David Lindner and I recently presented at AppSec USA 2012 on the issues we’ve encountered trying to proxy mobile application traffic. We were fortunate to have a great slot, located right after the first keynote. There were some other great-looking talks going on at the same time, so we really appreciate everyone who attended. Feedback on the content has been very positive so far, but if we missed something or got it wrong, please leave a comment below.
The talk covered the process we have been following to get intercepting proxy tools, like Burp Suite, to work with Android and iOS applications. It’s been pretty inconsistent and is still evolving, so keep in mind that these are just the experiences we’ve had. We aren’t trying to claim we have all the solutions, which is why we’re contributing the information to OWASP in an effort to develop community-driven Mobile Testing Guides. Here are a few key takeaways:
- Learn how to set up an intercepting proxy: Android or iOS, SSL or non-SSL, physical device or emulator/simulator.
- Learn how to overcome edge cases (traffic that ignores the system proxy settings) with a forward proxy.
- A brief overview of, and references for, Android APK binary hacking and reverse engineering.
Many thanks to Aspect Security for sending us out to beautiful Austin, TX. You can catch the slides and video of the presentation here:
2012-Mobile_Applications_and_Proxy_Shenanigans.pdf
Mobile Applications & Proxy Shenanigans – Dan Amodio and David Lindner from OWASP AppSec USA on Vimeo.
Posted on December 8, 2012