In the world of mobile application development, security testing is often neglected. However, it's just as important with mobile apps as it is with websites and other software platforms. Mobile apps are vulnerable to a number of different types of attacks, including viruses and phishing scams. In this article we'll discuss five tools that can help you test your app for vulnerabilities before launching it in the market.
Burp Suite is a web security testing tool that includes Burp Proxy, which can be used to intercept and modify HTTP traffic. It was originally developed by PortSwigger Web Security.
This tool lets you check for many types of vulnerabilities and errors in your web applications. It also provides some other useful features like:
Burp Suite offers a free community edition with limited features but still works great for capturing HTTP traffic and websocket communications.
MITM Proxy is a tool that allows you to intercept and modify traffic between two devices. It's often used for security testing, network management, and other purposes that are outside our scope here. But it can also be used to assess mobile apps and web apps by intercepting requests and responses as they travel through the Internet. This allows you to see what data your app is sending over the network so you can identify potential vulnerabilities like XSS (cross-site scripting) or SQL injection issues.
MITM Proxy is a free and opensource platform that is a good alternative to Burp Suite. It's not a feature rich as Burp Suite, but is still a great tool for HTTP proxy testing with mobile apps and websites.
ADB - Android Debug Bridge
ADB is a tool used to communicate with an Android device over USB. It allows you to run commands and transfer files between the host computer and your phone, such as when you want to install apps or pull logs from the device. ADB can also be used in the background of other programs (like the Android Studio IDE) so that you can see what's going on in your app while it's running.
You can get ADB for Windows, macOS and Linux from this page at Google. You'll need Java installed on your computer for this link to work properly (if not already present). This guide will assume that you're running a 64-bit version of Windows 10 with Admin access available through Command Prompt or PowerShell (administrator rights are needed so that we can execute some commands). You’ll also need an active internet connection since we have some packages from GitHub which will be downloaded during installation process.
Frida is a dynamic instrumentation toolkit that can be used for Android, iOS (if you're on macOS), and Windows. It's one of the most popular tools for mobile app security testing because of its ease of use and flexibility.
Frida is designed to be used from Python with bindings for other languages such as JavaScript. Because it's written in C++, Frida supports multiple platforms without any modifications.
The main use of Frida in mobile app testing, is its ability to help you bypass SSL certificate pinning which is a safeguard against our MITM proxy setup to capture HTTPS traffic. Frida has several pre-built SSL pinning bypass scripts that you can use and should suffice for most use cases.
Vysor is a tool that allows you to connect your phone or tablet to your computer and see what the device is doing on the screen. This can be useful for debugging, testing the UI of an app, or simply checking out how an app looks in action.
Once it's connected, you can use Vysor as if it were a second monitor (just like any other application). You can even use keyboard shortcuts to control the device from afar!
A really solid use case for Vysor, is to use it with a screen recorder. With Vysor, you can record your testing sessions by capturing both the mobile app screen and the captured traffic in Burp Suite or MITM Proxy - this allows you to review your testing sessions later to help determine what actions resulted in specific network traffic.
As you can see, there are a lot of tools available for mobile app security testing. While some require an Android device or iOS device (like MITM proxy), others like Burp Suite do not. If you want to test your app on multiple devices at once, then Frida and Vysor will be useful tools. And if all else fails, there is always good old fashioned manual testing!