[WEB SECURITY] Security Testing of Mobile Apps

Arun Sundaresh arunsundaresh at gmail.com
Wed Dec 3 16:39:50 EST 2008


Hi Billy,

Thanks for the info!

From the discussion, I understood that for web-based mobile apps, we can use
the general web app scanners by just changing the user agent of the scanning
tool.

But how about the security assessment of client-server apps for mobile? say
for example, a voice mail client which notifies the user whenever there is a
new voicemail and based on user's request, client will contact the server
component to pull the voicemail and play it.

Thanks,
Arun Sundaresh. R

On Wed, Dec 3, 2008 at 2:37 PM, Hoffman, Billy <billy.hoffman at hp.com> wrote:

>  Mobile XHTML is just a subset of XHTML with limits on tags, certain form
> elements, and some JavaScript limitations. In other words scanning mobile
> XHTML websites should be a subset of scanning regular websites. It should
> just be a matter of changing the user agent of the scanning tool which can
> be easily done in the tools settings or by running its traffic through a
> "find-and-replace" proxy to give you an appropriate mobile user agent.
> Otherwise a lot of mobile sites (m.facebook.com, etc) will 302 you if you
> don't have a mobile browser user-agent.
>
> I don't know of anything that can handle WAP/WML or i-mode.
>
> Billy Hoffman
>
> --
>
> Manager, HP Web Security Research Group
>
> HP Software – Application Security Center
>
> Direct:  770-343-7069
>
> *From:* Arun Sundaresh [mailto:arunsundaresh at gmail.com]
> *Sent:* Wednesday, December 03, 2008 2:51 PM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] Security Testing of Mobile Apps
>
> Hi All,
>
> Greetings!
>
> Is anybody in this distro involved in the security testing of mobile device
> apps? If so, could you please let me know the methodology that you follow to
> perform the security testing on the mobile device apps.
>
> I would like to know the following details:
>
> 1. How will you perform security assessment of applications developed for
> mobile phones?
>
> 2. What are the different types of testing that you would do?
>
> 3. Do you use some automated vulnerability assessment tools for testing the
> mobile applications?
>
> Thanks,
> Arun Sundaresh. R
>
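The user-agent swap Billy describes above, written out as an added example that is not code from the original thread or from any HP tool. It models the "find-and-replace proxy" idea on raw HTTP bytes (rewrite the User-Agent of every request the scanner emits, adding one if missing) and, on the response side, flags the off-host 302 that mobile sites send to a non-mobile browser, so a tester can tell real findings from redirect stubs. Function names, the sample mobile user-agent string and the sample request/response bytes are assumptions constructed for this example.

```python
"""Rewrite a scanner's User-Agent to a mobile one and detect mobile-gate redirects.

Added example (not from the original thread). The helpers work on raw
HTTP/1.x bytes so they do not depend on any particular proxy framework.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

CRLF = b"\r\n"

# Constructed sample mobile user-agent; any mobile UA string would do.
MOBILE_UA = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_1 like Mac OS X) "
             "AppleWebKit/525.18.1 Mobile/5F136 Safari/525.20")


def rewrite_user_agent(raw_request: bytes, mobile_ua: str = MOBILE_UA) -> bytes:
    """Return the request with its User-Agent replaced (or added if absent).

    Header names are matched case-insensitively, duplicate User-Agent
    headers collapse to a single rewritten one, and the body (if any)
    is passed through untouched.
    """
    head, sep, body = raw_request.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line, header_lines = lines[0], lines[1:]
    ua_header = b"User-Agent: " + mobile_ua.encode("ascii")
    new_headers = []
    replaced = False
    for line in header_lines:
        name, _, _ = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            if not replaced:
                new_headers.append(ua_header)
                replaced = True
            continue  # drop the scanner's UA (and any duplicates)
        new_headers.append(line)
    if not replaced:
        new_headers.append(ua_header)
    # A request without the blank-line terminator is malformed; emit one anyway.
    return CRLF.join([request_line] + new_headers) + (sep or CRLF + CRLF) + body


def parse_status_and_headers(raw_response: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head, _, _ = raw_response.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers


def is_mobile_gate_redirect(raw_response: bytes, requested_host: str) -> bool:
    """True when the response redirects to a different host.

    This is the pattern the reply describes: a mobile site that sees a
    desktop user-agent answers 302 to its full-size site, so every "page"
    the scanner found would really be the same redirect stub.
    """
    status, headers = parse_status_and_headers(raw_response)
    if status not in (301, 302, 303, 307):
        return False
    target_host = urlsplit(headers.get("location", "")).hostname or requested_host
    return target_host.lower() != requested_host.lower()


if __name__ == "__main__":
    # Constructed sample request and response for a stand-alone run.
    req = (b"GET /inbox HTTP/1.1\r\nHost: m.example.com\r\n"
           b"User-Agent: ScannerBot/1.0\r\nAccept: */*\r\n\r\n")
    print(rewrite_user_agent(req).decode("ascii"))
    resp = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n\r\n"
    print("mobile gate redirect:", is_mobile_gate_redirect(resp, "m.example.com"))
```

Plugging `rewrite_user_agent` into whatever proxy sits between the scanner and the target gives the "find-and-replace" behaviour from the reply; running `is_mobile_gate_redirect` over the scanner's captured responses shows whether the swap actually took, since a run full of off-host 302s means the site is still treating the scanner as a desktop browser.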