Native Mobile App Scanning

AutoDan wrote:

Hi,

I was wondering whether any of the community has had success with the newish Native Mobile Web Service Scanning capabilities of WebInspect 10.2?

If so, was it using an emulator or a physical device, and was it for iOS or Android?

I have been banging my head against a wall trying to get it to work with the Android Emulator for over a week with little success, but to be honest this may be less an issue with WebInspect and more an issue with the Android Emulator. If anyone has had success using this feature with an Android Emulator, would you be able to offer any advice?

I've also come to believe it may not be possible to conduct a Native Mobile Scan using a physical Android device, as changes to the proxy settings on these devices only apply to the browsers and have no effect on the applications installed (see http://forum.xda-developers.com/showthread.php?t=1369460). Has anyone been able to get around this?

As for the iOS Emulator, I understand this will only run on Mac OS X and as such a Mac computer would need to be attached to the network; is this correct? I've noticed that a lot of the WebInspect help on Native Scans seems to be iOS-centric. Is there a reason for this?

Any help would be much appreciated.

Cheers,

Dan
Accepted Solution

AutoDan wrote:

Hi Tami et al.,

I have found a solution to this by using Burp Suite instead of WebInspect to record the traffic and then importing this traffic into WebInspect's Native Scan Wizard. Note: this method requires a Burp Suite Professional license (approx. $300 US). If using the free version of Burp it is still possible, but requires a bit more effort and use of the HTTP Editor.

For some reason I have no issue intercepting Native App traffic from the Android Emulator using Burp, whereas I have been unsuccessful in my attempts with WebInspect and the HP Web Proxy. I believe this may have something to do with the issue outlined in the following article - http://www.mathyvanhoef.com/2013/06/transparent-interception-of-android.html

Would be interested to hear if anyone has had success getting this to work purely through WebInspect.

Cheers,

Dan
9 Replies
Tami G wrote:

Several of us are having this exact same issue. Any advice would be greatly appreciated.
AutoDan wrote:

Hi Tami,

How far has your team got with this, and what are the issues you're experiencing? In particular, are you looking at Android or iOS, and are you using a physical device or emulator?

I've also tried capturing the web traffic of the Android Emulator using the HP Web Proxy and am able to see the requests and responses for HTTP (not HTTPS); however, the responses don't seem to get back to my emulator. I'm guessing I may need to open a port on the emulator as it sits behind its own emulated router?

I've also noticed that WI 10.3 provides native scanning for Windows Mobile; will be interesting to see if this is any more straightforward than iOS and Android. Probably won't upgrade just yet though.

Dan
AutoDan wrote:

Looking at this as a possible solution: http://code.google.com/p/androidproxy/
Tami G wrote:

AutoDan,

I like that solution! Thanks for finding that!

We are using the emulator within WebInspect. And we are running 10.20 on my machine and 10.30 on the other; at this time I don't recommend an upgrade, as he hasn't been able to get into WebInspect since he upgraded.

I've followed the instructions to configure the manual proxies but nothing has worked so far.

I will be looking into the solution you found next.

Tami
AutoDan wrote:

Thanks Tami, please let me know how your team progresses with this.

We are in the process of installing the Emulator and HP Security Toolkit on a standalone machine to determine whether our internal firewall/proxy setup could be a factor, before looking at AndroidProxy. Worst case, I'm hoping we can record the traffic with Burp Suite and then import it into WI.

Hoping someone from the WI Tech Team can also offer some advice 🐵

Cheers,

Dan

Tami G wrote:

@AutoDan wrote: I have found a solution to this by using Burp Suite instead of WebInspect to record the traffic and then importing this traffic into WebInspect's Native Scan Wizard. [...]
AutoDan, this is excellent news! Thank you very much. 🙂
Kasturi1 wrote:

Native Mobile Web Service Scanning capabilities of WebInspect 10.2 have succeeded using an emulator.
Micro Focus Expert wrote:

Kasturi1,

Thanks for reawakening this. You are correct: starting with WebInspect 10.20 (currently at 10.40) we have added Native Mobile App testing to the Guided Scan Wizard. This supports iOS devices, Android devices, Windows devices, iOS emulators, and Android emulators. The basic premise is very similar to the old Manual Step-Mode scan, with WebInspect being defined as a Man-in-the-Middle and the user manually exercising the mobile app through it, followed by an Audit phase in WebInspect. In essence we are recording the user's sessions like a Workflow for driving the scan later.

When I was tinkering with this for a demo, I found the hardest part was that each mobile device has different menus for setting its network proxy, and you must enable Airplane Mode to force it to stay on the network and not disappear into the air. 😉

I also noted an issue with scan re-use and its workaround.

Issue: On the first day (Day1), the mobile device had a local LAN IP and I recorded the sessions and scanned it. I saved the scan's settings for re-use. On the next day (Day2), the device was assigned a different IP address, so when I used the saved settings file, I had Day1 events with the old IP and Day2-added events with the current IP.

Workaround: In the Guided Scan Wizard, click the Advanced button at the top to open the Current Scan Settings. Go to the Filters panel and define a filter that changes the old IP to the new IP (today's) for all HTTP Requests. Proceed through the rest of the scan!


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
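The Day1/Day2 address mismatch and the filter workaround in the post above, modelled in Python as an added example (this is not WebInspect's own filter code and makes no claim about how the Filters panel is implemented): a boundary-aware old-IP to new-IP rewrite applied to every request in a capture, plus a check that reports which recorded events still carry the old address. The capture format (raw HTTP requests as a proxy would log them), the addresses and the request contents are constructed for illustration. What it adds to the text is the edge case a naive find-and-replace gets wrong: rewriting 192.168.1.2 must not corrupt an unrelated 192.168.1.20, while an address followed by a port or path must still be rewritten.

```python
import re
from typing import Callable, List

# Constructed addresses: the device's LAN IP on Day1 and on Day2.
DAY1_IP = "192.168.1.2"
DAY2_IP = "192.168.1.37"

# Constructed stand-in for a recorded capture: raw HTTP requests as a
# proxy would log them. The first two were recorded on Day1 and carry the
# old address, the third targets an unrelated host whose address merely
# starts with the old IP, and the last was added on Day2 and already
# carries the new address.
SAMPLE_CAPTURE: List[str] = [
    "GET /api/v1/profile HTTP/1.1\r\n"
    "Host: 192.168.1.2:8080\r\n"
    "User-Agent: NativeApp/1.0 (Android)\r\n\r\n",
    "POST /api/v1/login HTTP/1.1\r\n"
    "Host: 192.168.1.2:8080\r\n"
    "Referer: http://192.168.1.2:8080/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n\r\n"
    "user=alice&pass=Winter2014!",
    "GET /static/logo.png HTTP/1.1\r\n"
    "Host: 192.168.1.20\r\n\r\n",
    "GET /api/v1/profile HTTP/1.1\r\n"
    "Host: 192.168.1.37:8080\r\n\r\n",
]


def _ip_pattern(ip: str) -> "re.Pattern[str]":
    # Boundary-aware match: the address may not be preceded or followed by
    # another digit or dot, so 192.168.1.20 is not a hit for 192.168.1.2,
    # but "192.168.1.2:8080" and "192.168.1.2/" still are.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def ip_rewriter(old_ip: str, new_ip: str) -> Callable[[str], str]:
    """Return a function that replaces old_ip with new_ip in one raw request."""
    pattern = _ip_pattern(old_ip)
    return lambda raw: pattern.sub(new_ip, raw)


def rewrite_capture(capture: List[str], old_ip: str, new_ip: str) -> List[str]:
    """Apply the old-IP to new-IP rewrite to every recorded request."""
    rewrite = ip_rewriter(old_ip, new_ip)
    return [rewrite(raw) for raw in capture]


def stale_requests(capture: List[str], old_ip: str) -> List[int]:
    """Indexes of requests that still reference old_ip.

    An empty list means the Day1 and Day2 events now agree on the address
    and the saved settings can be reused as-is.
    """
    pattern = _ip_pattern(old_ip)
    return [i for i, raw in enumerate(capture) if pattern.search(raw)]


if __name__ == "__main__":
    print("stale before filter:", stale_requests(SAMPLE_CAPTURE, DAY1_IP))
    fixed = rewrite_capture(SAMPLE_CAPTURE, DAY1_IP, DAY2_IP)
    print("stale after filter: ", stale_requests(fixed, DAY1_IP))
    for raw in fixed:
        # Second line of each request is its Host header.
        print(raw.split("\r\n", 2)[1])
```

Run stand-alone it reports indexes 0 and 1 as stale before the rewrite and none after, and the unrelated 192.168.1.20 host is untouched. The same boundary rule applies if the filter is expressed as a regular expression in a proxy or scanner, so check the filter against an address that shares a prefix with the old one before trusting a rewritten capture.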