Using Mobile Applications for attacking Web Applications

This simple blog post was motivated by my desire to look at some mobile applications that I happen to use. I did not choose a specific methodology for testing mobile applications. What I did was to use some of my knowledge in testing web applications in general.

To my pleasant surprise I got results that made me happy, or not.

01 – Catalog Application

Starting my tests, on the first application I noticed that the web server authentication credentials are simply sent in plain text using a POST method.

Most of these mobile applications are just simple frontends for web services.

This behavior has been confirmed in all tested applications.

Some examples:

02 – Auction Application


Let's start intercepting the requests of the mobile application and doing a simple SQL injection test:

In this specific case it was possible to notice that the web application consumed by the mobile application is vulnerable to SQL injection attacks.
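The root cause the post is pointing at lives in the backend, not in the mobile client: a login handler that splices the username and password it receives into the SQL text. The following is an added illustration, not code from the post or from any of the applications it tested; the table, the user record and the function names are constructed for the example. It places the concatenating handler next to a parameterized one so the difference in behaviour on the same input is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the backend's real database.

    Passwords are stored in clear only to keep the example short; a real service
    stores a salted password hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL.

    This mirrors the defect class the post found behind the auction app's API.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Binds the values as parameters, so the input is data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # A username ending in a quote and a comment marker truncates the
    # concatenated query before the password check; bound parameters do not care.
    crafted = "alice' --"
    print("vulnerable    :", login_vulnerable(db, crafted, "wrong"))      # True
    print("parameterized :", login_parameterized(db, crafted, "wrong"))  # False
```

The hardened function is the only change needed on the server; the mobile client is untouched, which is the point the post makes about where the fix belongs.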

So, one would ask: should I be attacking the web application or the mobile application?

The answer to this question is easy: go for the web application.

Extracting information via SQL injection:

After that, I'm hungry… and I love sandwiches!!

03 – Fast-food Delivery Application

Ohhh no… another application where my credentials are being sent in plain text.

Because it is a mobile application, developers might be forgetting the basics of security.

If your mobile application is a simple frontend, the same concepts of web security must be considered. Think about it and check some of the following references for security best practices:

OWASP Development Guide.

OWASP Transport Layer Protection.

OWASP SSL Best Practices.
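Two of the three applications above failed the same basic check: a credential-bearing POST over plain HTTP. The block below is an added example, not code from the post, from Trustwave or from the applications tested; the intercepted requests in it are constructed, and the function names and the list of credential field names are assumptions. It shows the triage a tester runs over captured traffic to flag exactly that failure, plus the guard a mobile client can apply to its own API base URL so the credential never leaves the device over a non-TLS connection.

```python
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry a secret in a form-encoded login body (assumption).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "token"}

# Constructed sample of intercepted requests as (method, url, body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "http://catalog.example/api/login", "user=alice&password=hunter2"),
    ("POST", "https://auction.example/api/login", "user=alice&password=hunter2"),
    ("GET", "http://delivery.example/api/menu", ""),
    ("POST", "http://delivery.example/api/auth", "username=bob&pwd=secret"),
]


def credential_fields_in(body):
    """Return the sorted names of form fields in the body that look like secrets."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def plaintext_credential_requests(requests):
    """Flag every request that sends a credential field over a non-TLS scheme."""
    findings = []
    for method, url, body in requests:
        scheme = urlsplit(url).scheme.lower()
        names = credential_fields_in(body)
        if scheme != "https" and names:
            findings.append((method, url, names))
    return findings


def require_https(base_url):
    """Client-side guard: refuse to configure an API endpoint that is not TLS.

    A mobile frontend that applies this at start-up cannot be talked into posting
    its login form in the clear, whatever the server happens to accept.
    """
    if urlsplit(base_url).scheme.lower() != "https":
        raise ValueError("refusing non-TLS API endpoint: " + base_url)
    return base_url


if __name__ == "__main__":
    for method, url, names in plaintext_credential_requests(SAMPLE_REQUESTS):
        print(method, url, "sends", ", ".join(names), "in plain text")
    print(require_https("https://auction.example/api/"))
```

On the constructed sample the triage reports the catalog and delivery logins and stays silent on the auction app, which at least used TLS; the transport check is necessary but not sufficient, as the SQL injection in that same app shows.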
