SpiderLabs Blog

Using Mobile Applications for attacking Web Applications

This short post was motivated by my desire to look at some mobile applications that I happen to use. I did not follow a specific methodology for testing mobile applications; I simply applied what I know about testing web applications in general.

To my surprise, I got results that made me happy, or not.

01 – Catalog Application

Starting my tests on the first application, I noticed that the credentials for the backend web server are sent in plain text, in the body of a POST request over unencrypted HTTP. Anyone who can see the traffic (for example on the same Wi-Fi network) can read them.


Most of these mobile applications are just simple frontends for web services: the app collects input, sends it to an HTTP API, and renders the response.

This behaviour was confirmed in all of the tested applications.

Some examples:

02 – Auction Application

(Screenshot of the intercepted request, dated 2012-09-26.)

Let's start by routing the mobile application's traffic through an intercepting proxy and doing a simple SQL injection test on one of the request parameters:


In this specific case it was possible to see that the web service consumed by the mobile application is vulnerable to SQL injection.

So, one might ask: should I be attacking the web application or the mobile application?

The answer is easy: go for the web application. The mobile app is only a client; the vulnerable code is in the backend web service, and you can send it whatever requests you like once you have captured the format the app uses.

Extracting information via SQL injection:





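To make the test above concrete, here is an added example (not code from the original post or from any of the tested applications) of what the backend of the auction app might look like. It builds a constructed in-memory SQLite database, implements the keyword search once with string concatenation and once with a bound parameter, runs the "simple test" (a lone single quote sent in the intercepted parameter), and then uses a hypothetical UNION payload to pull the users table out through the vulnerable version. The table names, data and payload are all assumptions for illustration.

```python
"""Vulnerable vs. parameterised backend search behind a mobile app (constructed example)."""
import sqlite3


def build_db():
    """Constructed stand-in for the auction backend's database (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE items(id INTEGER PRIMARY KEY, title TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO items VALUES (1, 'Vintage lamp', 40.0), (2, 'Road bike', 250.0);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        """
    )
    return con


def search_vulnerable(con, keyword):
    """The 'keyword' field from the intercepted POST is concatenated straight into SQL."""
    sql = "SELECT title, price FROM items WHERE title LIKE '%" + keyword + "%'"
    return con.execute(sql).fetchall()


def search_fixed(con, keyword):
    """Same query with a bound parameter: the keyword can never change the SQL structure."""
    return con.execute(
        "SELECT title, price FROM items WHERE title LIKE ?", ("%" + keyword + "%",)
    ).fetchall()


def probe(search, con):
    """The simple test: send a lone single quote and see whether the query breaks.

    Returns True when the quote reaches the SQL parser (a syntax error), which is
    the classic first sign of injection; False when it is treated as plain data.
    """
    try:
        search(con, "'")
        return False
    except sqlite3.OperationalError:
        return True


# Hypothetical extraction payload for the keyword field (the post does not show its own).
# It closes the LIKE literal, appends a UNION against the users table and comments out
# the rest of the original query.
UNION_PAYLOAD = "x%' UNION SELECT username, password FROM users -- "


def extract(search, con):
    """Run the UNION payload through the given search function; sorted for stable output."""
    return sorted(search(con, UNION_PAYLOAD))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable version injectable:", probe(search_vulnerable, db))
    print("fixed version injectable:     ", probe(search_fixed, db))
    print("leaked via vulnerable search: ", extract(search_vulnerable, db))
    print("same payload, fixed search:   ", extract(search_fixed, db))
```

The point to take from this is that nothing in the exchange depended on the phone: once the request format is captured, the payload is just another value for the backend's parameter, which is why the web service, not the app, is the thing to test and to fix.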
After that, I'm hungry... and I love sandwiches!

03 – Fast-food Delivery Application

Oh no... another application in which my credentials are being sent in plain text.



Because it is a mobile application, developers may be forgetting the basics of security: the same credentials and the same backend are exposed, only through a different client.

If your mobile application is a simple frontend for a web service, the same web security concepts apply. At a minimum, authenticate over TLS (HTTPS) with certificate validation, and treat every parameter the app sends as untrusted input on the server side. Think about it, and check some of the following references for security best practices:

OWASP Development Guide

OWASP Transport Layer Protection

OWASP SSL Best Practices