3

I know that I have not handled MiTM in my Android application and it might be vulnerable. I want to test this scenario by connecting my Android phone via a proxy (my laptop) and using any possible tools to check for a MiTM attack.

Simon Bennetts
Hussain Mansoor

1 Answer

4

You'll need to:

  1. Install the ZAP root CA cert as a trusted root CA cert on your device
  2. Set up ZAP on a computer and set the host it uses as blank so that it listens on all IP addresses
  3. Configure your device to proxy through that computer

There's a video + description with more details here: https://security.secure.force.com/security/tools/webapp/zapandroidsetup

Simon Bennetts
  • If I create my own CA cert and add it on my device as a trusted cert. Then there's no attack in this. It's a trusted cert and it should work. I don't think it's a MiTM attack then. – Hussain Mansoor Jul 13 '16 at 04:04
  • Those instructions were to set up ZAP so that it can scan your application effectively. If you just want to check that a MiTM attack can't see / change any of your app's communications then do the same things but without installing the ZAP root CA cert. If ZAP shows any non-encrypted traffic then your app will be vulnerable to untrusted MiTM attacks. – Simon Bennetts Jul 13 '16 at 08:09
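
An app-side configuration that supports both tests described in the answer and comments above, as an added example that is not part of the original posts. On Android 7.0 (API 24) and later, apps targeting that level do not trust user-installed CA certs by default, so a ZAP root CA installed as in step 1 is only honoured where the app opts in. The file name `res/xml/network_security_config.xml` is an assumed, conventional name; the file is referenced from the `<application>` element of the manifest with `android:networkSecurityConfig="@xml/network_security_config"`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml -->
<network-security-config>

    <!-- Applies to every build, including release:
         no cleartext HTTP, and only the system CA store is trusted.
         With this in place, proxying through ZAP WITHOUT its root CA
         installed should produce failed TLS handshakes, not readable traffic. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applies only when android:debuggable="true":
         additionally trust CA certs the user installed on the device,
         so a debug build can be scanned through ZAP after its root CA
         has been installed. Release builds ignore this block. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

If a release build still shows decrypted requests in ZAP with no ZAP root CA installed on the device, look in the app's code for a custom `TrustManager` or `HostnameVerifier` that accepts any certificate, since that overrides what this file declares.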