The theme of day 2 in the #30daysoftesting is mobile proxy tools
30 Days Of Mobile Testing, day 2: Use a proxy tool, for example Charles Proxy, to intercept the traffic between the app and the back-end. For example, check the calls for encryption and describe your findings.
So… until this day, I don’t think I ever thought about what a proxy tool actually is. I remember reading about using proxy tools for watching online television in other countries… But that’s it. I never worked with proxy tools before, and I honestly have no idea what .
What is a proxy tool?
If you look up Charles Proxy, and read about what the program does, you’ll get the following details:
Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to get access to the Internet through Charles, and Charles is then able to record and display for you all the data sent and received.
So far so good.
I downloaded and installed Charles Proxy on my laptop. Then I opened Charles and after a few seconds, the program started reading and displaying the traffic between my laptop and the network. In my case, the first 40 entries were from an add-on to a Java application that I use to play the online browser-based game Kingdom Of Loathing:
Charles tells me that the plugin “relay_Guide.ash” sends information quite often over my network. Interesting. Since the add-on changes the GUI in my browser, it makes sense that it needs to update every time I do something in the game.
Now for the network traffic of my smartphone. I had some problems figuring this part out, but ended up finding a small guide that helped me set up the phone’s wireless connection to go through Charles. In short, you need to set your phone’s Wi-Fi proxy setting to “manual” and enter your computer’s IP. I opened two different apps on my phone, the Pinterest and Asos apps.
Asos sends a lot more information compared to Pinterest. I couldn’t find any non-encrypted traffic, so everything that went back and forth between the apps and Charles basically looked like this:
All in all I now have an idea about what proxy tools do. I’m sure that there are apps out there that display more information than necessary in the traffic, and if that traffic is intercepted, you could obtain a lot of vulnerable data.
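To make the day 2 check (“check the calls for encryption and describe your findings”) repeatable rather than a scroll through the Charles window, a tester can export the recorded session as a HAR file and let a small script classify every request by scheme and host. The script below is an added example written for this post, not code from the post or from Charles itself; it assumes a standard HAR 1.2 export (which Charles can produce) and the hosts, paths and headers in the embedded sample are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 shape, the format a proxy tool such as Charles
# can export a recorded session to. Hosts, paths and header values are made up.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"method": "GET",
                         "url": "https://api.example-shop.test/v1/products?page=1",
                         "headers": [{"name": "Authorization", "value": "Bearer abc"}]},
             "response": {"status": 200}},
            {"request": {"method": "POST",
                         "url": "https://api.example-shop.test/v1/cart",
                         "headers": []},
             "response": {"status": 201}},
            {"request": {"method": "GET",
                         "url": "http://cdn.example-shop.test/banner.png",
                         "headers": []},
             "response": {"status": 200}},
            {"request": {"method": "GET",
                         "url": "http://track.example-ads.test/pixel?uid=12345",
                         "headers": [{"name": "Cookie", "value": "session=xyz"}]},
             "response": {"status": 204}},
        ]
    }
})


def classify_entries(har_text):
    """Return one (scheme, host, method, path, sends_credentials) tuple per request.

    sends_credentials is True when the request carried an Authorization or
    Cookie header, i.e. something an observer on the network could reuse.
    """
    har = json.loads(har_text)
    rows = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        header_names = {h["name"].lower() for h in req.get("headers", [])}
        sends_credentials = bool(header_names & {"authorization", "cookie"})
        rows.append((parts.scheme, parts.hostname, req["method"], parts.path,
                     sends_credentials))
    return rows


def cleartext_findings(har_text):
    """Requests that were not encrypted in transit (plain http://)."""
    return [row for row in classify_entries(har_text) if row[0] == "http"]


def summarize(har_text):
    """Count requests per host and per scheme for the 'describe your findings' step."""
    rows = classify_entries(har_text)
    per_host = Counter(row[1] for row in rows)
    per_scheme = Counter(row[0] for row in rows)
    return per_host, per_scheme


if __name__ == "__main__":
    hosts, schemes = summarize(SAMPLE_HAR)
    print("requests per host:", dict(hosts))
    print("requests per scheme:", dict(schemes))
    for scheme, host, method, path, creds in cleartext_findings(SAMPLE_HAR):
        flag = "  <-- carries Authorization/Cookie header" if creds else ""
        print(f"CLEARTEXT {method} {scheme}://{host}{path}{flag}")
```

To run it against a real session, replace `SAMPLE_HAR` with the contents of the exported file (`open("session.har").read()`). The per-host counts are the same kind of observation the post makes about Asos sending more traffic than Pinterest; the cleartext list, with credential-bearing requests flagged first, is what a tester would put in the findings write-up.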
The 30 Days Of Mobile Testing is the creative effort of Ministry of Testing, and anyone can join in. See more at https://dojo.ministryoftesting.com/lessons/30-days-of-mobile-testing