Abstract
The videos were in four parts; those are linked below.
AI Generated Summary
This presentation covered practical techniques for security testing mobile applications, distinguishing between browser-based and installable applications. The rapid growth of mobile users and accelerated development cycles were cited as drivers for increased security assessment needs.
For browser-based applications, the talk demonstrated how to manipulate HTTP headers like User-Agent and Accept using browser add-ons (e.g., Live HTTP Headers, WML Browser) to access mobile-specific content from a desktop. This allows for easier traffic interception, automated tool usage, and data validation testing without the constraints of a mobile device’s interface. The server’s content negotiation based on these headers was shown through multiple live examples.
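The exchange described above, as an added example that is not code from the presentation: a minimal local server that negotiates content on `User-Agent` and `Accept`, and a client that overrides those two headers the way the Live HTTP Headers / WML Browser add-ons do from a desktop. The server logic, the response bodies and the User-Agent strings are constructed for illustration; real sites key on other signals too, so treat `negotiate` as a stand-in, not a description of any particular server.

```python
"""Content negotiation on User-Agent / Accept, plus the desktop-side header
override used to pull mobile content from a normal browser.  Added example;
server rules, bodies and UA strings below are constructed assumptions."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses: what a site might serve to each client class.
DESKTOP_HTML = b"<html><body>Desktop site</body></html>"
MOBILE_HTML = b"<html><body>Mobile site</body></html>"
WML_DECK = b'<wml><card id="main"><p>WML deck</p></card></wml>'

# Constructed User-Agent strings (shape is realistic, values are made up).
DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
MOBILE_UA = "Nokia6300/2.0 (05.00) Profile/MIDP-2.0 Configuration/CLDC-1.1"

MOBILE_UA_MARKERS = ("nokia", "symbian", "midp", "j2me", "blackberry", "iphone", "android")


def negotiate(user_agent: str, accept: str):
    """Pick (content_type, body) the way a mobile-aware server might.
    An explicit WML Accept wins, then a mobile-looking User-Agent,
    otherwise the desktop site."""
    if "text/vnd.wap.wml" in accept.lower():
        return "text/vnd.wap.wml", WML_DECK
    if any(m in user_agent.lower() for m in MOBILE_UA_MARKERS):
        return "text/html", MOBILE_HTML
    return "text/html", DESKTOP_HTML


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype, body = negotiate(self.headers.get("User-Agent", ""),
                                self.headers.get("Accept", ""))
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def fetch(url: str, user_agent: str, accept: str):
    """Desktop-side request with overridden headers; returns (content_type, body).
    This is the same thing the browser add-on does, but scriptable."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Accept": accept})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.headers.get("Content-Type"), resp.read()


def demo():
    """Fetch one URL three times with different headers; return what each got."""
    srv, url = start_server()
    try:
        desktop = fetch(url, DESKTOP_UA, "text/html,application/xhtml+xml")
        mobile = fetch(url, MOBILE_UA, "text/html,application/xhtml+xml")
        wml = fetch(url, MOBILE_UA, "text/vnd.wap.wml")
    finally:
        srv.shutdown()
        srv.server_close()
    return {"desktop": desktop, "mobile": mobile, "wml": wml}


if __name__ == "__main__":
    for name, (ctype, body) in demo().items():
        print(f"{name:8s} {ctype:20s} {body.decode()}")
```

Once the mobile variant is reachable from the desktop, the request can be routed through an intercepting proxy or scripted with `fetch` for parameter tampering, exactly the point of the technique.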
For installable applications (primarily Java MIDlets), the focus shifted to analyzing the application's footprint on the device filesystem. The presented method involved computing MD5 hashes of the files under relevant directories before and after exercising the application (e.g., sending and receiving an email). Comparing the before and after hashes reveals which files the app created or modified, aiding in understanding its data storage behavior and pointing at artifacts worth reverse engineering. MD5 is adequate here because the goal is change detection on a device the tester controls, not integrity against tampering. The feasibility of this approach depends on device memory access: phones with external memory or rooted access are preferable, as some (like older Nokia S40 series) restrict access to the internal filesystem.
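The before/after procedure above, as an added example rather than the presenter's own tooling: a per-file MD5 manifest of a directory tree, a whole-tree digest (the "hash of the directory" that tells you something changed), and a diff of two manifests that tells you what changed. The device tree, the MIDlet directory names and the "send/receive an email" activity are constructed stand-ins for a real memory card mounted on the desktop.

```python
"""Filesystem fingerprinting of an installed mobile app: hash everything
under a directory before and after using the app, then diff the manifests.
Added example; the directory layout and the simulated app activity are
constructed, not taken from any real device."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its MD5 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.md5()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def tree_hash(manifest: dict) -> str:
    """One digest for the whole tree: enough to know that something changed,
    not what.  Sorted so the result is independent of walk order."""
    h = hashlib.md5()
    for path in sorted(manifest):
        h.update(f"{path}\0{manifest[path]}\n".encode())
    return h.hexdigest()


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as created, modified or deleted between two manifests."""
    return {
        "created": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after if p in before and before[p] != after[p]),
    }


def setup_device(root: str) -> None:
    """Constructed pre-existing state: an installed MIDlet with an empty record
    store, a stale draft file, and an unrelated photo that should not be flagged."""
    app = os.path.join(root, "java", "MailMidlet")
    os.makedirs(os.path.join(app, "rms"))
    os.makedirs(os.path.join(root, "gallery"))
    open(os.path.join(app, "rms", "inbox.db"), "wb").close()
    with open(os.path.join(app, "outbox.tmp"), "wb") as f:
        f.write(b"draft")
    with open(os.path.join(root, "gallery", "photo1.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 not really a jpeg")


def simulate_email_client(root: str) -> None:
    """Constructed stand-in for 'send and receive one email' with the app:
    it appends to its record store, writes a session cache, and removes the draft."""
    app = os.path.join(root, "java", "MailMidlet")
    with open(os.path.join(app, "rms", "inbox.db"), "ab") as f:
        f.write(b"From: tester@example.com\r\nSubject: hi\r\n")
    with open(os.path.join(app, "session.cache"), "wb") as f:
        f.write(b"sessionid=0123456789abcdef\n")
    os.remove(os.path.join(app, "outbox.tmp"))


def demo() -> dict:
    """Run the full before/after procedure on a throwaway tree."""
    with tempfile.TemporaryDirectory() as root:
        setup_device(root)
        before = snapshot(root)
        simulate_email_client(root)
        after = snapshot(root)
        result = diff_snapshots(before, after)
        result["tree_changed"] = tree_hash(before) != tree_hash(after)
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real device, point `snapshot` at the mounted memory card (or at a filesystem dump from a rooted handset), take the first manifest with the app idle, perform one well-defined action in the app, take the second, and keep the manifests with the action that produced them so each artifact can be tied back to a behavior. Files that appear under "modified" with every action (record stores, caches) are the first candidates for inspection.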
Key practical takeaways include: using desktop browsers with header manipulation to simplify testing of mobile web apps, and employing filesystem hashing to identify persistent data and operational artifacts of installed mobile applications. The techniques aim to overcome the ergonomic and access challenges inherent in mobile security assessment.