View a video walkthrough for ZAP
|ZAP Home Page|
Why did we build ZAP? Being a inline security solution inspecting web traffic, it's imperative that we're able to not only analyze traditional web traffic, but also web traffic sent by mobile applications. While we think of mobile apps as native software, in many ways they behave like custom web browsers, leveraging HTTP(S) for communication. We therefore started building ZAP as an internal resource to analyze mobile app traffic, but quickly realized that people are all too trusting of mobile apps downloaded from an 'official' app store. Leveraging ZAP, our research has shown that apps commonly expose privacy and security risks from sending passwords in clear text to sharing personally identifiable information (PII) with third parties and that's why we're also releasing a public version of ZAP - to empower people to see this for themselves.
SearchThe easiest way to leverage ZAP is to search through the historical results. Simply by typing the name of a mobile application in the search field, you can see if it has previously been analyzed. To further refine your search, you can additionally include the OS name (iOS or Android).
|Sample ZAP Search Results|
- Authentication - Username/password information sent in clear text or using weak encoding methods
- Device Metadata Leakage - Transmission of device information such as the UDID (Unique Device Identifier), MAC address or details about the operating system
- PII Leakage - Sharing personally identifiable information such as phone numbers, email addresses, mailing addresses, etc.
- Exposed content - Communication with third parties such as advertisers and analytic firms
ScanThe true power of ZAP comes from it's ability to empower anyone to capture and analyze the web traffic from a mobile application. In order to accomplish this, we leveraged an excellent web proxy known as mitmproxy, built a front end to interface with it and created engines to automatically analyze the captured traffic to hilight security/privacy issues.
Scanning an application is as simple as pointing your phone to ZAP and using the application that you want to analyze - that's it. View the video below for a detailed walkthrough of the scanning functionality, but overall, it's a simple six step process as noted in the image below.
VideoThe video below provides a detailed walkthrough of all ZAP functionality.
We look forward to hearing your feedback on how we can continue to improve ZAP, so please take it for a test drive and let us know what you think. There are many mobile apps that expose users to security/privacy risks and to date, the app store gatekeepers aren't doing an adequate job of protecting end users from these threats. Using ZAP you can help analyze the ever growing list of mobile apps and reveal those that are putting users at risk.