Testing .jar based application


Hi All,

Recently, while performing application testing, I came across a new kind of application that is delivered as a .jar file.
The major problems with this type of application are:

  • It is only supported on older devices (Nokia 5233, Nokia C2-01, etc.)
  • No Wi-Fi or internet connection.

The requirement for testing such applications comes from vendors who want to give their application to people in villages or rural areas who have little or no internet connectivity.
Every sensitive transaction is possible via SMS ;) I hope you see why this type of testing is still required.

Application details:-
  1. A .jar file is given to you for testing.
  2. It is supported on older mobile devices (Nokia 5233, Nokia C2-01, etc.)
  3. These phones do not support any Wi-Fi connection.
  4. The application does not have any internet connection (GPRS etc.)
So in short, you have to test an application that does not have any internet connection. At this point you must be thinking about normal mobile app security testing, in which we set a proxy, intercept the requests, and so on. The catch here is that you have to perform the testing without using the internet.

Initially I was searching on Google to see if I could get any useful material, though I didn't find any. In the end, thanks to the Null groups and thanks to @Akash for replying to me quickly and helping me.

Set up for testing .jar based application 

Below is a simple step-by-step process for setting up a test bed for testing a .jar based application.

Step 1:- You will require an emulator in which you can run your .jar files. The best emulator to use for this type of testing is KEmulator; you can download the setup from here.

Step 2:- After downloading the setup, unzip it and launch the .exe file named KEmulator.

Step 3:- Load the jar file as below



Step 5:- You are now all good to go. 

Step 6:- At this point the loaded application will behave as a thick client.

Really? Hold on, a few points to remember:-

Notes:-
1] In my case the .jar file was using no HTTP or HTTPS traffic, so obviously you will not be able to see any request or response. Just check for code-level bugs and check whether the developer has obfuscated the code or not. For this you can use the JD-GUI tool.

2] If your .jar file uses either HTTP or HTTPS traffic, then you can use Echo Mirage, Burp Suite or Fiddler to perform further testing.
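A quick way to decide which of the two notes applies before opening the file in JD-GUI, shown as an added example that is not part of the original post: the script reads the manifest permissions, looks for connection URL schemes inside the class files, and measures how many classes have one- or two-letter names. The sample jar, the `DemoPay` name and the short-name heuristic for obfuscation are assumptions made for illustration.

```python
import io
import re
import zipfile

SCHEMES = (b"http://", b"https://", b"sms://", b"socket://")

def parse_manifest(text):
    """Parse MANIFEST.MF attributes, joining wrapped continuation lines."""
    text = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    attrs = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
    return attrs

def triage_jar(data):
    """Summarise permissions, URL schemes and naming style of a MIDlet jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        attrs = {}
        if "META-INF/MANIFEST.MF" in names:
            attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        classes = [n for n in names if n.endswith(".class")]
        schemes = set()
        for name in classes:
            body = jar.read(name)  # constant-pool strings are stored as plain ASCII bytes
            schemes.update(s.decode() for s in SCHEMES if s in body)
    # Assumption: obfuscators typically rename classes to a.class, ab.class, ...
    short = [n for n in classes if len(n.rsplit("/", 1)[-1][:-6]) <= 2]
    perms = [p.strip() for p in attrs.get("MIDlet-Permissions", "").split(",") if p.strip()]
    ratio = len(short) / len(classes) if classes else 0.0
    return {"permissions": perms, "schemes": sorted(schemes), "short_name_ratio": ratio}

def build_sample_jar():
    """Constructed sample: placeholder bytes, not real compiled classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMIDlet-Name: DemoPay\r\n"
                     "MIDlet-Permissions: javax.wireless.messaging.sms.send,\r\n"
                     " javax.microedition.io.Connector.sms\r\n")
        jar.writestr("a.class", b"\xca\xfe\xba\xbe...sms://+0000000000:5000...")
        jar.writestr("b.class", b"\xca\xfe\xba\xbe...")
        jar.writestr("com/demo/PayMIDlet.class", b"\xca\xfe\xba\xbe...")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

If `schemes` contains only `sms://`, there is no HTTP traffic to proxy and the review stays at code level; a high `short_name_ratio` suggests the classes were renamed by an obfuscator.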


Apart from this I also found another nice article for doing the same testing.

I hope this will help other penetration testers whose clients ask them to test such applications.

Happy Hacking :) 
