Mobile Device Setup: Android
Proxy Setup
When using the Interactive crawling of a mobile application backend option in WebApps Information Gathering, you need to configure your Android device to connect through the proxy module that is created by Core Impact.
Below are the basic steps to make this configuration on your Android device:
As the steps we have documented here may not reflect your device exactly, please refer to the documentation that was provided with your device.
- Navigate on the Android device to Apps > Settings > Wi-Fi.
- Long press the wireless network to which you are connected.
- Click on Modify network.
- Check the Show advanced options option.
- Change Proxy settings from None to Manual.
- Fill in the Wifi Proxy Host and Wifi Proxy Port fields with the Core Impact web proxy address and port, respectively. These are found in the Module Output pane after you have run the WebApps Information Gathering RPT wizard (as shown in the example below).
Figure 26 - Module Output
Install SSL CA Certificate
When using the Interactive crawling of a mobile application backend option in WebApps Information Gathering, if the mobile app performs SSL connections with the backend server, you need to configure your mobile device with the Core Impact certificate file.
Below are the basic steps to make this configuration on your Android device (version 4.0 or higher). These steps add the certificate to the User trusted certificates, but you could also add it to the System list:
As the steps we have documented here may not reflect your device exactly, please refer to the documentation that was provided with your device.
- Move the certificate file (impact-wa.crt) located on the Core Impact computer in %ProgramData%\IMPACT\components\modules\webapps\install\data to the internal flash storage's root folder on the Android device.
- Navigate on the Android device to Settings > Security > Install from device storage.
- A window should pop up with the impact-wa certificate name. Select OK.
- If it is the first user certificate you install, the Android Security Model forces you to use a lock-screen to unlock your device.
- Check if the certificate file is installed correctly by navigating to Settings > Security > Trusted credentials > User. The User section should now list the certificate named CoreST.
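The check in the last step can be made stronger by comparing fingerprints rather than names. The following PowerShell script is an added example, not part of the Core Impact documentation; it assumes it is run on the Core Impact computer and that the certificate is at the path given above.

```powershell
# Added example: inspect impact-wa.crt before copying it to the Android device.
# Assumption: run on the Core Impact computer; path taken from the steps above.
$certPath = Join-Path $env:ProgramData 'IMPACT\components\modules\webapps\install\data\impact-wa.crt'
if (-not (Test-Path -LiteralPath $certPath)) {
    throw "Certificate not found: $certPath"
}

# Load the certificate file (DER or Base64 encoded).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# SHA-256 fingerprint over the DER encoding, as colon-separated hex.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $fp256 = ($sha256.ComputeHash($cert.RawData) |
        ForEach-Object { $_.ToString('X2') }) -join ':'
} finally {
    $sha256.Dispose()
}

# Read the basicConstraints extension to see whether the CA flag is set.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Summary to compare against what the device displays.
[pscustomobject]@{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotBefore = $cert.NotBefore
    NotAfter  = $cert.NotAfter
    IsCA      = $isCa
    SHA1      = $cert.Thumbprint
    SHA256    = $fp256
} | Format-List

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has expired.'
}
if (-not $isCa) {
    Write-Warning 'The basicConstraints CA flag is not set on this certificate.'
}
```

Compare the SHA256 value with the fingerprint shown when you open the certificate under Settings > Security > Trusted credentials > User.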