This week’s security app is a clever little online tool called Zscaler Application Profiler (ZAP). Developed by security firm Zscaler, ZAP allows users to scan their iOS and Android apps to check them for security issues.
ZAP basically analyzes the traffic generated by the mobile app to search for any privacy or security risks.
There are four main categories that influence the overall score of an app: authentication, device metadata leakage, exposed content, and personally identifiable information leakage.
You can check the security level of an app by searching the historical results for the app’s name. You can also perform the audit yourself by installing a web proxy known as mitmproxy and by making a couple of simple modifications to your Internet connection settings.
In a practical example we have detailed earlier, ZAP was utilized to identify a cross-site scripting (XSS) vulnerability in ESPN ScoreCenter. Besides the XSS issue, ZAP has also found that the iOS application is actually transmitting users’ passwords via an unsecured connection.
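As an added illustration (not Zscaler's code and not ZAP's scoring logic), the Python below checks requests captured through a proxy for three of the categories above: credentials sent over plaintext HTTP, device identifiers, and e-mail addresses. The parameter names, hosts and sample traffic are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names are assumptions chosen for illustration, not ZAP's rule set.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass"}
DEVICE_KEYS = {"udid", "imei", "device_id", "mac"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_request(url, body=""):
    """Return a sorted list of (category, detail) findings for one request."""
    parts = urlsplit(url)
    # Inspect both query-string and form-encoded body parameters.
    params = parse_qsl(parts.query) + parse_qsl(body)
    plaintext = parts.scheme.lower() == "http"
    findings = set()
    for key, value in params:
        name = key.lower()
        if name in CREDENTIAL_KEYS and plaintext:
            findings.add(("authentication", f"{key} sent over plaintext HTTP"))
        if name in DEVICE_KEYS:
            findings.add(("device metadata leakage",
                          f"{key} sent to {parts.hostname}"))
        if EMAIL_RE.search(value):
            findings.add(("personally identifiable information leakage",
                          f"email address in {key}"))
    return sorted(findings)


def audit_capture(requests):
    """Map each URL (query stripped) to its findings; clean requests are omitted."""
    report = {}
    for url, body in requests:
        found = audit_request(url, body)
        if found:
            report.setdefault(url.split("?", 1)[0], []).extend(found)
    return report


# Constructed sample capture: hosts and values are made up.
SAMPLE = [
    ("http://api.example.test/login", "user=alice%40example.test&password=hunter2"),
    ("https://ads.example.test/track?udid=0123456789abcdef&os=ios", ""),
    ("https://api.example.test/login", "user=bob&password=s3cret"),
]

if __name__ == "__main__":
    for url, found in audit_capture(SAMPLE).items():
        for category, detail in found:
            print(f"{url}: [{category}] {detail}")
```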
Zscaler has made a 10-minute video in which it shows how ZAP can be used and how to interpret the results.