After many months of hard work by the ThreatLabZ Team, I'm very pleased to unveil ZAP (Zscaler Application Profiler). ZAP makes it easy for anyone to determine the risk posed by a given mobile application. Users can do this by either looking up past results, or more importantly, proactively scan any iOS/Android app.
Why did we build ZAP? Being a inline security solution inspecting web traffic, it's imperative that we're able to not only analyze traditional web traffic, but also web traffic sent by mobile applications. While we think of mobile apps as native software, in many ways they behave like custom web browsers, leveraging HTTP(S) for communication. We therefore started building ZAP as an internal resource to analyze mobile app traffic, but quickly realized that people are all too trusting of mobile apps downloaded from an 'official' app store. Leveraging ZAP, our research has shown that apps commonly expose privacy and security risks from sending passwords in clear text to sharing personally identifiable information (PII) with third parties and that's why we're also releasing a public version of ZAP - to empower people to see this for themselves.
The easiest way to leverage ZAP is to search through the historical results. Simply by typing the name of a mobile application in the search field, you can see if it has previously been analyzed. To further refine your search, you can additionally include the OS name (iOS or Android).
Sample ZAP Search Results
In the sample results above, you'll note that the application receives an overall score out of 100 with high numbers representing a greater security/privacy risk. Detail is also provided on the following four categories which influence the overall score:
Authentication - Username/password information sent in clear text or using weak encoding methods
Device Metadata Leakage - Transmission of device information such as the UDID (Unique Device Identifier), MAC address or details about the operating system
PII Leakage - Sharing personally identifiable information such as phone numbers, email addresses, mailing addresses, etc.
Exposed content - Communication with third parties such as advertisers and analytic firms
The true power of ZAP comes from it's ability to empower anyone to capture and analyze the web traffic from a mobile application. In order to accomplish this, we leveraged an excellent web proxy known as mitmproxy, built a front end to interface with it and created engines to automatically analyze the captured traffic to hilight security/privacy issues.
Scanning an application is as simple as pointing your phone to ZAP and using the application that you want to analyze - that's it. View the video below for a detailed walkthrough of the scanning functionality, but overall, it's a simple six step process as noted in the image below.
The video below provides a detailed walkthrough of all ZAP functionality.
We look forward to hearing your feedback on how we can continue to improve ZAP, so please take it for a test drive and let us know what you think. There are many mobile apps that expose users to security/privacy risks and to date, the app store gatekeepers aren't doing an adequate job of protecting end users from these threats. Using ZAP you can help analyze the ever growing list of mobile apps and reveal those that are putting users at risk.