Abstract
The number of mobile internet users continues to grow, and mobile life continues to permeate people's daily lives. Mobile applications play an increasingly important role in major industries (financial consumption, travel, education, and entertainment). High dependence and complexity make network communication an important attack surface of mobile applications. How to quickly and efficiently discover security threats in the process of network interaction has become an urgent problem. This paper proposes a test method for Android applications based on fuzzing network packets. The scheme uses a man-in-the-middle technique to obtain the interaction data sent by servers to applications, applies different mutation strategies to original data of different types, returns the mutated response data to the applications, and uses log monitoring to capture crash information, thereby discovering potential security threats. Ten popular applications were tested with the proposed method, and four kinds of problems were discovered: unresponsiveness, crashes caused by JSON data exceptions, HTML content replacement, and URL redirection. The results indicate that the proposed method is effective in exposing bugs in mobile applications during network data interaction.
Cite
Liu, L., Huang, X., Zhou, A., Jia, P., & Liu, L. (2019). Fuzzing the Android Applications with HTTP/HTTPS Network Data. IEEE Access, 7, 59951–59962. https://doi.org/10.1109/ACCESS.2019.2915339