At this stage, we have statically analyzed and assessed how data is stored within example IoT mobile applications. We have yet to view the API traffic sent between the application and server. Viewing and tampering with application communication at runtime is known as dynamic analysis, which focuses on evaluating an app during its execution. Dynamic analysis is conducted both on the mobile platform layer and against the backend services and APIs of mobile applications, where requests and responses can be analyzed. In this recipe, we will set up a dynamic analysis testing environment for iOS and walk you through some test cases.
For this recipe, Burp Suite and/or OWASP ZAP will be used to observe application communication. Access to both an iDevice and an Android device is also needed to perform this recipe. The iDevice and Android device do not have to be jailbroken or rooted, which is the nice part of viewing app communications...