How to do it...

  1. As when configuring a web application testing environment, ZAP's or Burp Suite's CA certificate needs to be installed on your jailbroken device so that HTTPS requests can be proxied. This is done by adjusting the mobile device's Wi-Fi proxy settings to point at the IP address and port of your Burp Suite listener, as seen in the following screenshot:

The following screenshot shows how to configure the proxy settings of an iOS device to point to your Burp proxy listener. In this case, my Burp proxy is listening on IP address 192.168.2.183 and port 8080:

  2. Next, add the Burp CA certificate to the device by navigating to Burp's IP address and port with /cert as the URL path. In this case, Burp's address is http://192.168.2.183:8080/cert, as shown in the following screenshot:
  3. Once the URL is requested, iOS will ask whether you want to install a profile for Burp's CA certificate, as seen in the following image. Select Install, and HTTPS traffic can now be analyzed by Burp Suite.

The following screenshot shows HTTPS requests going through our Burp Suite proxy from our mobile device.

HTTPS requests via Burp Suite proxy
  4. Similar steps can be taken with an Android device. We will demonstrate how to set up ZAP's CA certificate. First, export ZAP's certificate by navigating to Tools | Options | Dynamic SSL Certificates. Save the certificate in a convenient location so it can be transferred to the Android device:
  5. The ZAPCert file needs to be downloaded onto the Android device. There are several ways to do this. A quick and handy trick for file transfer is Python's SimpleHTTPServer module. If you are using a *nix-based operating system, run the following command from the directory where the certificate resides:
$ python -m SimpleHTTPServer 1111
     On Python 3, the module was renamed, so the equivalent command is python3 -m http.server 1111.
  6. The Python web server will now be listening on port 1111. On your Android device, open a browser and navigate to the listening web server. In this case, the address is http://192.168.2.186:1111, as seen in the following screenshot:
  7. Download the certificate to the Android device. On the Android device, navigate to Settings | Security | Install from storage, and the Download folder should appear, as shown in the following screenshot:
  8. Select ZAP's certificate and give it a name, as shown in the following screenshot:
  9. Navigate to your wireless settings and modify the proxy settings to point to your ZAP proxy listener:
  10. Navigate to the target IoT mobile application and observe HTTPS requests and responses populating ZAP's History tab:
  11. Both the Android and iOS devices are now set up to proxy application requests and responses. With this access, parameters can be fuzzed for injection flaws (if testing has been authorized) and the app can be tested for business logic flaws. For example, while proxying the requests and responses generated by viewing a video from our target doorbell, we notice an access_token being sent as a URL parameter in a GET request for the MP4 of the video (CVE-2017-6085). Copying this GET request to our clipboard and pasting it into a browser allows the MP4 video to be downloaded without a username or password, as seen in the following images:
MP4 video download without a username or password
  12. The request is then copied to our clipboard:
  13. Paste the copied URL into a browser and observe the automatic download of the video doorbell event to your local computer:

Once the copied URL is requested in the browser, the browser should automatically ask where to save the downloaded video on your local computer:

The video is now downloaded as an .mp4 file and can be viewed, as seen in the following screenshot:

  14. Remember, we did not enter any username or password to download and watch this video. This shows that the doorbell manufacturer has access control issues for users and may indicate other holes in the product as well. For a video doorbell, accessing video feeds without credentials is a risk from both a security and a privacy perspective. Several vulnerabilities can be identified within this finding alone, which include sending session tokens as GET parameters, lack of token expiration, and insufficient access controls. An attacker may acquire the necessary access_token via social engineering or MITM techniques. Additional access control test cases can be performed with external user accounts as a follow-up to this finding.
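The two weaknesses behind this finding, a session token carried as a GET parameter and a token that keeps working long after it was issued, are easy to spot systematically in exported proxy history. The following script is an added example, not code from the book or from ZAP or Burp: it scans constructed history lines (timestamp, method, URL; the hostnames and token values are placeholders) of the kind you would export from ZAP's History tab or Burp's HTTP history, and reports both problems.

```python
"""Flag credential-bearing query strings in exported proxy history."""
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a URL: query strings end up in
# browser history, proxy logs, Referer headers and server access logs.
SENSITIVE_PARAMS = {"access_token", "token", "session", "sessionid",
                    "api_key", "apikey", "auth", "password"}
# Assumption: a token still accepted after this long has no real expiry.
MAX_TOKEN_LIFETIME_HOURS = 1

# Constructed sample history; hostnames and token values are placeholders.
SAMPLE_HISTORY = """\
2017-03-01T10:00:00 GET https://api.doorbell.example/v1/events?limit=20
2017-03-01T10:00:05 GET https://cdn.doorbell.example/clips/1234.mp4?access_token=TOKEN-PLACEHOLDER-1
2017-03-01T10:00:07 POST https://api.doorbell.example/v1/login
2017-03-02T09:30:00 GET https://cdn.doorbell.example/clips/1250.mp4?access_token=TOKEN-PLACEHOLDER-1
"""


def parse_history(text):
    """Yield (timestamp, method, url) tuples from one export line each."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, url = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), method.upper(), url


def find_token_leaks(text):
    """Return findings: tokens in query strings, plus long-lived reuse."""
    findings = []
    first_seen = {}  # token value -> timestamp it was first observed
    for ts, method, url in parse_history(text):
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() not in SENSITIVE_PARAMS:
                continue
            findings.append(f"{name} sent in {method} query string to "
                            f"{parts.netloc}{parts.path}")
            # Same token value seen again well past the assumed lifetime
            # points at the "lack of token expiration" issue.
            age = ts - first_seen.setdefault(value, ts)
            if age.total_seconds() > MAX_TOKEN_LIFETIME_HOURS * 3600:
                findings.append(f"{name} value reused after {age} "
                                f"(no expiration?)")
    return findings


if __name__ == "__main__":
    for finding in find_token_leaks(SAMPLE_HISTORY):
        print(finding)
```

The lifetime threshold is a modelling assumption; tune it to what the application's documentation or login response claims the token validity to be.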