Cloud Security -

Video walkthrough of setting up ZAP tool for Android:

  1. Installation
  1. Download ZAP from here.
  2. Install and open ZAP        

  1. Installing certificate

Since all requests and responses are proxied by ZAP, the certificate verification will fail for sites using SSL (HTTPS) and the connection will be terminated. To prevent this from happening, ZAP generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time ZAP is run, and is stored locally. To use the ZAP Proxy with these websites, you will need to install ZAP’s CA certificate as a trusted root for your device.

  1. Go to Tools>Options>Dynamic SSL Certificate. Click Generate and then click Save.
  2. Save the certificate in the desired location. Make sure the file has a .cer extension
  1. Send the certificate to the android device (This could be done via email)
  2. Upon receiving the certificate, click on it to open the certificate.

  1. Give the certificate a suitable name. For credential use, select “VPN and apps”. Click OK.

  1. Configuring Proxy

  1. Connect your laptop/PC to a known Wifi network (A dedicated router works best.)
  2. In the ZAP UI, go to Tools>Options>Local Proxy
  3. Set Address as Blank
  4. Set port number to a port of your choosing (preferably 8080)

  1. Find out the IP address of your laptop/PC (Type ipconfig in the command line for windows, ifconfig in terminal for mac/linux)
  2. On your Android device go to Settings>Wifi
  3. Connect to the same network as your laptop/PC.
  4. Touch and hold the wifi network.
  5. Select modify network.
  6. Tick the checkbox “Show advanced options”
  7. Set the Proxy to Manual
  8. Type the laptop/PC’s IP address in Server field, and the port number as selected earlier (8080). Leave the rest of the settings as default.

  1. Click Save.
  2. Open any SSL website in your android browser and make sure the site shows up below Sites list in ZAP

Next: Running the Scan