Create a lightweight, standalone testing environment for ad hoc testing of websites, apps, or any service that connects to a wireless internet connection.
- a quick test is needed to get an overview of how a service works;
- a quick test to see if more detailed analysis/examination is warranted;
- a more detailed review of a smaller number of apps or services;
- fast, time sensitive analysis using reliable tools in a controlled environment;
- a training or teaching kit on how online and in-app tracking works;
- Laptop with wireless card and an ethernet connection (or a Raspberry Pi): NOTE: some laptops don't need the ethernet connection, but I find the ethernet connection alongside the wireless card to be a slightly cleaner setup for testing
- Optional: Android or iOS phone (no SIM card required) - used for testing mobile apps.
- Optional: other devices for testing (needs exploration to see if/where this breaks)
The steps described here will create a laptop with a few special features designed for testing and review:
- The laptop functions as a wireless access point; devices connect to it, and all internet traffic is routed through it.
- Because all traffic is routed through it, this provides a convenient way to observe the traffic from the devices that connect to it.
- Because you (the tester) control both the Access Point and the devices connecting to it, you can limit the connections running through the system at any point in time; this creates a controlled and less noisy testing environment.
https://help.ubuntu.com/community/Installation/FromUSBStick
Post Install:
sudo apt-get update
sudo apt-get upgrade
python3 -V
sudo apt install -y python3-pip
sudo apt install build-essential libssl-dev libffi-dev python-dev
Optional - more information: https://www.digitalocean.com/community/tutorials/how-to-install-python-3-and-set-up-a-local-programming-environment-on-ubuntu-18-04 or https://www.digitalocean.com/community/tutorials/how-to-install-python-3-and-set-up-a-programming-environment-on-an-ubuntu-20-04-server
sudo apt install git
Optional - more information: https://www.digitalocean.com/community/tutorials/how-to-install-git-on-ubuntu-18-04
Install Wireshark: sudo apt install wireshark
Configure Wireshark to not require admin rights to run: sudo usermod -aG wireshark $(whoami)
Optional - more information: https://linuxhint.com/install_wireshark_ubuntu/
Install Zenmap and nmap: sudo apt-get install zenmap -y
OWASP ZAP requires Java to run; the install process for ZAP includes installing Java.
https://www.zaproxy.org/download/ - download Linux Installer
Switch to the "Downloads" directory: cd ~/Downloads/
Install Java: sudo apt install openjdk-8-jdk
Install ZAPsudo bash ./ZAP_2_9_0_unix.sh
The command above installs ZAP at:
/usr/local/zaproxy/zap.sh
/usr/local/bin/zap.sh
(or: find / -iname zap.sh | less
)
To make it easier to run ZAP, create an alias:
Create and open the standard location to hold custom aliases: gedit ~/.bash_aliases
Set the alias as: alias zappy='/usr/local/bin/zap.sh'
Restart the computer; then, you will be able to start ZAP by opening up a terminal (via "Ctrl-Alt-t") and typing zappy.
https://mobsf.github.io/docs/#/requirements
Before creating an access point, test your ability to browse the web via both Tor and Firefox. This is pretty perfunctory, but it's a good check.
Check your IP address with both browsers: https://www.iplocation.net/find-ip-address
These instructions describe how to configure your machine to work as an access point: https://vitux.com/make-your-ubuntu-pc-a-wireless-access-point/
Once you have set up the computer to serve as an access point, put your phone in airplane mode, and then turn on your wireless. Connect to the newly created access point, and browse the web, check email, open an app, open Google Maps, and all should work normally.
https://thatoneprivacysite.net/choosing-the-best-vpn-for-you/
Make sure to choose a VPN that has servers located throughout the US, and internationally. This will allow for testing that looks for differences in state law, and international privacy law.
Testing without a VPN is NOT RECOMMENDED; among other reasons, many adtech companies profile based on IP address.
Once you have installed and selected a VPN, connect through it.
Test your ability to browse the web via both Tor and Firefox. Check your IP address with both browsers: https://www.iplocation.net/find-ip-address
This time, when checking your IP address via Firefox, your location and IP address should reflect the information from your VPN.
The process of creating testing personas is outside the scope of this document, but all testing should be done with an email designed for this purpose. In general, create a dummy GMail account. For general testing purposes, this account can be backstopped to an account tied to your actual identity, although a purist would be accurate in saying that additional steps should be taken to provide additional layers of separation between all test personas and your actual identity.
If any service you are testing requires a location, be sure to choose a physical location that corresponds with a server location supported by your VPN. In other words, if your VPN has servers located in San Franciso and Los Angeles, pick either one of these cities. Then, when connecting via your VPN, make sure to select a server in the corresponding location.