Their domain is https://epayments.nairobi.go.ke/selfservice/login
I haven't checked SSL on them, but I wonder if it is, or even whether
they have tested security on them or have any form of security
standards.
--
On 2/10/15, Benjamin Muraguri via skunkworks <skunkworks@lists.my.co.ke> wrote:
> How are you able to tell whether a mobile app uses SSL? Even for say an
> email or banking app. For web applications, the URL gives it away, but for
> a mobile application, how can one tell whether data is being transmitted
> securely?
>
> On Tue Feb 10 2015 at 13:40:48 John K. via skunkworks <
> skunkworks@lists.my.co.ke> wrote:
>
>> Seems they may have patched the site, still waiting for a fix for the app.
>> I'll keep checking, for now the previous advice remains. Do not use the app
>> until they, at the very minimum, enforce SSL.
>>
>> On a side note, can the devs explain why they are using a hard coded IP?
>> If the IP tomorrow is not available, all installed apps become useless?
>> Many users have no idea how to update apps, so, saying you'll force an
>> update is not an option.
>>
>> On Monday, February 9, 2015, Allan O. via skunkworks <
>> skunkworks@lists.my.co.ke> wrote:
>>
>>> Looks like they've taken measures to resolve those issues?
>>>
>>> On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <
>>> skunkworks@lists.my.co.ke> wrote:
>>>
>>>> Anyone know the devs of the Nairobi County App at JamboPay? Need to
>>>> notify them of some serious security concerns in their app. Serious to the
>>>> point that I won't use the app until they are patched.
>>>>
>>>> And if anyone on this list uses it, please don't use the same PIN you
>>>> use for other secure services like Mpesa, ATM etc. until these issues are
>>>> patched.
>>>>
>>>> _______________________________________________
>>>> skunkworks mailing list
>>>> skunkworks@lists.my.co.ke
>>>> ------------
>>>> List info, subscribe/unsubscribe
>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>> ------------
>>>>
>>>> Skunkworks Rules
>>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>>> ------------
>>>> Other services @ http://my.co.ke
>>>>
>>>
>
--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/