A penetration tester is evaluating the security of a new mobile banking application. Upon reviewing the app's architecture, the tester discovers that the application is using an outdated third-party library known to have critical vulnerabilities that could lead to remote code execution. Before reporting this finding, the tester seeks to validate the vulnerability. Which of the following steps should the tester take to confirm the vulnerability?
Scan the application with a generic mobile vulnerability assessment tool to identify all possible weaknesses.
Analyze public vulnerability reports of the outdated library to create a proof-of-concept exploit confirming the issue.
Intercept traffic between the mobile application and its backend services to identify information leaks.
Modify the app source code to patch the library and observe changes in the app's behavior during runtime.