Some of my personal summaries
1. Web attacks are the most important attack vector; another article describes them in detail.
In practice, attacks mainly target the server side; after all, compromising a single client does not yield much data, and few users are affected.
2. Insecure interfaces. Many externally exposed interfaces can be accessed without any verification, so they can be queried freely (crawled for data) and sometimes even used for update and delete operations. Check the client's IP address and add IP/domain name black and white lists: an IP blacklist for the external environment, an IP/domain whitelist for the internal environment. Use an upper-level service (a gateway in front of the business logic) to check the parameters carried by incoming requests: the b parameter, the c parameter, login information, the token. Using unencrypted request parameters is a risk.
Incorrect use of HTTPS (I do not fully understand this one ...).
Attackers use a packet-capture tool or an HTTP debugging tool to tamper with requests.
3. Android/iOS document directory permissions. Do not leave files with open (world) read or modify permissions.
Strings in Android static files should be encrypted to prevent tampering.
Verify outgoing requests: only requests to the specified domain name may be issued (Android and iOS both have ready-made methods for this, documented on their official sites).
Avoid storing data in local files (SharedPreferences and the like) or databases as far as possible; any data that must be stored has to be encrypted.
4. Android root and iOS jailbreak give elevated access to private data. Detect whether the device is rooted or jailbroken and refuse to start if it is.
Note that some third-party tools can hook the method that detects jailbreak or root.
5. Reverse engineering of SO and dex files. Keep the important code in the SO (native) library.
Packing, using a third-party packer tool.
Code obfuscation (better than nothing).
6. Outdated encryption and hashing methods. MD4, MD5 and others are obsolete (I can't remember the rest); online lookup tools for them are very mature (CMD5). Do not define a new encryption rule yourself (anything done locally can be cracked).
Recommended: 3DES, RSA (often used for client-side payment), and one more kind that I forget ...
7. Insecure session handling: login information is kept valid for too long (this also depends on business requirements; settle on a compromise).
A related bug: verification codes that are valid for too long, or that remain valid when they should have expired.
8. Interface and site links are poorly (predictably) named, so attackers can directly brute-force them or run credential stuffing against them. Mitigations: change the link names, check the accessing IP, and automatically add offenders to a (temporary) blacklist.
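The "check the accessing IP, auto-add to a temporary blacklist" idea from points 2 and 8, worked out as an added example (not code from the original notes): a sliding-window counter over constructed access-log lines that blocks an IP for a fixed time after too many failed lookups. The log format, thresholds and IP addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample access log (not from the original post):
# "<epoch seconds> <client ip> <method> <path> <status>", one request per line.
SAMPLE_LOG = """\
1000 203.0.113.5 GET /api/v1/user/1001 200
1001 203.0.113.5 GET /api/v1/user/1002 404
1002 203.0.113.5 GET /api/v1/user/1003 404
1003 203.0.113.5 GET /api/v1/user/1004 404
1004 203.0.113.5 GET /api/v1/user/1005 404
1005 203.0.113.5 GET /api/v1/user/1006 404
1006 203.0.113.5 GET /api/v1/user/1007 200
1010 198.51.100.7 GET /api/v1/profile 200
1011 198.51.100.7 GET /api/v1/orders 404
1700 203.0.113.5 GET /api/v1/user/1001 200
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

class TempBlocklist:
    """Temporarily blacklists an IP that produces `threshold` failed
    lookups (403/404) within a sliding window of `window_s` seconds."""
    def __init__(self, threshold=5, window_s=60, block_s=600):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> epoch second the block expires

    def is_blocked(self, ip, ts):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if ts >= until:                      # block expired: drop it
            del self.blocked_until[ip]
            return False
        return True

    def observe(self, ts, ip, status):
        """Record one request; return True if it should be served."""
        if self.is_blocked(ip, ts):
            return False
        if status in (403, 404):
            q = self.failures[ip]
            q.append(ts)
            while q and q[0] <= ts - self.window_s:   # forget old failures
                q.popleft()
            if len(q) >= self.threshold:
                self.blocked_until[ip] = ts + self.block_s
                q.clear()
                return False
        return True

def replay(log_text, policy=None):
    """Run the policy over log lines; return [(ip, path, allowed)] and the policy."""
    policy = policy or TempBlocklist()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            allowed = policy.observe(int(m["ts"]), m["ip"], int(m["status"]))
            decisions.append((m["ip"], m["path"], allowed))
    return decisions, policy
```

The fifth consecutive miss from 203.0.113.5 trips the block and the following request is rejected, while the single 404 from 198.51.100.7 stays below the threshold; the block has lapsed by the time the last line is seen.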
9. Users skipping authentication. Pay attention to this when designing beta test cases.
On Android, the ADB tool can invoke an activity directly; testers should design test cases for this during beta testing (and not only that: once an activity is invoked directly through ADB, parameters can be set to issue crafted requests, such as SQL injection and other attacks, so those cases need to be covered too).
10. Debug information printed to Logcat during testing. Strictly control it: debug information must not be shipped to production, the debug entry point must be closed at release time, and the log level must be limited. Testers must be aware of this.
From my notes (Wiz)
Mobile Internet security related information