With the growth of the Internet and the spread of mobile apps, I recently looked into security testing of mobile apps, focusing on WebView-based applications. Seen from the angle of intrusion or attack, the main hidden dangers lie in HTTP packet capture and reverse engineering.
At present most apps still talk HTTP or HTTPS, so guarding against leakage of user information and of the system's own data through packet capture is essential. While capturing traffic you may see information about other users, such as phone numbers or QQ numbers, that should not appear on the page; that it is not displayed does not mean the server did not send it. Many restrictions are enforced only on the client side, so with a packet capture the data an app holds about unfamiliar users can be viewed in full. Likewise, in many posting and push-message features, if the server does not validate the message, it can be captured, tampered with and resent without the server reacting, which leaves a serious hidden danger. Reverse engineering applies particularly well to Android: an app can be understood, decompiled, modified, or have code inserted to achieve whatever purpose the attacker wants.
Security testing strategy
1. User privacy
Check whether the user password is saved locally and, if so, whether it is encrypted.
Check whether sensitive private information, such as chat history, contact (relationship) lists and bank account details, is stored encrypted.
Check whether system files and configuration files are stored in plain text on external storage; before each use the app needs to verify that this information has not been tampered with.
Locally stored data can be inspected in the app's SharedPreferences files and database files (in the app's installation directory, after rooting the device), and you should check whether sensitive data is written to external storage.
2. File permissions
Check the directory where the app's data resides; its permissions must not allow other group members to read or write it.
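The two checks above (plaintext secrets in SharedPreferences, and data files readable or writable by other users) can be scripted once the app's data directory has been pulled from a rooted device. The following is an added example written for this page, not code from the original article; it builds a constructed directory laid out like /data/data/<package>/ with one deliberately world-writable database and one SharedPreferences file, and the sensitive-key list and the "looks encrypted" heuristic are hypothetical starting points to tune for the app under test.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Preference keys whose values should never sit in local storage unencrypted.
# Hypothetical starter list: extend it for the app under test.
SENSITIVE_KEY_RE = re.compile(
    r"pass(word|wd)?|pwd|token|secret|session|bank|card|phone|mobile", re.I)
# Crude "looks encrypted or encoded" heuristic: a long base64 or hex blob, nothing else.
ENCODED_VALUE_RE = re.compile(r"^(?:[A-Za-z0-9+/]{24,}={0,2}|[0-9a-fA-F]{32,})$")

# Constructed SharedPreferences file in the format Android writes to
# /data/data/<package>/shared_prefs/<name>.xml.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">dGhpcyBpcyBhIHNhbXBsZSB0b2tlbiB2YWx1ZQ==</string>
    <boolean name="remember_me" value="true" />
    <string name="phone">13800000000</string>
</map>
"""


def audit_shared_prefs(xml_text):
    """Return (key, value_preview) for sensitive-looking keys stored as plaintext."""
    findings = []
    for elem in ET.fromstring(xml_text):
        key = elem.get("name", "")
        if not SENSITIVE_KEY_RE.search(key):
            continue
        # <string> keeps its value as element text; other types use a value attribute.
        value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
        if value and not ENCODED_VALUE_RE.match(value):
            findings.append((key, value[:4] + "..."))
    return findings


def audit_permissions(app_dir):
    """Return (relative_path, octal_mode) for entries that group or others can read or write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(app_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & 0o066:  # any of g+r, g+w, o+r, o+w is set
                findings.append((os.path.relpath(full, app_dir), oct(mode)))
    return sorted(findings)


def build_sample_app_dir():
    """Construct a throwaway directory shaped like an app data directory, with one bad mode."""
    base = tempfile.mkdtemp(prefix="appaudit_")
    prefs_dir = os.path.join(base, "shared_prefs")
    db_dir = os.path.join(base, "databases")
    os.makedirs(prefs_dir)
    os.makedirs(db_dir)
    with open(os.path.join(prefs_dir, "settings.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PREFS)
    with open(os.path.join(db_dir, "app.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00")  # constructed header bytes, not a real database
    os.chmod(prefs_dir, 0o700)
    os.chmod(db_dir, 0o700)
    os.chmod(os.path.join(prefs_dir, "settings.xml"), 0o600)
    os.chmod(os.path.join(db_dir, "app.db"), 0o666)  # deliberately readable/writable by everyone
    return base


def run_audit(app_dir):
    """Run both checks over an app data directory and return the findings by category."""
    prefs_findings = []
    prefs_dir = os.path.join(app_dir, "shared_prefs")
    if os.path.isdir(prefs_dir):
        for name in sorted(os.listdir(prefs_dir)):
            if name.endswith(".xml"):
                with open(os.path.join(prefs_dir, name), encoding="utf-8") as fh:
                    for key, preview in audit_shared_prefs(fh.read()):
                        prefs_findings.append((name, key, preview))
    return {"permissions": audit_permissions(app_dir), "plaintext_prefs": prefs_findings}


if __name__ == "__main__":
    for category, items in run_audit(build_sample_app_dir()).items():
        print(category)
        for item in items:
            print("   ", item)
```

On a real device the directory would come from `adb pull /data/data/<package>/` on a rooted handset; the permission check then answers the file-permission question and the preference scan answers the plaintext-secret question in one pass. The base64/hex heuristic only says a value does not look like an obvious plaintext, so anything it passes still needs a manual look.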
3. Network Transmission
Check whether sensitive information is encrypted during network transmission; important data should be sent over TLS or SSL.
HTTP requests are plaintext by default, and if the authentication and encryption mechanisms are weak, network sniffing and scanning make the traffic easy to guess and simulate, and injection becomes possible.
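Whether an Android app is even allowed to send plaintext HTTP is decided by its manifest and, if it ships one, its network security configuration, so that is the first thing to read before capturing traffic. The following is an added example for this page, not code from the original article: it parses a constructed AndroidManifest.xml and res/xml/network_security_config.xml and reports where cleartext traffic is permitted, applying the platform default (cleartext allowed when targeting API 27 or lower, blocked from API 28). Only top-level domain-config entries are evaluated; nested ones are left out.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation name for an android:<name> attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


def audit_cleartext(manifest_xml, nsc_xml=None):
    """List (scope, reason) entries describing where plaintext HTTP is permitted.

    nsc_xml is the text of res/xml/network_security_config.xml when the app ships
    one; a network security config overrides the manifest-level flag.
    """
    findings = []
    manifest = ET.fromstring(manifest_xml)
    uses_sdk = manifest.find("uses-sdk")
    target_sdk = int(uses_sdk.get(android_attr("targetSdkVersion"), "1")) if uses_sdk is not None else 1
    platform_default = target_sdk < 28  # cleartext allowed by default only below API 28

    if nsc_xml is None:
        app = manifest.find("application")
        flag = app.get(android_attr("usesCleartextTraffic")) if app is not None else None
        allowed = platform_default if flag is None else flag == "true"
        if allowed:
            findings.append(("*", "manifest usesCleartextTraffic=%s, targetSdk=%d" % (flag, target_sdk)))
        return findings

    nsc = ET.fromstring(nsc_xml)
    base = nsc.find("base-config")
    base_flag = base.get("cleartextTrafficPermitted") if base is not None else None
    base_allowed = platform_default if base_flag is None else base_flag == "true"
    if base_allowed:
        findings.append(("*", "base-config permits cleartext for every domain"))
    for dc in nsc.findall("domain-config"):
        dc_flag = dc.get("cleartextTrafficPermitted")
        dc_allowed = base_allowed if dc_flag is None else dc_flag == "true"  # inherits from base
        if dc_allowed and not base_allowed:
            for dom in dc.findall("domain"):
                scope = "domain and subdomains" if dom.get("includeSubdomains") == "true" else "domain only"
                findings.append((dom.text.strip(), "domain-config permits cleartext (%s)" % scope))
    return findings


# Constructed manifest: targets API 30 but opts back in to cleartext app-wide.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:targetSdkVersion="30" />
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config" />
</manifest>
"""

# Constructed network security config: secure by default, one legacy host excepted.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.legacy.example.com</domain>
  </domain-config>
</network-security-config>
"""

if __name__ == "__main__":
    print("manifest only:", audit_cleartext(SAMPLE_MANIFEST))
    print("with config:  ", audit_cleartext(SAMPLE_MANIFEST, SAMPLE_NSC))
```

The two calls show why the config file matters: read on its own, the manifest says the whole app may use HTTP, while the network security config narrows that to a single legacy host. Any host the script reports is where a packet capture will show plaintext and where the server-side validation questions from the introduction apply.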
4. Interpreter protection at runtime
For software with an embedded interpreter, check for XSS and SQL injection vulnerabilities.
For apps that use WebView, check for URL spoofing vulnerabilities.
5. Android component permission protection
Prevent the app's internal components from being invoked by arbitrary third-party programs. If a component must be callable externally, check whether the caller is restricted by a signature requirement.
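The component check can be done directly against the decoded AndroidManifest.xml: a component is reachable by other apps when it sets android:exported="true", or when it declares an intent-filter without an explicit android:exported value. The following is an added example for this page, not the article's own code. It walks a constructed manifest and reports exported activities, services, receivers and providers that carry no permission at all, plus those guarded only by a permission the app declares with protectionLevel "normal" (which any app can request), since the page's point is that an externally callable component should be limited to signature-level callers. The launcher activity is skipped because it has to be exported.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def android_attr(name):
    """Clark-notation name for an android:<name> attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_launcher(component):
    """True for the activity the home screen starts; it must be exported by design."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(android_attr("name")) for a in flt.findall("action")}
        categories = {c.get(android_attr("name")) for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def unguarded_exported_components(manifest_xml):
    """Return (tag, class name, reason) for components other apps can reach without a strong permission."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel defaults to "normal" when the <permission> element omits it.
    levels = {p.get(android_attr("name")): p.get(android_attr("protectionLevel"), "normal")
              for p in root.findall("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(android_attr("name"))
        exported_attr = comp.get(android_attr("exported"))
        has_filter = comp.find("intent-filter") is not None
        # No explicit android:exported: a component with an intent-filter is exported.
        exported = exported_attr == "true" if exported_attr is not None else has_filter
        if not exported or is_launcher(comp):
            continue
        guard = next((comp.get(android_attr(p)) for p in PERMISSION_ATTRS if comp.get(android_attr(p))), None)
        if guard is None:
            how = "explicit android:exported=true" if exported_attr is not None else "implicit via intent-filter"
            findings.append((comp.tag, name, how))
        elif levels.get(guard) == "normal":
            findings.append((comp.tag, name, "guarded only by normal-level permission " + guard))
    return findings


# Constructed manifest covering the usual cases; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <permission android:name="com.example.demo.permission.SYNC" android:protectionLevel="signature" />
  <permission android:name="com.example.demo.permission.EXPORT" android:protectionLevel="normal" />
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true" />
    <activity android:name=".SettingsActivity" />
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC" />
    <service android:name=".ExportService" android:exported="true"
             android:permission="com.example.demo.permission.EXPORT" />
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.demo.PUSH" />
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in unguarded_exported_components(SAMPLE_MANIFEST):
        print(finding)
```

SyncService passes because its permission is declared at signature level, which is the "signing limit" the text asks for; ExportService is reported because a normal-level permission can be obtained by any installed app. Permissions the app does not declare itself (system permissions) are left alone, since their level is not visible in this manifest.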
6. Upgrade
Check whether the integrity and legitimacy of the upgrade package are verified, to prevent the upgrade package from being hijacked.
7. The application's own security
Reverse the application and check whether the compiled code exposes any sensitive information. Code that is modified, has hijacking code inserted, and is then repackaged is a serious threat to both users and developers.
Require the application to be encrypted (packed) to prevent static cracking, theft of the source code, and the embedding of malicious viruses, ads and similar behaviour, followed by repackaging and re-signing with tooling into a "second-packaged" application.
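A first pass over the output of a decompiler (for example the Java that jadx or the smali that apktool produces) is a pattern scan for the kind of material the text warns about: embedded credentials and keys, and plain http:// endpoints. The following is an added example for this page, not code from the original article; the pattern list is a hypothetical starting set and the "decompiled" source it scans is constructed inline.

```python
import re

# Starter patterns a reviewer greps for in decompiled output. Hypothetical list; extend as needed.
PATTERNS = {
    "hardcoded credential": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']([^\"']{4,})[\"']"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "plain http endpoint": re.compile(r"[\"'](http://[^\"'\s]+)[\"']"),
}


def scan_source(text, filename="<memory>"):
    """Return (filename, line number, label, line excerpt) for every pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, lineno, label, line.strip()[:60]))
    return findings


def scan_tree(files):
    """Scan a mapping of {path: source text}, as produced by walking a decompiler's output directory."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(files[path], path))
    return findings


# Constructed decompiled class; every value in it is a made-up placeholder.
SAMPLE_JAVA = """package com.example.demo;

public class Config {
    static final String BASE_URL = "http://api.legacy.example.com/v1/";
    static final String API_KEY = "sk_live_EXAMPLE0000000000";
    static final String LOG_TAG = "DemoApp";
    static final String DEBUG_PASSWORD = "letmein123";
}
"""

if __name__ == "__main__":
    for finding in scan_tree({"com/example/demo/Config.java": SAMPLE_JAVA}):
        print(finding)
```

Each hit is something an attacker reading the decompiled code also sees, so the remediation question is the one the text raises: whether the value needs to be in the client at all, and if it does, whether packing or obfuscation of that class is in place.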
8. Interface interception
Gaining root access through ADB shell commands or third-party software makes it possible to intercept the private information a user enters in the mobile interface and then act on it maliciously.
For mobile applications, security testing plays an increasingly important role in app testing, and the security of user information also determines whether an application will succeed, not to mention mobile banking and the financial and securities apps that value it most highly.
Analysis of security testing strategy for mobile app testing