Android App Security Test basics

<span id="Label3"></p><p><p>Learn the cow experience, combine your own tests, do a simple summary:</p></p><p><p><span style="font-size: 16px;"><strong>Brief introduction:</strong></span><br>Android app security testing currently covers the following areas:<br>1) safety of its own components<br>2) Local Sensitive data protection<br>3) Web Interface Security<br><br><strong><span style="font-size: 16px;">one, the security of its own components</span></strong><br>currently, manual, open source, or free tools can detect such vulnerabilities.<br>Open Source Tools Recommendation: Drozer<br>Free Tools Recommended: 360 catch the worm hunter, Love encryption, Ali Poly Security</p></p><p><p><br>of course, the scan results and vulnerability Scan results, there is false positives, need to be excluded by the Tester.<br>For example, in Figure 360, "service component exposure" false positives:</p></p><p><br>But in fact, in androidmanifest.xml, the relevant permissions have been declared:<br><br><uses-permission android:name= "android.permission.INTERNET"/><br><uses-permission android:name= "android.permission.ACCESS_NETWORK_STATE"/><br><uses-permission android:name= "android.permission.ACCESS_WIFI_STATE"/><br><uses-permission android:name= "android.permission.READ_PHONE_STATE"/><br><uses-permission android:name= "android.permission.GET_TASKS"/><br><uses-permission android:name= "android.permission.VIBRATE"/><br><permission android:name= "com.xiaomi.mipushdemo.permission.MIPUSH_RECEIVE" android:protectionlevel= "signature "/><br><!--here Com.xiaomi.mipushdemo change to App package name---<br><uses-permission android:name= "com.xiaomi.mipushdemo.permission.MIPUSH_RECEIVE"/><br><!--here Com.xiaomi.mipushdemo change to App package name---<br><br><span style="font-size: 16px;"><span style="font-size: 16px;"><strong>second, Local sensitive data protection</strong></span></span><br>Sensitive data set in login authentication information and important business data<br>If you do not store sensitive data locally, but instead rely on the web to get it from the server side, this part of the test can be skipped.<br>If sensitive data is stored locally, the test process is mainly divided into: find storage location and decrypt data</p><p><p><br><span style="color: #ff0000;"><strong><span style="font-size: 14px;">Testing Process:</span></strong></span><br><br>one hand<br>1, install the relevant app on the simulator or the development machine<br>2, The root Explorer and other tools to analyze the installation directory (/data/data/package Name) and data storage directory (/android/data/package name), looking for possible sensitive data files<br>3. Try to open a sensitive data file using tools such as Sqlitebrowser<br><br>On the other hand<br>1, anti-compilation app, Analysis Source code<br>2, analyze the data stored procedures, get the data storage path and possible password information<br>3. Try to open a sensitive data file using tools such as Sqlitebrowser<br><br>In addition, you can also look for possible log files, which may also have potentially sensitive Data. In particular, it was discovered in the previous process that Logcat could disclose program privacy information and sensitive Information.<br><br><span style="font-size: 16px;"><strong>third, Web Interface Security</strong></span><br>This section is consistent with web App security Testing. The complexity is highly dependent on the App's business Functions.<br>Common security vulnerabilities are consistent with Web application security Vulnerabilities.<br>In addition, you need to focus on logical vulnerabilities: login security policy is inconsistent with master, privilege elevation (unauthorized Access or operation), etc.</p></p><p><p><br><span style="color: #ff0000;"><strong><span style="font-size: 14px;">Testing Process:</span></strong></span></p></p><p><p><br>1, install the relevant app on the simulator or the development machine<br>2. Get Web Access path through agent tools such as Burpsuite<br>3. Scan the Web Access path for vulnerability<br>4. Manual testing of the Web Access path<br><br></p></p><p><p>Android App Security Test basics</p></p></span>