App Local Service security test

Source: Internet
Author: User

I. Basic classification of security testing

1. System security
   System hardening: for example, on Linux close the Telnet port, change the SSH port, and detect unnecessary services (uninstall them, e.g. ping) so that the system is reduced to a minimum set.
   App security hardening: add a protective shell (packer), apply patches; for message middleware (ActiveMQ, RabbitMQ, SAFMQ) close the management page, non-service ports and default users.
   Firewall rules (iptables); antivirus.

2. Application security (installation package, service, business)
   Users (people and services), passwords, sensitive information.
   (1) Black and white lists (ip:port): access control.
   (2) Message plane: data encryption and signing.
   (3) Encryption algorithm security (symmetric, asymmetric).

3. Management security
   Business level: for general users.
   Management level: the management node creates virtual machines (resource management; the virtual machine provides business service once created successfully).
   Operational level: operational aspects of the business, for administrators (online, offline).

4. Network security
   Focus on the security of data in transit (source and destination): whether it is encrypted, and detection of data correctness and consistency (whether it has been forged). Transmission encryption: HTTPS + SSL.
   Not the focus: handling data consistency after packet loss (UDP).

5. Cloud security test
   User A is in security group A, user B in security group B.
   (1) Put A into B, or add B to A.
   (2) Rules: a->b (IP/UDP/ICMP), b->a one-way.
   Security: 1. hardware (firewall, switch); 2. software.

II. App local service security testing

Problem 1: What security threat classes does the app currently face?
1. Remote control (Trojan)
2. Malicious promotion (paid)
3. Plug-ins (backdoor)
4. Theft of sensitive and private information
5. Local process injection (the four components lack permission control)
6. Phishing (pirated/repackaged applications)

Account security. File security: minimum set of file permissions, whether files need encryption, desensitization processing (big data cleansing).
Payment security: account security, log security (user information disclosure), data storage (encrypted storage), secure encryption algorithm.
Process security: stateful resource monitoring, process management, whether scripts are safe for file storage.
Four components of app security (Drozer tool): Activity (life cycle; the service mechanism needs to grasp the state switching: start, resume, stop, finish), Service, Content Provider, Broadcast (one-to-one, many-to-many).

1. Installation package security
1.1 Can the installation package be decompiled? apk -> dex -> run decompilation: dex -> java -> decompiled code exposes user/pwd/password and other sensitive information.
   Code: (1) hard-coded user sensitive information; (2) code obfuscation: for languages that support reflection, obfuscation may conflict with reflection. Obfuscation does not really prevent reverse engineering, it only increases its difficulty; where security requirements are high, obfuscation alone does not guarantee the security of the source code. (3) Code scanning (Fortify): Fortify SCA is a static, white-box source code security testing tool with five built-in analysis engines (data flow, semantics, structure, control flow, configuration flow). During analysis it matches the code against its own software security vulnerability rule set to find the vulnerabilities present in the source code and produces a consolidated report.
1.2 Does the installation package have a signature? (1) Verify the signature with the correct key before publishing. (2) Command: jarsigner -verify -verbose -certs <apk package path>; expected result: "jar verified."
1.3 Is the installation package complete? (1) Download the installation package from the release platform. (2) Package integrity check: generally an MD5 check, verifying with an MD5 tool against the published MD5 value, e.g. an integrity check after the app is downloaded.
1.4 Permissions requested in the installation package: check AndroidManifest.xml for the permissions of each component. Query the permissions the app requests in the Android project's AndroidManifest.xml, remove unnecessary permissions such as location/contacts/messages, and keep only the permissions the app needs.

2. Soft keyboard hijacking
(1) Security issue: the user has installed an untrusted third-party keyboard input method; operations involving privacy or finances need a validation prompt.
(2) Recommendation: use the soft keyboard provided by the app itself; scan the phone for viruses regularly.

3. Account security (most important)
Account classification: user accounts (administrator, normal user); service accounts (interaction between multiple services requires a password); Docker (various services, communication may go through message middleware or configuration files carrying ip/port/user/password); hardware accounts (hardware dynamic libraries).
(1) Is the password stored in plaintext (database/configuration file)?
(2) Is the password encryption algorithm secure?
(3) Is the password encrypted in transmission?
(4) Is an account lockout policy supported (3 failed attempts, locked on the fourth)?
(5) Is multi-point login supported?
(6) Is access impossible after logging off (session; whether cookies are deleted)?
(7) Account authority control (vertical and horizontal privilege escalation). Vertical: a low-privilege attacker attempts to access a higher-privilege user's resources. Horizontal: an attacker attempts to access the resources of a user with the same privileges (between different departments or companies).
(8) Password security requirements (length, characters, numbers).

4. File security
(1) File permissions (read, write, execute for owner, group, others): grant each file the minimum permissions the business needs.
(2) Sensitive information in file contents (user name, password) and its encryption method. The encryption security requirements cover user names and passwords provided externally as well as authentication information for intra-program interactions: passwords must not be in plaintext, cryptographic configuration must use secure algorithms, and password length and format must meet the security requirements.
File upload and download: whether desensitization is performed (e.g. documents uploaded by a hospital), encryption, integrity check (hash value check), file storage.

5. Log security
(1) Business log: transaction serial number, the trading process.
(2) System internal interaction log: a -> b -> c, recording the entire interactive process; debug/interface/run/security logs. log.debug(message.toString()) prints all the information.
(3) Statistics/audit log: the system entry point records the number of messages received per minute.
(4) Key consideration: storage of sensitive information (passwords, etc.).
(5) Log management platform: collects the logs of the various systems.
Logs must not print password information or user privacy information; a security log function is required; logs need a cleanup mechanism.
Log security testing means: write your own scripts to scan the log files for user/pwd/password/username/userpwd (shell/python/search tools).

6. Process security
1. Startup
(1) Permission issues: on Win10 a running EXE often reports missing permissions; generally start services as a normal user. Linux: the service must not be started as root; start.sh should check that only the intended current user starts it.
(2) Data problems during startup: sometimes a process starts with a temporary file; consider whether that temporary file contains security-relevant information. Temporary files need to be removed during the boot process.
(3) Ports: after startup the external port is opened on the business network and the internal port on the local network. Port startup mechanism: does the current port carry security risks? Listening on 0.0.0.0 (all interfaces) allows an intranet port to be reached from the external network.
2. Run
(1) Cached information in the process that involves privacy must be encrypted.
(2) A running log must be recorded.
(3) The running process needs monitoring and authentication; running monitoring: VCS/HACS provide the guardian service.
(4) Interaction between multiple processes requires authentication.
3. Stop
(1) Clean up temporary files.
(2) Securely disconnect the related connections.

7. Data storage / file storage security
Features: data integrity, data backup, fault tolerance and redundancy; AI / machine learning.
(1) Importance of data: confidentiality, integrity, loss prevention; purpose: protecting data integrity for machine learning. Example: a Python crawler gathering statistics on singers' songs from 10 to the present: A: how many songs about the seasons (spring, summer, autumn, winter); B: how many songs about cities (Chengdu, Beijing, Shanghai ...); generate a report.
(2) Data media (hardware). Media: single file, database, file server, cache service. Database functionality: data integrity. Data storage: encrypted storage, access control, monitoring mechanism (service monitoring, data monitoring), backup and recovery.
(3) Database security: DCL, DDL, DML. Database scanning: NGSSQuirreL (globally recognized database scanning software) / Database Scanner.
Code security: scanning (Fortify).
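The log security item above says to scan log files for user/pwd/password/username/userpwd with your own script. The following Python scanner is an added example, not from the original notes: it flags lines where such a key is written out with a value and redacts the value so the scan report itself does not leak it. The sample log lines are constructed; the extra keys passwd and secret are an assumption.

```python
"""Scan log lines for credential fields that were written out with a value."""
import re
from typing import Iterable, List, Tuple

# Keys named in the notes as scan targets; 'passwd' and 'secret' are
# added here as an assumption. Longest first so 'userpwd' beats 'user'.
SENSITIVE_KEYS = ("userpwd", "username", "password", "passwd", "user", "pwd", "secret")

# key, optional quote, '=' or ':', optional quote, then the value token.
_FIELD_RE = re.compile(
    r'(?P<key>' + "|".join(SENSITIVE_KEYS) + r')["\']?\s*[=:]\s*["\']?'
    r'(?P<val>[^\s,;"\'&}]+)',
    re.IGNORECASE,
)

def redact(line: str) -> str:
    """Replace every credential value on the line with a fixed mask."""
    return _FIELD_RE.sub(lambda m: f"{m.group('key')}=<REDACTED>", line)

def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, Tuple[str, ...], str]]:
    """Return (line_number, matched_keys, redacted_line) per offending line.

    A key without a value (e.g. 'password changed successfully') is not a
    leak and is not reported, which keeps noise down on busy logs.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        keys = tuple(m.group("key").lower() for m in _FIELD_RE.finditer(line))
        if keys:
            findings.append((no, keys, redact(line.rstrip())))
    return findings

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO  login ok user=alice ip=10.0.0.5",
    '2024-01-01 10:00:02 DEBUG request {"username": "bob", "password": "hunter2"}',
    "2024-01-01 10:00:03 INFO  password changed successfully",
    "2024-01-01 10:00:04 DEBUG db_user=app userpwd=s3cret host=db1",
    "2024-01-01 10:00:05 WARN  token expired for session 42",
]

if __name__ == "__main__":
    for no, keys, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {no}: leaks {', '.join(keys)} -> {masked}")
```

Point the same function at a real file with `scan_log_lines(open(path, errors="replace"))`; the report contains only the masked lines.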
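The process security item above asks whether a port listening on 0.0.0.0 exposes an intranet service, and the system hardening item says to close Telnet and the middleware management page. This Python check is an added example, not part of the original notes: it parses `ss -lntp`-style output and flags ports that must be closed and internal-only ports bound to every interface. The port policy and the sample socket table are constructed assumptions.

```python
"""Audit listening sockets for exposure on all interfaces."""
import re
from typing import List, NamedTuple

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
# Assumed policy for this example: ports to close outright, and ports
# that may only listen on loopback or a specific internal address.
CLOSE_PORTS = {23: "telnet"}
INTERNAL_ONLY_PORTS = {5672: "amqp", 8161: "activemq-console", 9000: "app-internal"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')

class Listener(NamedTuple):
    addr: str
    port: int
    proc: str

def parse_ss_output(text: str) -> List[Listener]:
    """Parse LISTEN rows of `ss -lntp` output; header and other rows are skipped."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # handles [::]:23 and *:8161
        m = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners

def audit_listeners(listeners: List[Listener]) -> List[str]:
    """Return one finding per risky socket; a clean host yields an empty list."""
    findings = []
    for lst in listeners:
        if lst.port in CLOSE_PORTS:
            findings.append(f"CLOSE: {CLOSE_PORTS[lst.port]} port {lst.port} is open ({lst.proc})")
        elif lst.port in INTERNAL_ONLY_PORTS and lst.addr in WILDCARD_ADDRS:
            findings.append(f"EXPOSED: {INTERNAL_ONLY_PORTS[lst.port]} port {lst.port} "
                            f"listens on {lst.addr} ({lst.proc})")
    return findings

# Constructed sample in `ss -lntp` layout (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5672     0.0.0.0:*         users:(("beam.smp",pid=1201,fd=20))
LISTEN 0      4096   *:8161             *:*               users:(("java",pid=1300,fd=45))
LISTEN 0      128    [::]:23            [::]:*            users:(("inetd",pid=410,fd=5))
LISTEN 0      128    10.1.2.3:9000      0.0.0.0:*         users:(("app",pid=2000,fd=9))
"""

if __name__ == "__main__":
    for finding in audit_listeners(parse_ss_output(SAMPLE_SS)):
        print(finding)
```

On a live host feed the function the real output, e.g. `audit_listeners(parse_ss_output(subprocess.run(["ss", "-lntp"], capture_output=True, text=True).stdout))`.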

