App Security Test Beginner

Source: Internet
Author: User
Tags: sqlite, database, knowledge base

Analysis methods:
Static analysis
Static analysis tools such as Apktool, dex2jar, JD-GUI and smali2dex are used to decompile the application, and the recovered Java files, XML files and other files are then scanned statically.
Using static methods such as keyword search, code with potential security weaknesses is extracted and recorded in the back end of the detection platform, which provides the data basis for the later security inspection report.
Dynamic analysis
Dynamic analysis monitors and analyses the behaviour of the application while it is being installed and run. Two detection modes are used: the sandbox mode and the virtual machine mode.
(1) Sandbox mode: a secure sandbox is built so that the mobile application executes in a closed environment that is not affected by anything outside the sandbox; combining this with the theory and research behind traditional PC sandboxes yields a sandbox model suited to the mobile phone.
(2) Virtual machine mode: a virtual execution environment almost identical to the operating environment of Android mobile terminal software is built, the application runs in it independently, its execution and dynamic behaviour are observed from outside, and any malicious behaviour the application shows is recorded.

Manual analysis
In manual analysis a professional security engineer receives the application submitted by the user, first installs, runs and tries it out, gradually grasps the characteristics of the application during that trial, and then uses professional experience to decide where the detection should focus.
Manual professional testing covers all the test items of basic detection and deep detection while taking that focus into account, giving a tailor-made testing service that is more comprehensive, more professional and better fitted to the application.

Primary test points:
1. User privacy
    • Check whether the user password is saved locally, and whether it is encrypted
    • Check whether sensitive private information such as chat history, relationship chains and bank accounts is encrypted
    • Check whether system files and configuration files are saved to external storage in plaintext
    • Information that has to be stored on external storage must be checked for tampering before each use

2. File permissions

    • Check the directory where the app resides; its permissions must not allow other group members to read and write

3. Network communication

    • Check whether sensitive information is encrypted in network transmission; important data must use TLS or SSL

4. Runtime interpretation protection

    • For software with an embedded interpreter, check for XSS and SQL injection vulnerabilities
    • For apps that use WebView, check for URL spoofing vulnerabilities

5. Android component permission protection

    • Prevent the app's internal components from being called by arbitrary third-party programs
    • If a component must be callable externally, check whether callers are restricted by signature

6. Upgrade

    • Check whether the integrity and legitimacy of the upgrade package is verified, to prevent the upgrade package from being hijacked

7. Third-party libraries

    • If third-party libraries are used, their updates need to be followed


Primary test methods:

1. Interface test:

The application under test is a networked Android application that wraps a series of web application interfaces, so in practice the test is no different from regular web security testing.

Because real-world WiFi environments are insecure, a mobile app that calls a web interface over plaintext HTTP while carrying sensitive user information, including the user name, password, Weibo GSID and so on, will cause serious information disclosure.

2. Component testing:

Android component testing involves some knowledge of APK disassembly. The tools I mainly use are Xiaomi apk change and Drozer; decompiling an APK with these two small tools is very convenient. The components covered by our security test include WebView

and the four Android components: Activity, Service, Broadcast Receiver and Content Provider.

  WebView is tested with the method published in the cloud repository: decompile the APK file into Smali assembly with Xiaomi apk change or Apktool, then search for addJavascriptInterface to find the exported interface to test. Under normal circumstances

you can use the black-box test method directly, which has the app access the black-box test page; typical WebView vulnerability details can also be found in the cloud knowledge base.

  The four components can be tested with Drozer. Drozer enumerates the APK's components from the declarations in AndroidManifest.xml, so the enumeration is not fully comprehensive; for components created dynamically in the program code

you still need to decompile and read the Smali code, or restore the Smali to Java. Of course, the restored Java is generated automatically by JD-GUI from the Smali, so it differs somewhat from the original source.
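As an added example (not from the original article), the following Python script performs the same manifest-based enumeration Drozer does and flags declared components that are exported without a permission restriction; the sample manifest is constructed here from the receiver and provider declarations this article examines, and the .SafeReceiver, .SyncService and com.baidu.permission.INTERNAL names are made up for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the receiver and provider declarations are the ones this
# article examines; .SafeReceiver, .SyncService and the INTERNAL permission are
# made-up entries added for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.baidu.searchbox">
  <application>
    <receiver android:name=".story.DownloadStoryReceiver" android:exported="true"/>
    <provider android:name=".bookmark.BookmarkProvider"
        android:writePermission="com.baidu.permission.write_bookmark"
        android:exported="true" android:authorities="baidusearch_bookmark"/>
    <receiver android:name=".SafeReceiver" android:exported="true"
        android:permission="com.baidu.permission.INTERNAL"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def android_attr(el, name):
    """Read an android:-namespaced attribute (android:exported etc.)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Return (component, kind, finding) for every declared component that other
    apps can reach without a permission check. Like Drozer, this only sees
    components declared in the manifest, not ones created in code."""
    root = ET.fromstring(xml_text)
    findings = []
    for kind in ("activity", "service", "receiver", "provider"):
        for el in root.iter(kind):
            exported = android_attr(el, "exported")
            # Explicitly exported, or implicitly exported because an
            # <intent-filter> is declared and android:exported is left unset.
            implicit = exported is None and el.find("intent-filter") is not None
            if exported != "true" and not implicit:
                continue
            name = android_attr(el, "name")
            if kind == "provider":
                # A provider guarded only by writePermission is still readable.
                if android_attr(el, "permission") is None and android_attr(el, "readPermission") is None:
                    findings.append((name, kind, "exported provider readable without a permission"))
            elif android_attr(el, "permission") is None:
                findings.append((name, kind, "exported without android:permission"))
    return findings

if __name__ == "__main__":
    for name, kind, finding in audit_manifest(SAMPLE_MANIFEST):
        print("%s %s: %s" % (kind, name, finding))
```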

3. Testing a Broadcast Receiver:

First look at the receiver components used by the Baidu mobile app, as follows:

The receiver component here is com.baidu.searchbox.story.DownloadStoryReceiver. It is listed mainly because AndroidManifest.xml contains the following declaration:

    <receiver android:name=".story.DownloadStoryReceiver" android:exported="true">

android:exported="true" means the receiver can receive broadcasts from outside the app. Since it appears to perform a download, follow this class and look at its onReceive handler; viewing the restored Java code directly gives the following fragment:

    public void onReceive(Context paramContext, Intent paramIntent) {
        this.b = paramContext;
        this.d = paramIntent.getStringExtra("download_url");
        this.c = paramIntent.getStringExtra("display_url");
        if (TextUtils.isEmpty(this.d) || TextUtils.isEmpty(this.c)) {
            if (g) Log.e(h, "Invalid param! download_url or display_url cannot be empty.");
            return;
        }
        String str1 = paramIntent.getStringExtra("filename");
        // the header object's constructor was not recovered by the decompiler
        this.f = ("content-disposition", "attachment; filename=\"" + str1 + "\"");
        ...

So you can send the broadcast test directly:

Then you can see that the Baidu mobile app jumps to the address http://tea504.sinaapp.com, downloads the xss.js file from http://tea504.sinaapp.com/xss.js in the background, and saves it locally as test.xxx

4. Testing a Content Provider:

Content providers are responsible for data storage and use the SQLite database, so SQL injection is common, and a provider that can be called from outside is generally very dangerous. AndroidManifest.xml contains the following declaration:

    <provider android:name=".bookmark.BookmarkProvider" android:writePermission="com.baidu.permission.write_bookmark" android:exported="true" android:authorities="baidusearch_bookmark"/>

Again android:exported="true", and only the writePermission is restricted, so a malicious app can still read the information in this database. The baidusearch_bookmark records are the user's browsing history and bookmarks, as follows:

This is the data from the /data/data/com.baidu.searchbox/databases/searchbox.db database on my phone.

You can then access this URI to test retrieving the data, as follows:

When the first SQL statement is written incorrectly, an error is reported; the second attempt queries successfully.

Of course, for this kind of component security test you need to use a malicious app to attack.
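To show why an exported provider backed by SQLite is dangerous, the following added Python example (not from the article) simulates a provider query that splices the bookmark id taken from the URI into its SQL, beside a hardened version that validates and binds the value; the bookmark table and rows are constructed here as a stand-in for searchbox.db.

```python
import sqlite3

def make_db():
    """Constructed stand-in for searchbox.db: a bookmark table with a few rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookmark (_id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
    db.executemany("INSERT INTO bookmark VALUES (?, ?, ?)", [
        (1, "news", "https://example.com/news"),
        (2, "mail", "https://example.com/mail"),
        (3, "bank", "https://example.com/bank"),
    ])
    return db

def query_vulnerable(db, bookmark_id):
    """Mirrors a provider query() that splices the URI's last path segment
    (the bookmark id) straight into the WHERE clause."""
    sql = "SELECT _id, title, url FROM bookmark WHERE _id = " + bookmark_id
    return db.execute(sql).fetchall()

def query_hardened(db, bookmark_id):
    """Same lookup, but the segment must be a plain integer and is bound as a
    parameter, so the input can never change the structure of the statement."""
    if not bookmark_id.isdigit():
        raise ValueError("bookmark id must be numeric")
    sql = "SELECT _id, title, url FROM bookmark WHERE _id = ?"
    return db.execute(sql, (int(bookmark_id),)).fetchall()

def probe(query_fn, db, bookmark_id):
    """Classify one test input the way the black-box test in the article does:
    a malformed statement surfaces as an SQL error, a valid one returns rows."""
    try:
        return "rows=%d" % len(query_fn(db, bookmark_id))
    except sqlite3.OperationalError:
        return "sql-error"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    db = make_db()
    for fn in (query_vulnerable, query_hardened):
        for segment in ("2", "1'", "1 OR 1=1"):
            print("%-16s %-10r -> %s" % (fn.__name__, segment, probe(fn, db, segment)))
```

The SQL error on the malformed input is the same symptom the article reports from its first query, and the difference between the two functions on the third input is the whole of the provider's exposure.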
