App Security Testing Overview

Directory

First, the installation package test

1.1, about the anti-compilation

1.2, about the signature

1.3. Integrity Check

1.4. Permission setting check

Second, sensitive information testing

Third, soft keyboard hijacking

Iv. Security of Accounts

V. Data Communication Security

VI. Component Safety Testing

Seven, the service side interface test

First, the installation package test

1.1, about the anti-compilation

The aim is to protect the company's intellectual property and security concerns, and some program developers will hard code some sensitive information, such as passwords, in the source code. And if the program inside some poorly designed logic, may also be hidden loopholes, once the source code leaks, security risks huge.

In order to avoid these problems, in addition to code audit, usually developed is to confuse the code, confusing source code through the anti-software generated code is very difficult to read, in the test, we can directly use the Anti-compilation tool (Dex2jar and Jd-gui tools) to view the source code, to determine whether the code confusion, Including the obvious sensitive information.

1.2, about the signature

iOS doesn't have to be considered, as app Stroe will be verified. However, Android does not have such authoritative checks, we have to check the signature before publishing the correct key is used to prevent malicious third-party applications to overwrite the installation and so on. You can use the following command to check:

Jarsigner-verify-verbose-certs APK Package Path

If the result is "jar verified", the signature checksum is successful.

1.3. Integrity Check

To ensure that the installation package does not occur during the completion of the test into the final delivery process due to the problem of the content of the file corruption, the installation package needs to be checked for integrity, the general practice is to check the MD5 value of the file, and generally can be verified by automation.

1.4. Permission setting check

The general user is sensitive to their privacy issues, so we need to check the need for certain permissions for the app, such as accessing the Address book. For the lack of necessary permissions, it is generally recommended to develop a direct support.

Android: Check the manifest file directly to read all the permissions required by the app, and verify that this permission is required in conjunction with the requirements. Changes to the manifest file also need to be focused and evaluated before new permissions are added.

iOS: There is no similar manifest file to view, iOS user rights only when users use the app to use the permissions, the system will not pop up the prompt box, prompting the user the current app needs to access photos, contact list and other components. We can scan the code to see what permission settings are in the project engineering. By searching for key class names, such as contacts, you typically need access to abaddressbookref, photos are Uiimagepickercontroller, and so on. If it is a pure black box test, you must overwrite all code paths to ensure that there are no omissions, or you can use code coverage tests to determine whether to overwrite.

Second, sensitive information testing

Whether the database stores sensitive information, some applications will keep the cookie class data in the database, once this data is acquired by others, may cause the user account is compromised and other serious problems, in the test after running a test case containing database operations, we can directly view the data in the database, Observe if sensitive information is stored. In general, these sensitive information needs to be removed by the user after the logoff operation. If it is a cookie class data, it is recommended to set a reasonable expiration time.

The log is sensitive information, general development in the process of writing a program will be added log help height, all may write some sensitive information, usually the app's release version will not use the log, but also do not exclude special circumstances.

The configuration file has sensitive information, similar to the log, and we need to check whether the configuration file contains sensitive information.

Third, soft keyboard hijacking

If the user installed a third-party keyboard, there may be hijacking situation, we can do in some particularly sensitive input places to check, such as the Financial app login interface user name password input box, to see if support for third-party input method, generally recommended to use the soft keyboard in the application.

Iv. Security of Accounts

4.1, the password is stored in the background database, in the review and testing need to pay attention to the storage of passwords.

4.2, password transmission is encrypted, testing we need to see if the password is transmitted in plaintext, if it is an HTTP interface, we can use tools such as Fiddler to view directly.

4.3. Account lockout policy. If the user enters the wrong password too many times, whether the account will be temporarily locked, to avoid being violently cracked,

4.4. Simultaneous session status. Some apps have a notification function for simultaneous sessions so that at least the user's knowledge of his account may have been compromised. To some extent, the user experience can be waived.

4.5, the cancellation mechanism. After the client logs out, we need to verify that any interface calls from that user that require authentication will not succeed.

V. Data Communication Security

5.1, whether the key data is hashed or encrypted. Passwords must be encrypted in transit, and other sensitive information needs to be hashed or encrypted before they are transmitted, so as to avoid being exploited by intermediate nodes.

5.2. Whether the critical connection uses secure communication, such as HTTPS. After knowing the interface design we need to evaluate whether the content contains sensitive information, and if secure communication is not used, we need to know to develop the modifications.

5.3, whether to verify the legitimacy of the digital certificate. Even with secure communications, such as HTTPS, we need to validate server-side certificates in client code. The Fiddler tool can be used to simulate a man-in-the-middle attack method. There is a security risk if the client can invoke the Fiddler certificate without checking it properly.

5.4, whether to verify the legitimacy of the data. In some cases, we need to have a way to ensure that plaintext data issued by the server is not tampered with. Usually the development side is implemented by digitally signing the data and verifying it on the client . We can simulate back-office return for relevant testing work. In addition, for other interfaces where the client does not perform data validation, we also need to consciously think about whether it will cause problems if the checksum is not performed and return the validation by simulating the background.

VI. Component Safety Testing

This mainly refers to whether the various components of the Android platform can be externally applied malicious calls resulting in a number of security issues. Includes activity, Service, ContentProvider, broadcast, and so on. The test method used is to view the official documentation by using the Drozer tool in conjunction with the way you view the code.

Seven, the service side interface test

Focuses on whether the server interface has the following issues

7.1. SQL injection

7.2. XSS Cross-site scripting attack

7.3, CSRF Cross-site request forgery

7.4. Unauthorized access

In addition to the above service-side issues, we also need the actual requirements, design and code, to analyze whether the requirements or design itself will bring security issues.

For example: For a shopping application, the process of placing a single place consists of two interfaces, and interface a returns the order details, which includes the order number and the total price of the amount. After calling interface A, the user sees an order page on the client. After the user clicks on the commit to call interface B, the client passes the parameter of interface B to the order number and the total price returned by interface A, the backstage of interface B is deducted from the user's account according to the total amount passed to interface B, and the payment is made according to the order number when the debit is successful.

What's wrong with this design? That is, interface B fully trusts the total amount of incoming money from the client without verifying it. Malicious users can call interface B directly, passing in forged amounts and real order numbers, so they can shop at a cheap price.

Appendix

1. Software permissions

1) The risk of deduction: including text messages, telephone calls, network connections and so on.

2) Privacy disclosure risk: including access to mobile phone information, access to contact information and so on.

3) Check the input validity of the app, authentication, authorization, data encryption, etc.

4) Restrict/allow access to the Internet using mobile phone function

5) Restrict/allow use of mobile phone to send receive information function

6) Restrict or use local connections

7) Restrict/allow use of mobile phone photo or recording

8) Restrict/allow use of mobile phone to read user data

9) Restrict/allow use of phone to write user data

10) Restrict/Allow application to register auto-start Application

2. Data security

1) When a password or other sensitive data is entered into the application, it is not stored in the device and the password is not decoded.

2) The password entered will not be displayed in clear text.

3) Passwords, credit card details, or other sensitive data will not be stored in their pre-entered locations.

4) The individual ID or password length of the different applications must be at least between 4-8 digit lengths.

5) When the application processes credit card details or other sensitive data, the data is not written in clear text to other separate files or temporary files. To prevent an application from terminating unexpectedly without deleting its temporary files, the file may be attacked by the intruder and then read the data information.

6) Party building sensitive data is not stored in the device when it is entered into the application.

7) Applications should consider either user-prompted information or security warnings generated by the virtual machine

8) The application should not ignore user prompts or security warnings generated by the system or virtual machine, nor can it deceive the user by displaying misleading information before the security warning is displayed, and the application should not impersonate a security warning to mislead the user.

9) Before the data is deleted, the application should notify the user or the application to provide a "cancel" command operation.

10) The application should be able to handle situations where the application software is not allowed to connect to personal information management.

11) When you perform a read or write user information operation, the application will send the user an error message.

12) Do not damage the deletion of any content in the personal information management application without the user's explicit permission.

13) If important data in the database is being rewritten, the user should be notified in time.

14) can reasonably deal with the errors that occur.

15) Unexpected circumstances should prompt the user.

3. Communication security

1) in the process of running the software, if there is a call, SMS, Bluetooth and other communications or charging, whether it can suspend the program, the priority of processing communications, and after the processing is completed to resume the software normally, continue its original function.

2) When the connection is established, the application can handle the interruption of the connection due to the interruption of the network connection.

3) should be able to handle communication delay or interruption.

4) The application will remain working until the communication expires, giving the user an error message indicating that there is a link error.

5) should be able to deal with network anomalies and timely notify users of anomalies.

6) The application shuts down when the network connection is no longer in use should be closed and disconnected.

4. Human-machine Interface safety test

1) The return menu should always remain available.

2) command has priority order.

3) Sound settings do not affect the ability to use the program.

4) The application must be able to handle unpredictable user actions, such as wrong actions and pressing multiple keys at the same time.

App Security Testing Overview