App Security Testing

1. Install package test

(1) Ability to decompile code (source code leak problem):

Development: Confusing code; testing: Using the Anti-compilation tool to view the source code, whether code confusion, including the obvious sensitive information

(2) Whether the installation package is signed (iOS heavy app has a formal release certificate signature, do not have to consider): need to verify before publishing that the key used by the signature is correct, in case of malicious third-party application overwrite the installation

(3) Integrity check: Checking the MD5 value of the file

(4) Permission setting check (Add new permission needs to be evaluated): Android Check all permissions required for manifest file read app

2. Sensitive information Testing

(1) Whether the database stores sensitive information: it is necessary to understand the meaning of each database field and evaluate the possible security problems; After running a test case that contains database operations, we can view the data in the database directly and see if any sensitive information needs to be deleted after the user has logged off the operation. If the division is a cookie data, it is recommended to set a reasonable expiration time.

(2) Whether there is sensitive information in the log: If a log app is included in the release version, the test needs to focus on whether the log contains sensitive information.

(3) Whether the configuration file has sensitive information (similar to the log)

3. Soft keyboard Hijacking: The User name password entry box of the Financial app login interface to see if the input supports third-party IME. For very sensitive inputs, it is generally advisable to use the soft keyboard in the app or at least provide the user with this option;

4. Account security (user account security)

(1) Whether the password is stored in plaintext: in the background database: In the review and testing need to focus on password storage

(2) Password transmission is encrypted: need to see if the password is transmitted in plaintext

(3) Account lockout policy: For the user to enter the wrong password too many times, some applications will be temporarily locked, the background of the number of times per account limit may cause all accounts are locked by the policy.

(4) Simultaneous session: The app will have notification function for simultaneous session;

(5) Logoff mechanism: After the client logs off, it is necessary to verify that any interface calls from that user's authentication cannot be invoked successfully

5. Data Communication Security

(1) Key data is hashed or encrypted: sensitive information needs to be hashed or encrypted before it is transmitted.

(2) Whether a critical connection uses secure communication: After learning about the interface design, you need to evaluate whether the content contains sensitive information.

(3) whether to verify the legitimacy of digital certificate: Fiddle tool simulates man-in-the-middle attack method

(4) Verifying data legality

Development: Digitally sign data and correlate checks on the client

Test: Can simulate back-end to perform related testing work

(5) Component Safety Test (Android is maliciously invoked by external application) test: Drozer Tool

6. Environment-related tests

(1) Interference test: A received phone B received a text message (consider whether the notification bar message overlay information on the interface) C received the notification bar message D no power low battery alert box pop-up e third-party security software alarm box Popup

(2) Permission test: Development provides a list of required permissions at the time of the survey

(3) Boundary condition: A available storage space too little b no SD card/dual SD card C flight Mode D system time is wrong e third party dependent

App Security Test