How to perform black box testing for mobile apps

Source: Internet
Author: User
Tags: test, web server

The technologies used to build most mobile applications expose local devices and the enterprise to different risks, so software testing and evaluation are required before deployment. This article discusses black box testing techniques and strategies.

Web-based mobile application vulnerability identification and exploitation

When evaluating Web-based mobile applications, evaluators should perform tests both as anonymous users and with the privileges of several authenticated user roles. Because Web-based applications are accessed over the Internet, the test team can use traditional PC browsers and standard application security assessment tools. During the evaluation, Web servers should be scanned to identify infrastructure-level vulnerabilities, and the scan results should be used to identify common application problems. Evaluators should also use manual techniques to fully exercise the identified vulnerabilities and to test the authorization defects and business-logic flaws that automated tools often miss; this is especially important. In addition, enterprises should perform a "non-intrusive" analysis of the site: mirror the entire site and review the content, then inspect the client-side code for vulnerabilities. Using the inputs gathered during the analysis phase, purpose-built tools should dynamically test the Web server components for common Web server and Web application vulnerabilities such as SQL injection, cross-site scripting and cross-site request forgery, and commercial vulnerability scanners should be used as well. Once a vulnerability is confirmed, the tester should attempt to exploit it. Other issues to look for include insecure cookie handling, authentication bypass, form spoofing, URL protocol handling, location-based services, sensitive information leakage and application logic spoofing.

At the end of the black box test, a vulnerability assessment should be performed and each vulnerability rated according to the risk it poses.

Device-based mobile application testing environment

Applications developed for mobile devices bring testing challenges that traditional applications do not have. For example, a mobile device offers only limited direct access to low-level processes and exception logs, and mobile devices let applications interact with GPS, cameras, Bluetooth, WAP and other technologies not available on a traditional PC. To address these difficulties, enterprises should use the following two testing methods:

Simulator testing: each platform provides developers with an application development SDK, which also includes simulators for testing and debugging different types of devices. These tools let testers analyze and test applications across various configurations and devices without being limited by physical hardware. One advantage of simulator testing is that code can run in the simulator without being signed by a trusted party.

Physical device testing: a physical device provides a number of features not available in a simulator, such as SMS, GPS, camera and Bluetooth. However, the underlying operating system and application signing requirements place certain restrictions on such tests.

Device-based mobile application vulnerability validation

Depending on the features of the mobile application, the tester should perform one or both kinds of tests, in the simulator or on a physical device provided by the client. During the test, the tester should confirm the application's functions and exercise any internal logic controls and external connections. Because mobile applications differ in many ways, the following steps should be used to test each application:

1. Application functionality: the application should be manually inspected to verify its functionality and how it accesses different components. The evaluation team should focus on identifying external network connections, data storage, user input and permission issues.

2. Monitoring connections: mobile apps connect to external sources in many ways. Testers should use proxy tools and network sniffers to monitor each request and response, and record the traffic for later analysis. If the application uses Bluetooth or other connections, the development team should pair the mobile device with a server to capture the traffic.

3. Data handling: because of how the application is used, data may reside in several different locations, and users or unauthorized parties may reach sensitive information or the application in various ways. The evaluation should determine where sensitive information is generated and analyze how data is protected in each of the following cases: user input submitted to the application through user interaction; input the application reads from files; files generated during normal use of the application; application logs generated by exceptional conditions in the program; caching mechanisms of the application and device (which may place sensitive data in unexpected or improper locations); and data obtained from external servers over network connections.

4. Decompilation: wherever conditions permit, the application should be decompiled. The purpose is to look for dangerous methods that could expose the application to exploitation and to check for buffer overflow problems. Although many mobile platforms are Java-based, their compilers are not compatible with traditional security tools. Today many platforms have their own decompilers, such as BlackBerry and Android, and Apple also provides one. These tools allow in-depth analysis of application logic and limited static code analysis.

5. Encryption: check that the encryption mechanism protects data at rest and data in transit at all times from access by unauthorized personnel. The tester should check the encryption of communication between the mobile device and any network server, check whether the application saves files to the device, and check whether files are transferred during the backup process.

Exploitation of device-based mobile application vulnerabilities

Using the information collected during the vulnerability validation phase, testers should try to exploit the identified vulnerabilities through the following steps:

1. Authentication and session management: because of usability constraints, mobile applications use many new authentication techniques, such as a clear mode, to reduce password complexity. To test whether authentication controls can be bypassed or other users' data can be accessed, testers should test the mobile app's authentication mechanism. After authenticating, the tester should examine the application's session management: by observing how the application tracks and records users, testers can assess whether sessions can be replayed or redirected to another user's session.

2. Authorization: permissions for authorized devices should be defined explicitly; such controls prevent a device from further accessing other devices or their functions. Within the application, testers should also check whether ordinary users without the relevant permission can reach certain functions.

3. Input validation: identify the application's input fields and observe the output. The security evaluation determines whether client-side JavaScript can be injected and executed in other users' browsers for a given application; such a flaw would let a user capture other users' session secrets or their application username and password.

4. Data storage: many applications collect user usage data, and such data may unduly intrude on user privacy. Testers should examine this data to determine which data the application collects and stores and how it is accessed, and test whether unauthorized users or third parties can access it.

5. Risk analysis: at the end of mobile black box testing, testers should assess the harm each risk poses to the enterprise.

This article has described the basic points of black box testing. If developers keep the principle of security first in mind during development, follow development best practices, and actively check for and correct errors and test repeatedly before releasing the software, the burden on testers will be greatly reduced.
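As an added example (not part of the original article), the following Python script applies several of the checks from the connection-monitoring, encryption and session-management steps to a constructed proxy capture: it flags cleartext transport, credentials or tokens carried in URL query strings, session cookies set without Secure/HttpOnly, and a session identifier that is not rotated at login. The capture contents, host name and login paths are assumed sample values.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed (method, url, request headers, response headers) tuples as a proxy would log them; not real traffic.
SAMPLE_CAPTURE = [
    ("POST", "http://api.example.test/login?user=alice&password=hunter2",
     {"Cookie": "SID=pre-auth-1"}, {"Set-Cookie": "SID=pre-auth-1; Path=/"}),
    ("GET", "https://api.example.test/profile",
     {"Cookie": "SID=pre-auth-1"}, {"Set-Cookie": "SID=pre-auth-1; Path=/; Secure; HttpOnly"}),
    ("GET", "https://api.example.test/items", {}, {}),
]

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "sessionid", "apikey"}
LOGIN_PATHS = {"/login", "/signin", "/auth"}  # assumed path names for the app under test

def parse_cookie_header(value: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; an empty header yields {}."""
    pairs = (p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def parse_set_cookie(value: str) -> Tuple[str, str, Set[str]]:
    """Return (name, value, lowercase attribute names) of one Set-Cookie header."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    return name, val, {a.split("=", 1)[0].lower() for a in rest}

def analyze_capture(capture) -> List[str]:
    """Flag transport, URL, cookie-attribute and session-rotation weaknesses."""
    findings: List[str] = []
    for method, url, req_h, resp_h in capture:
        u = urlparse(url)
        if u.scheme != "https":  # data in transit without TLS
            findings.append(f"cleartext transport: {method} {u.netloc}{u.path}")
        for param in parse_qs(u.query):  # secrets in URLs end up in logs and history
            if param.lower() in SENSITIVE_PARAMS:
                findings.append(f"sensitive parameter in URL: {param} on {u.path}")
        if "Set-Cookie" not in resp_h:
            continue
        name, val, attrs = parse_set_cookie(resp_h["Set-Cookie"])
        missing = {"secure", "httponly"} - attrs
        if missing:
            findings.append(f"cookie {name} missing {sorted(missing)} on {u.path}")
        sent = parse_cookie_header(req_h.get("Cookie", ""))
        if u.path in LOGIN_PATHS and sent.get(name) == val:  # same id before and after login
            findings.append(f"session cookie {name} not rotated after login")
    return findings

if __name__ == "__main__":
    for f in analyze_capture(SAMPLE_CAPTURE):
        print("FINDING:", f)
```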
