What do you think about the security testing of mobile apps?



With the growth of the Internet and the prevalence of mobile apps, I recently looked into security testing for mobile apps. At present, mobile app testing still focuses mainly on finding functional bugs: the main activities are server interface testing, client functional coverage, and automated performance, compatibility and stress testing. There seems to be no comprehensive, unified standard for app security testing. Security flaws are in fact also bugs, but they are more hidden and harder to find, especially in mobile apps.

This is especially true for apps whose main body is a WebView, so let's briefly discuss them. From the perspective of intrusion or attack, the hidden dangers lie in HTTP packet capture and reverse engineering.
  
At present most apps still use HTTP or HTTPS, so it is necessary to prevent users' information and the system's own vulnerabilities from being exposed through HTTP packet capture. Note that information the client does not display is not necessarily information the server did not send; much of it is merely hidden by client-side restrictions, and by capturing packets one can view the full data of unfamiliar users. Another example is the large number of posts and push messages that apps handle: if the validity of a message is not verified and the message is tampered with after capture, the server does not react at all, which leaves a great hidden danger. Reverse engineering is easy to understand for Android: decompile the app, then modify it or insert your own code to achieve the desired effect.
  
So what does a security testing strategy look like?

For user privacy, check whether user passwords are saved locally and, if so, whether they are encrypted; check whether sensitive private information such as chat records, relationship chains and bank accounts is encrypted; check whether system files and configuration files are saved in plaintext on external storage. For the portion of information that must be stored on external storage, determine whether it has been tampered with before each use.

For file permissions, check the directory where the app is located; its permissions must not allow other group members to read or write it.

For network transmission, check whether sensitive information is encrypted in transit, and use TLS or SSL for important data. HTTP requests are plaintext by default; if the security verification and encryption mechanisms are weak, requests are easy to guess and replay through network sniffing and scanning, and they may also be open to injection.
  
For runtime interpreter protection, for software with an embedded interpreter, check for XSS and SQL injection vulnerabilities; for apps that use WebView, check for URL spoofing vulnerabilities.

For Android component permission protection, prohibit the app's internal components from being called by any third-party program. If components must be exposed for external invocation, check whether the caller is restricted by signature.
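A check for the component rule above, added here as an example (not code from the original post): the script parses a decoded AndroidManifest.xml, such as apktool produces, and lists exported activities, services, receivers and providers that are not guarded by a permission declared with protectionLevel signature. The sample manifest, package name and permission name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded manifest; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <permission android:name="com.example.bank.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.INTERNAL"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.bank.PUSH"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.bank"
              android:exported="true" android:readPermission="com.example.bank.INTERNAL"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(comp):
    """Android default when android:exported is missing: exported if an <intent-filter> exists, except providers."""
    exported = attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    return comp.tag != "provider" and comp.find("intent-filter") is not None

def find_open_components(manifest_xml):
    """Return (tag, name) pairs of exported components that any third-party app can call."""
    root = ET.fromstring(manifest_xml)
    sig_perms = {attr(p, "name") for p in root.iter("permission")
                 if (attr(p, "protectionLevel") or "").startswith("signature")}
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            perm, rperm, wperm = (attr(comp, a) for a in ("permission", "readPermission", "writePermission"))
            # android:permission guards all access; a provider may instead guard reads and writes separately
            guarded = perm in sig_perms or (tag == "provider" and rperm in sig_perms and wperm in sig_perms)
            if is_exported(comp) and not guarded:
                findings.append((tag, attr(comp, "name")))
    return findings
```

Running find_open_components(SAMPLE_MANIFEST) flags the receiver that is exported only by virtue of its intent filter and the provider whose writes are unguarded, while the signature-protected service passes.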

For iterative upgrades, check whether the integrity and validity of the upgrade package are verified, to avoid the upgrade package being hijacked.

For interface interception, root privileges can be obtained through adb shell commands or third-party software, the private information entered by the user can be intercepted on the phone's interface, and malicious actions are then performed.

Security testing is an important part of current mobile app testing, especially for apps whose user accounts require high confidentiality; these account for a large proportion of mobile game testing and financial app testing.
