Android app security performance test




1. Installation package test

(1) Whether the code can be decompiled (source code leakage):

Development: obfuscate the code. Test: use a decompilation tool to view the source code and check whether obfuscation has been applied and whether obvious sensitive information is included.

(2) Whether the installation package is signed (iOS apps are signed with a formal release certificate, so this does not need to be considered there): verify before release that the key used for the signature is correct, to prevent the app from being overwritten and installed by a malicious third-party application.

(3) Integrity verification test: check the MD5 value of the file.

(4) Permission setting check (newly added permissions need to be evaluated): on Android, read the application's manifest file and check all the permissions it requires.

2. Sensitive information test

(1) Whether the database stores sensitive information: understand the meaning of each database field and evaluate the possible security issues; after running a test case that involves database operations, view the data in the database directly to see whether there is any sensitive information that should be deleted after the user logs out, such as cookie data, for which a reasonable expiration time is recommended.

(2) Whether there is sensitive information in the log: if the release build still produces logs, check during testing whether the logs contain sensitive information.

(3) Whether there is sensitive information in the configuration files (same approach as for the log).
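As an added example (not part of the original post), the log and configuration checks in items (2) and (3) can be automated with a small scanner over captured logcat output. The sample lines below are constructed for illustration; the patterns and the Luhn filter, which keeps long numeric IDs from being reported as card numbers, are assumptions about what counts as sensitive.

```python
import re
from typing import Dict, List

# Constructed sample of logcat output (not captured from a real device).
SAMPLE_LOGCAT = """\
03-01 10:02:11.123  1234  1234 D LoginActivity: submitting form user=alice password=Hunter2!
03-01 10:02:11.456  1234  1301 I OkHttp: --> POST https://api.example.test/login
03-01 10:02:11.457  1234  1301 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcDEF
03-01 10:02:12.001  1234  1301 D PaymentRepo: saved card 4111111111111111 exp 12/27
03-01 10:02:12.002  1234  1301 D PaymentRepo: order id 1234567812345678 created
03-01 10:02:12.050  1234  1234 V UiThread: rendering dashboard
"""

# Categories of sensitive data that should never reach a release log.
PATTERNS = {
    "password_in_log": re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.I),
    "bearer_token": re.compile(r"\bAuthorization:\s*Bearer\s+[A-Za-z0-9._\-]+", re.I),
    "session_cookie": re.compile(r"\b(Set-Cookie|Cookie):\s*\S+", re.I),
}
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_logcat(text: str) -> List[Dict[str, object]]:
    """Return one finding per matched category, with the 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "category": name, "match": m.group(0)})
        for m in CARD_CANDIDATE.finditer(line):
            if luhn_ok(m.group(0)):   # the order id on line 5 fails Luhn and is skipped
                findings.append({"line": lineno, "category": "card_number", "match": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']}: {f['category']}: {f['match']}")
```

The same function can be pointed at a dumped configuration file or shared-preferences XML, since it only works on text lines.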

3. Soft keyboard hijacking: in the user name and password input boxes on the login screen of a financial app, check whether the input accepts third-party input methods. For very sensitive input it is generally recommended to use an in-app soft keyboard, or at least to offer this option to users.

4. Account security (security of user accounts)

(1) Whether the password is stored in plaintext in the backend database: pay attention to how passwords are stored during review and testing.

(2) Whether the password is encrypted in transit: check whether the password is transmitted in clear text.

(3) Account lockout policy: if the user enters the wrong password too many times, some applications temporarily lock the account; note that a backend limit applied per account can be abused to lock all accounts.

(4) Simultaneous sessions: the application should have a notification function for simultaneous sessions.

(5) Logout mechanism: after the client logs out, verify that no interface call using the user's previous authentication can still succeed.

5. Data communication security

(1) Whether critical data is hashed or encrypted: sensitive information must be hashed or encrypted before transmission.

(2) Whether key connections use secure communication: after understanding the interface design, evaluate whether the transmitted content contains sensitive information.

(3) Whether the legality of the digital certificate is verified: use the Fiddler tool to simulate a man-in-the-middle attack.

(4) Whether the legality of the data is verified

Development: digitally sign the data and perform the relevant verification on the client side.

Test: simulate the backend response to carry out the related tests.

(5) Component security test (whether Android components can be maliciously invoked by external applications). Test: drozer tool.

6. Environment related test

(1) Interference test:

a. receive a phone call

b. receive a text message (consider whether the notification bar message covers information on the interface)

c. receive a notification bar message

d. out-of-power and low-battery prompt box pops up

e. third-party security software alert box pops up

(2) Permission test: development provides the list of required permissions for testing.

(3) Boundary situations:

a. available storage space is too low

b. no SD card / dual SD cards

c. airplane mode

d. system time is wrong

e. third-party dependencies
