The most overlooked questions in mobile app security testing



1. Software permissions 
1) Fee-deduction (charging) risk: including sending text messages, making phone calls, connecting to the Internet, etc.
2) Privacy leakage risk: including accessing mobile phone information, accessing contact information, etc.
3) Input validity verification, authentication and authorization for the App, sensitive data storage, data encryption, etc.
4) Restrict/allow the use of mobile phone functions to access the Internet
5) Restrict/allow the use of mobile phone functions to send and receive messages
6) Restrict/allow applications to register themselves and start automatically
7) Restrict/allow the use of local connections
8) Restrict/allow using the mobile phone to take photos or record
9) Restrict/allow using the mobile phone to read user data
10) Restrict/allow using the mobile phone to write user data
11) Check the App's user authorization level, data leakage, illegal authorized access, etc.
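The permission items above are checked most quickly from the app's declared permissions. The following Python script is an added example, not code from the original article: it reads the `<uses-permission>` entries of an Android manifest and groups them by the checklist categories above. The manifest text and the category table are constructed for illustration (the permission names are real Android ones, the table is not exhaustive); anything declared that the table does not know is flagged for manual review.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

# ElementTree keys namespaced attributes as "{uri}local".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Checklist category -> real Android permission names that grant that capability.
# The category labels follow the checklist above; the table is illustrative, not exhaustive.
PERMISSION_CATEGORIES: dict[str, set[str]] = {
    "fee-deduction risk (SMS / calls / Internet)": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
        "android.permission.INTERNET",
    },
    "privacy leakage risk (phone / contact info)": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_CONTACTS",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "send and receive messages": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "register and auto-start": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "local connections": {
        "android.permission.BLUETOOTH",
        "android.permission.BLUETOOTH_CONNECT",
        "android.permission.NFC",
    },
    "take photos or record": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
    "read user data": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.READ_CALENDAR",
    },
    "write user data": {
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.WRITE_CONTACTS",
    },
}

# Constructed sample manifest for a hypothetical app; not taken from any real project.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.example.CUSTOM_PERMISSION"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict[str, list[str]]:
    """Group declared permissions by checklist category; unknown ones are flagged for manual review."""
    findings: dict[str, list[str]] = defaultdict(list)
    for perm in declared_permissions(manifest_xml):
        categories = [c for c, members in PERMISSION_CATEGORIES.items() if perm in members]
        if not categories:
            categories = ["unclassified (review manually)"]
        for category in categories:
            findings[category].append(perm)
    # A declared permission is not the same as a granted one: on Android 6+ the dangerous
    # ones are requested at runtime, so the tester still has to exercise each feature.
    return {category: sorted(perms) for category, perms in sorted(findings.items())}


if __name__ == "__main__":
    for category, perms in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{category}:")
        for perm in perms:
            print(f"  - {perm}")
```

Run it against the manifest extracted from the build under test; every category that shows up is a feature the tester has to exercise with the permission both granted and denied (items 4 to 10), and the unclassified list is where custom or vendor permissions land.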

2. Installation and uninstallation security
1) The application should install correctly on the device
2) The application's icon can be found on the device after installation
3) Whether it contains digital signature information
4) All managed properties and their values contained in the JAD file and JAR package must be correct
5) The data shown from the JAD file should be consistent with the data displayed by the application
6) The installation path should be able to be specified
7) The application cannot be preset without the user's permission
8) Whether the uninstallation is safe, and whether all the files installed by it are removed
9) Uninstall should remove all files
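Items 3 to 5 are about the installer showing the user what the package actually contains. The Python check below is an added example, not code from the original article: it parses a JAD descriptor and the `META-INF/MANIFEST.MF` inside the JAR, requires the MIDlet name, vendor and version to agree, requires the declared `MIDlet-Jar-Size` to equal the real JAR size, and reports a suite whose JAD carries no signature attributes (`MIDlet-Jar-RSA-SHA1`, `MIDlet-Certificate-1-1`) as unsigned. The JAR and both JAD files are constructed fixtures; the signature values are placeholders.

```python
from __future__ import annotations

import io
import zipfile

# JAD attributes that must agree with the JAR's META-INF/MANIFEST.MF (MIDP).
REQUIRED_MATCH = ("MIDlet-Name", "MIDlet-Vendor", "MIDlet-Version")
# Attributes a signed MIDlet suite carries in its JAD (MIDP 2.0 signing).
SIGNATURE_ATTRS = ("MIDlet-Jar-RSA-SHA1", "MIDlet-Certificate-1-1")


def parse_attributes(text: str) -> dict[str, str]:
    """Parse 'Key: Value' lines as used by both JAD files and JAR manifests."""
    attrs: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def build_jar(manifest_attrs: dict[str, str]) -> bytes:
    """Build a minimal in-memory JAR (constructed test fixture, not a real MIDlet)."""
    manifest = "Manifest-Version: 1.0\n" + "".join(f"{k}: {v}\n" for k, v in manifest_attrs.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("Demo.class", b"\xca\xfe\xba\xbe")  # placeholder class-file bytes
    return buf.getvalue()


def check_jad_against_jar(jad_text: str, jar_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means the JAD and JAR are consistent and signed."""
    problems: list[str] = []
    jad = parse_attributes(jad_text)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))

    # Items 4/5: what the installer shows (from the JAD) must match what the JAR carries.
    for key in REQUIRED_MATCH:
        if jad.get(key) != manifest.get(key):
            problems.append(f"{key} mismatch: JAD={jad.get(key)!r} JAR={manifest.get(key)!r}")

    # The declared size must equal the real JAR size, otherwise the JAR was swapped or truncated.
    declared = jad.get("MIDlet-Jar-Size", "")
    if not declared.isdigit() or int(declared) != len(jar_bytes):
        problems.append(f"MIDlet-Jar-Size mismatch: JAD={declared!r} actual={len(jar_bytes)}")

    # Item 3: a suite without signature attributes installs as untrusted.
    missing = [attr for attr in SIGNATURE_ATTRS if attr not in jad]
    if missing:
        problems.append("no digital signature: missing " + ", ".join(missing))
    return problems


def make_jad(jar_bytes: bytes, version: str, signed: bool) -> str:
    """Constructed JAD text for the fixture JAR; signature values are placeholders."""
    lines = [
        "MIDlet-Name: Demo",
        "MIDlet-Vendor: Example Vendor",
        f"MIDlet-Version: {version}",
        "MIDlet-Jar-URL: Demo.jar",
        f"MIDlet-Jar-Size: {len(jar_bytes)}",
    ]
    if signed:
        lines.append("MIDlet-Jar-RSA-SHA1: <placeholder-signature>")
        lines.append("MIDlet-Certificate-1-1: <placeholder-certificate>")
    return "\n".join(lines) + "\n"


JAR = build_jar({"MIDlet-Name": "Demo", "MIDlet-Vendor": "Example Vendor", "MIDlet-Version": "1.0.0"})
CONSISTENT_JAD = make_jad(JAR, version="1.0.0", signed=True)
# A JAD edited after the JAR was built: wrong version, stale size, and no signature.
TAMPERED_JAD = make_jad(JAR, version="2.0.0", signed=False).replace(
    f"MIDlet-Jar-Size: {len(JAR)}", "MIDlet-Jar-Size: 1"
)

if __name__ == "__main__":
    print("consistent:", check_jad_against_jar(CONSISTENT_JAD, JAR) or "OK")
    print("tampered:", check_jad_against_jar(TAMPERED_JAD, JAR))
```

The size and signature checks are the ones that matter in the field: a JAD that points at a different JAR than the one it describes is exactly the swap an attacker on the download path would make, and a missing signature is what decides whether the device treats the suite as trusted.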

3. Data security
1) When a password or other sensitive data is entered into the application, it is not stored on the device, and the password cannot be decoded
2) Personal passwords entered are not displayed in clear text
3) Passwords, credit card details, or other sensitive data are not stored where they were pre-filled
4) Personal ID or password lengths for different applications must be between 4 and 8 digits long
5) When the application processes credit card details or other sensitive data, it does not write the data to other separate files or temporary files in clear text.
6) Prevent the application from terminating abnormally without removing its temporary files; otherwise those files may be attacked by intruders, who can then read the data in them.
7) When sensitive data is entered into the application, it is not stored on the device
8) Backups should be encrypted, and data recovery should consider abnormal communication interruption during the recovery process, etc. The data should be verified before being used again after recovery
9) The application program should take into account the user prompt information or security warnings generated by the system or virtual machine
10) The application program cannot ignore the user prompt information or security warnings generated by the system or virtual machine, let alone display misleading information before the security warning is shown in order to deceive the user; the application should not simulate a security warning to mislead the user
11) Before data deletion, the application should notify the user, or the application provides a "Cancel" command operation
12) The "Cancel" command operation performs its function as designed
13) The application should be able to handle the situation where the application software is not allowed to connect to the personal information management (PIM) application
14) When an error occurs while reading or writing user information, the application sends an error message to the user
15) Do not damage any content in the personal information management application without the explicit permission of the user
16) The application reads and writes data correctly.
17) The application should have exception protection.
18) If important data in the database is about to be overwritten, the user should be informed in time
19) Errors are handled reasonably
20) The user should be prompted in case of an accident
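Items 1, 5, 6 and 7 all reduce to one test: type a known value into the app, then look at everything the app wrote to its sandbox, temp and cache directories included. The Python below is an added example, not code from the original article: `scan_for_cleartext` walks a data directory and reports every file still holding a value the tester entered, and `hash_password`/`verify_password` show the storage form that satisfies "cannot be decoded" (a salted PBKDF2 hash, verified by recomputation). The sandbox layout, the test password and the test card number are constructed fixtures.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

# Constructed test values typed into the app during the test run (not real credentials).
TEST_PASSWORD = "Tester-Pa55!"
TEST_CARD = "4111111111111111"  # the standard Visa test number, never a live card

PBKDF2_ITERATIONS = 200_000


def scan_for_cleartext(root: Path, secrets_entered: list[str]) -> list[str]:
    """Walk the app's data directory (caches and temp files included) and report every
    file that still contains one of the values the tester typed in, in clear text."""
    hits: list[str] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for secret in secrets_entered:
            if secret.encode("utf-8") in data:
                # Report only a prefix so the finding itself does not leak the value.
                hits.append(f"{path.relative_to(root).as_posix()}: contains {secret[:4]}...")
    return hits


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store a password as a salted PBKDF2 hash: it can be verified but not decoded."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_sample_app_dir(root: Path) -> None:
    """Constructed snapshot of an app sandbox after a login and a checkout (hypothetical layout)."""
    (root / "shared_prefs").mkdir()
    # Finding: the password was persisted in clear text (violates items 1 and 7).
    (root / "shared_prefs" / "login.xml").write_text(f'<string name="pwd">{TEST_PASSWORD}</string>\n')
    (root / "cache").mkdir()
    # Finding: a temp file with card data was left behind (violates items 5 and 6).
    (root / "cache" / "checkout.tmp").write_text(f"card={TEST_CARD}\n")
    (root / "files").mkdir()
    # Correct: only a salted hash is stored, so the scan finds nothing here.
    (root / "files" / "creds.txt").write_text(hash_password(TEST_PASSWORD) + "\n")


def run_scan_demo() -> list[str]:
    """Build the sample sandbox in a temp directory and scan it for the entered values."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_app_dir(root)
        return scan_for_cleartext(root, [TEST_PASSWORD, TEST_CARD])


if __name__ == "__main__":
    for hit in run_scan_demo():
        print("FINDING:", hit)
```

Run the scan once right after entering the data and once more after killing the app process without a clean exit (item 6); a file that appears only in the second run is the temp file the app failed to remove. Extend the value list with anything else the tester typed (ID numbers, tokens), and run it against the backup the app produces as well (item 8).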

4. Communication security
1) While the software is running, if there is an incoming call, SMS, EMS, MMS, Bluetooth, infrared or other communication, or charging begins, whether the program can be suspended, the communication given priority, and the software restored normally after that process completes so that its original functions can continue.
2) When a connection is created, the application can handle the situation where the network connection is interrupted, and then tells the user that the connection was interrupted.
3) It should be able to handle communication delays or interruptions.
4) The application keeps working until the communication times out, and then sends an error message to the user indicating that there is a connection error.
5) It should be able to handle network exceptions and notify users of abnormal conditions in a timely manner; verify whether the HTTP environment is normal. In a public free network environment (such as McDonald's, Starbucks, etc.), the user must enter a user name and password to access the network through SSL authentication, and the exceptions thrown by the HTTP client library need to be caught.
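Items 2 to 5 describe one behaviour: every failure the HTTP client library can raise is caught, the request gives up after a fixed timeout, and the user sees a clear message instead of a crash. The Python below is an added example, not code from the original article, using the standard-library `urllib` client as a stand-in for whatever HTTP client the app uses. It maps timeouts, refused connections and HTTP error statuses to user-facing messages, keeps certificate verification on (the default SSL context), and exercises the cases against a constructed local server so it runs offline: one endpoint answers at once, one stalls past the client timeout, and one port has nothing listening.

```python
from __future__ import annotations

import http.client
import http.server
import socket
import ssl
import threading
import time
import urllib.error
import urllib.request

# Messages shown to the user; the library's own error text is never shown verbatim.
MSG_TIMEOUT = "The connection timed out. Please check your network and try again."
MSG_UNREACHABLE = "The server could not be reached. Please check your network connection."


def fetch_with_handling(url: str, timeout: float) -> dict:
    """Issue a GET with a hard timeout and map every failure to a user-facing message.
    The default SSL context verifies the server certificate on https:// URLs, which is
    what stops a captive portal on public Wi-Fi from impersonating the service."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            resp.read()
            return {"ok": True, "status": resp.status, "user_message": "Connected."}
    except socket.timeout:
        # The request was sent but the response did not arrive in time (item 4).
        return {"ok": False, "status": None, "user_message": MSG_TIMEOUT}
    except urllib.error.HTTPError as err:
        # The server answered, but with an error status.
        return {"ok": False, "status": err.code, "user_message": f"The server returned an error ({err.code})."}
    except urllib.error.URLError as err:
        # Connect-phase failures: refused, DNS failure, connect timeout, certificate rejected.
        if isinstance(err.reason, socket.timeout):
            return {"ok": False, "status": None, "user_message": MSG_TIMEOUT}
        return {"ok": False, "status": None, "user_message": MSG_UNREACHABLE}
    except (http.client.HTTPException, ssl.SSLError, OSError):
        # Anything else the client library raises is still reported, not crashed on (item 5).
        return {"ok": False, "status": None, "user_message": MSG_UNREACHABLE}


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local endpoint: /ok answers at once, /slow stalls longer than the client timeout."""

    def do_GET(self) -> None:
        if self.path == "/slow":
            time.sleep(1.5)
        try:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        except OSError:
            pass  # the client already gave up on /slow

    def log_message(self, *args) -> None:
        pass  # keep the demo output quiet


def run_demo() -> dict[str, dict]:
    """Exercise the three cases offline: normal reply, delayed reply, and nothing listening."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]

    # Find a port with nothing listening to simulate an unreachable service.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    results = {
        "ok": fetch_with_handling(f"http://127.0.0.1:{port}/ok", timeout=2.0),
        "slow": fetch_with_handling(f"http://127.0.0.1:{port}/slow", timeout=0.5),
        "refused": fetch_with_handling(f"http://127.0.0.1:{closed_port}/ok", timeout=2.0),
    }
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:8s} ok={outcome['ok']!s:5s} status={outcome['status']} -> {outcome['user_message']}")
```

The point of the `/slow` case is item 4: the app keeps working for exactly the timeout and then reports a connection error rather than hanging. Keep the certificate-verifying context even on networks that need a portal login: the right response to a verification failure there is to tell the user to sign in to the network, not to turn verification off.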


In the Internet age, security is an extremely important item in mobile app testing, and every point should be paid attention to. The security of user information is the key to the success of an app.
