Security testing strategy analysis of mobile APP testing



With the development of the Internet and the prevalence of mobile apps, I recently looked into the security tests that relate to mobile APPs. From the perspective of intrusion or attack, the security risks of apps built mainly around a WebView lie in HTTP packet capture and reverse engineering.
  
At present most apps still use HTTP or HTTPS, so it is necessary to prevent the user's information and the system's own vulnerabilities from leaking through HTTP packet capture. Information that is not displayed on screen has not necessarily been withheld by the server; much of it is only hidden by the client, and by capturing packets one can fully view data belonging to unfamiliar users. Another example is apps with many posts and push messages: if the validity of a message is not verified and the message is tampered with after capture, the server will not react at all, which leaves a serious hidden danger. Reverse engineering is easy to understand for Android: decompile the app, then modify it or insert your own code to achieve the corresponding purpose.
  
Security testing strategy
  
1. User privacy
Check whether user passwords are saved locally, and whether they are encrypted
Check whether sensitive private information, such as chat records, relationship chains and bank accounts, is encrypted
Check whether system files and configuration files are saved in plaintext on external storage
Some information that must be kept on external storage needs to be checked for tampering before each use. For locally stored data, inspect the application's SharedPreferences files and database files (in the application's install directory, accessible after rooting the device) and confirm that no sensitive data was written to external storage.
  
2. File permissions
Check the directory where the app is installed; its permissions must not allow other group members to read or write it.
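As an added example (not part of the original post) of how checks 1 and 2 above can be run against a copy of an app's data directory, assuming it was pulled from a rooted test device with `adb pull /data/data/<package> ./appdata` and using a constructed sample tree:

```shell
#!/bin/sh
# Added example, not from the original post: audit a copy of an app's private data
# directory for checks 1 and 2: secret-like SharedPreferences values stored in
# plaintext, and files readable or writable by group or others. Data is constructed.
set -u

count() { grep -c '' || true; }   # line count without the padding `wc -l` may add

# Constructed sample of an app data directory so the script runs offline.
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/shared_prefs" "$dir/databases"
  cat > "$dir/shared_prefs/user.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="session_token">constructed.session.token</string>
</map>
EOF
  printf 'SQLite format 3' > "$dir/databases/chat.db"
  chmod 755 "$dir/shared_prefs"; chmod 644 "$dir/shared_prefs/user.xml" # group/world readable: findings
  chmod 700 "$dir/databases";    chmod 600 "$dir/databases/chat.db"     # private to the app uid: ok
  printf '%s' "$dir"
}

# Check 2: anything under the app directory that group or others can read or write.
world_accessible() {
  find "$1" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) | sort
}

# Check 1: SharedPreferences entries whose key name suggests a secret kept in plaintext.
plaintext_secrets() {
  grep -rEio '<string name="(pass(word|wd)?|pin|token|secret|session[_a-z]*)"[^<]*</string>' \
    "$1/shared_prefs" 2>/dev/null
}

# Report both kinds of finding; exit status 0 only when there are none.
audit() {
  perms=$(world_accessible "$1" | count)
  secrets=$(plaintext_secrets "$1" | count)
  echo "group/world-accessible entries: $perms"; world_accessible "$1"
  echo "plaintext secret-like prefs:    $secrets"; plaintext_secrets "$1"
  [ "$perms" -eq 0 ] && [ "$secrets" -eq 0 ]
}

sample=$(make_sample)
audit "$sample" || echo "audit FAILED for $sample (expected with the sample data)"
rm -rf "$sample"
```

Point `audit` at a real pulled directory instead of `make_sample` to use it on an app under test.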
  
3. Network transmission
Check whether sensitive information is encrypted during network transmission; important data should be sent over TLS or SSL.

HTTP requests are plaintext by default. If the security verification and encryption mechanism is weak, it is easy to guess and forge the request through network sniffing and scanning, and injection may also be possible.
    
4. Run-time interpretation protection
For software with an embedded interpreter, check for XSS and SQL injection vulnerabilities. For apps that use a WebView, check for URL spoofing vulnerabilities.
  
5. Android component permission protection
Prevent the app's internal components from being invoked by arbitrary third-party programs.
If a component must be callable from outside the app, check whether it restricts callers by signature.
  
6. Upgrade
Check whether the integrity and legitimacy of the upgrade package are verified, so that the upgrade package cannot be hijacked.

7. Reverse engineering
Reverse the application to see whether the decompiled code exposes sensitive information. If the app can be decompiled, its code modified, hijacking code inserted and the result repackaged, such a vulnerability poses a great threat to both users and developers. The application must be hardened (encrypted) to prevent static cracking, in which the source code is stolen, malicious viruses, advertisements and the like are embedded, and tools are used to package and re-sign it into a secondary-packaged application.

8. Interface interception
With root privileges obtained through adb shell commands or third-party software, the private information the user enters on the phone's screen can be intercepted and then used for malicious behavior.

For mobile applications, security testing accounts for an increasingly large share of app testing. The security of user information also determines whether an application succeeds, and mobile banking and financial securities apps in particular demand a high degree of security, which must be taken very seriously.