App security test case checklist

For Android app security testing the original plan was to run an AppScan scan, but the system architecture does not support scanning with AppScan.

Here are some ideas for manual security testing. Each item lists its preconditions, test procedure and expected results; the numbers under "expected results" refer to the steps of the test procedure.

Data storage and sensitive data

Test 1: personal data on the network

Preconditions:
1. Rooted phone.
2. The application under test has a data connection (mobile data or WiFi).
3. The phone holds personal data: IMEI, IMSI, ESN, MEID, phone number, phone book, SMS, email, call log, location, PIN code, PUK code.

Test procedure:
1. Capture the IP traffic with tcpdump.
2. Use every function of application XX normally.
3. Analyse the capture in Wireshark for the personal or sensitive data listed in precondition 3. If none of it is present, skip step 4.
4. If the capture contains personal data from precondition 3 in bulk (a single item uploaded on its own, such as only the IMEI or only a GPS fix, does not count), check in Wireshark whether it was sent encrypted or over a secure channel.

Expected results:
3. The capture must not contain this data. If a function genuinely needs it, the interface must explicitly tell the user.
4. Personal or sensitive data from precondition 3 that does appear in the capture must be sent encrypted or over a secure channel.

Test 2: personal data in the DDMS log

Preconditions: same as test 1.

Test procedure:
1. Connect the phone to the computer and capture the DDMS log.
2. Use every function of application XX normally.
3. Analyse the DDMS log for the personal or sensitive data listed in precondition 3.
4. Check the DDMS log for printed passwords.

Expected results:
2-3. The log must not contain this data.
4. DDMS must not print account passwords.

Test 3: destination of uploaded data

Preconditions: the application under test has data service or a WiFi connection enabled.

Test procedure:
1. Capture the IP packets with tcpdump and confirm in Wireshark the server address to which sensitive data is uploaded.

Expected results:
1. Personal data must not be sent to server addresses in countries or regions outside the range where collecting sensitive data is permitted.
Note: rules on data transfer differ from country to country and region to region; check that your specific case meets local legal requirements.

Test 4: passwords in local storage

Preconditions:
1. Phone connected to DDMS.
2. Rooted phone.

Test procedure:
1. Exercise the functions of module XX that involve account passwords.
2. Open the *.db files under /data/data/<package name>/ with SQLiteSpy and check whether passwords are stored in the database in clear text.
3. Check the other files under /data/data/<package name>/ for passwords in plain text.

Expected results:
2-3. Passwords in clear text are not allowed (even if the file is protected by permissions, clear-text passwords are still not allowed).

Note: if the data is stored in SharedPreferences, see the verification method at https://www.cnblogs.com/ww-xiaowei/p/11209051.html
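Tests 1, 2 and 4 come down to the same question: does any captured text (the tcpdump capture, the DDMS log, or the database dumps and XML files pulled from /data/data) contain one of the phone's known identifiers or the test account's password? The shell script below is an added example, not part of the original page, that automates that search. The identifier values, the log lines and the adb/tcpdump commands in the comments are constructed assumptions: tcpdump must be present on the phone, and the values must be replaced with those of the real test device and account.

```shell
#!/bin/sh
# Added example (not from the original page): scan captured text for the
# test phone's own identifiers from precondition 3.  The identifier values,
# the log lines and the file names below are constructed for illustration.
#
# How the captures are produced on a rooted phone (run by hand, not here):
#   adb shell su -c "tcpdump -i any -s 0 -w /sdcard/app.pcap"   # needs tcpdump on the phone
#   adb pull /sdcard/app.pcap && tcpdump -A -r app.pcap > app_net.txt
#   adb logcat -v time > app_ddms.txt                           # what DDMS shows
#   adb pull /data/data/<package name>/ app_data/               # db/xml/prefs files
#   sqlite3 app_data/databases/app.db .dump > app_db.txt

# write_ids FILE: the phone's known identifiers, one name=value per line
# (constructed values; replace with the real device's and test account's).
write_ids() {
  cat > "$1" <<'EOF'
IMEI=356938035643809
IMSI=460001234567890
PHONE=13800138000
PASSWORD=Passw0rd!
EOF
}

# write_sample_log FILE: constructed logcat-style lines to scan.
write_sample_log() {
  cat > "$1" <<'EOF'
12:01:02.110 D/LoginActivity( 1234): login user=alice pwd=Passw0rd!
12:01:02.334 I/Report( 1234): POST /api/report HTTP/1.1 body=imei=356938035643809&lat=31.23&lng=121.47
12:01:03.001 I/Net( 1234): TLS handshake with api.example.com:443 complete
EOF
}

# leaked_names LOGFILE IDFILE: print the name of every identifier whose
# value appears verbatim in LOGFILE (one name per line).
leaked_names() {
  while IFS='=' read -r name value; do
    if [ -n "$value" ] && grep -q -F -- "$value" "$1"; then
      printf '%s\n' "$name"
    fi
  done < "$2"
  return 0
}

# scan_leaks LOGFILE IDFILE: print "NAME:LINENO:line" for each hit and
# return 1 if anything leaked, 0 if the capture is clean.
# (Identifier names must not contain sed-special characters such as / or &.)
scan_leaks() {
  leaked=0
  while IFS='=' read -r name value; do
    [ -n "$value" ] || continue
    if grep -n -F -- "$value" "$1" | sed "s/^/$name:/" | grep .; then
      leaked=1
    fi
  done < "$2"
  return $leaked
}
```

Anything grep finds in `tcpdump -A` output was by definition not encrypted, which answers step 4 of test 1 directly; a TLS session shows only ciphertext. The same function applies unchanged to `sqlite3 app.db .dump` output and to the XML files under shared_prefs, which covers test 4 and the SharedPreferences note.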

Traffic consumption

Test 1: idle traffic over WiFi

Preconditions:
1. The phone has a WiFi connection.
2. The phone is plugged into the PC (to prevent it from sleeping) and the screen is set to stay on.
3. The application has been granted at least the network permission.

Test procedure:
1. Open the application and leave it running without any interaction for 24 hours.

Expected results:
1. In Settings, check the WiFi traffic consumed by the application; it must not exceed 0.1 MB.

Test 2: idle traffic over mobile data

Preconditions:
1. The phone has a mobile data connection and "always-on mobile data" is enabled.
2. The phone is plugged into the PC (to prevent it from sleeping) and the screen is set to stay on.
3. The application has been granted at least the network permission.

Test procedure: same as test 1.

Expected results:
1. In Settings, check the mobile data traffic consumed by the application; it must not exceed 0.1 MB.

Note: if 24 hours is too long, test for 30 minutes instead; the traffic consumed must then not exceed 0.06 MB.
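Reading the Settings screen works, but a per-uid byte count taken before and after the idle period is more precise and is easy to repeat for the 30-minute variant. The shell example below is added here and is not from the original page. It assumes the xt_qtaguid accounting interface of Android 4.x-era kernels (the column layout is stated in the comments; verify it against the header line on your device), that `dumpsys package` prints the app's `userId=` line, a sample uid of 10093, and constructed counter values.

```shell
#!/bin/sh
# Added example (not from the original page): measure an app's traffic over
# the idle period from two snapshots of /proc/net/xt_qtaguid/stats.
# Column layout assumed (check the header line on your device):
#   idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets ...
# Rows with acct_tag_hex 0x0 carry the uid's untagged total, so only those
# are summed; cnt_set 0/1 are the background/foreground counters.
# Devices without xt_qtaguid (Android 9 and later) need `adb shell dumpsys netstats`.
#
# Snapshot by hand at the start and end of the 24 h window:
#   uid=$(adb shell dumpsys package com.example.app | sed -n 's/.*userId=\([0-9]*\).*/\1/p' | head -n 1)
#   adb shell cat /proc/net/xt_qtaguid/stats > before.txt
#   ... wait 24 h (or 30 min) ...
#   adb shell cat /proc/net/xt_qtaguid/stats > after.txt

LIMIT_BYTES=102400   # 0.1 MB for the 24 h test; use 61440 (0.06 MB) for 30 min

# write_snapshot FILE RX TX: constructed stats file; RX/TX are the background
# (cnt_set 0) counters of the sample app uid 10093.  Real files have more columns.
write_snapshot() {
  cat > "$1" <<EOF
idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets
2 wlan0 0x0 0 0 4580 35 4070 35
3 wlan0 0x0 0 1 120 2 80 2
4 wlan0 0x0 10093 0 $2 10 $3 5
5 wlan0 0x0 10093 1 3000 20 1500 10
6 wlan0 0x1000000000000000 10093 0 200 2 100 1
EOF
}

# uid_bytes SNAPSHOT UID: rx+tx bytes counted for UID (untagged rows only).
uid_bytes() {
  awk -v uid="$2" '$3 == "0x0" && $4 == uid { total += $6 + $8 } END { print total + 0 }' "$1"
}

# traffic_delta BEFORE AFTER UID: bytes the uid moved between the snapshots.
traffic_delta() {
  b=$(uid_bytes "$1" "$3")
  a=$(uid_bytes "$2" "$3")
  echo $((a - b))
}

# traffic_within_limit BEFORE AFTER UID [LIMIT]: 0 if the delta is within LIMIT.
traffic_within_limit() {
  limit=${4:-$LIMIT_BYTES}
  delta=$(traffic_delta "$1" "$2" "$3")
  printf 'uid %s used %s bytes (limit %s)\n' "$3" "$delta" "$limit"
  [ "$delta" -le "$limit" ]
}
```

The counters are cumulative since boot, so the phone must not reboot between the two snapshots; if it does, take the measurement again.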

Other items

System upgrade

Test procedure:
1. The system detects a new version.
2. The application detects a new version.

Expected results:
1-2. The user is prompted whether to upgrade and told the potential impact of the upgrade; automatic updates without the user's knowledge are not allowed. The online check for upgrade packages must not run too often: no more than once per day.

Password (dialer secret codes)

Test procedure:
1. Prepare a rooted phone.
2. Search AndroidManifest.xml for intent filters of the form
   <data android:host="2432546" android:scheme="android_secret_code"/>
3. Compare the secret codes found with the code table in the annex.
4. Check the function behind each code against the notes in the document.

 
Virus scan

Test procedure:
1. Install anti-virus software (the Android version of McAfee) on the phone, run a security scan and enable real-time monitoring.
2. Open application XXX and use it normally.

Expected results:
2. During normal use the anti-virus software must not report viruses, Trojans, malware or other security risks.
Signature verification

Preconditions: rooted phone.

Test procedure:
1. Run on the command line: jarsigner -verify -verbose -certs D:\XXX.apk
2. Check the signature information in the result.

Expected results:
1. In the signature information, at least one of name (CN), department (OU) and company (O) must be non-empty; a debug signature must not appear (a signature whose fields contain debug wording, such as CN=Android Debug); and the information filled in must be true and valid.
2. Applications that are not official Google applications must not be signed with the Android public certificate Android/[email protected]. Every signature must carry real, valid information, with no invalid URLs and no garbled text. Third-party applications must in general not be signed with the Huawei signature.
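The expected results above can be checked mechanically from the jarsigner output, which prints one `X.509, <subject DN>` line per signer certificate. The shell example below is an addition, not code from the page: the jarsigner excerpt and the DNs in the comments are constructed, and the checks for the Android public certificate and the Huawei signature are left out because they depend on your own list of reference certificates.

```shell
#!/bin/sh
# Added example (not from the original page): extract the signer DN from
# `jarsigner -verify -verbose -certs app.apk` output and apply the checks
# from the expected results.  The jarsigner excerpt below is constructed.
#
# By hand (jarsigner ships with the JDK):
#   jarsigner -verify -verbose -certs D:\XXX.apk > jarsigner.txt

# write_sample_jarsigner FILE: constructed excerpt of jarsigner output for an
# apk signed with the default debug key.
write_sample_jarsigner() {
  cat > "$1" <<'EOF'
s       1181 Mon Sep 09 14:36:02 CST 2013 META-INF/MANIFEST.MF

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 9/1/13 10:00 AM to 8/25/43 10:00 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

sm      4312 Mon Sep 09 14:36:02 CST 2013 AndroidManifest.xml

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 9/1/13 10:00 AM to 8/25/43 10:00 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

jar verified.
EOF
}

# signer_dns FILE: the distinct X.509 subject DNs found in jarsigner output.
signer_dns() {
  sed -n 's/^[[:space:]]*X\.509, //p' "$1" | sort -u
}

# dn_field DN KEY: value of KEY (CN, OU, O, ...) in a comma-separated DN, or empty.
dn_field() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_signer_dn DN: 0 if the DN is acceptable, 1 if it fails the criteria
# (debug signature, or CN, OU and O all empty).
check_signer_dn() {
  case $1 in
    *"CN=Android Debug"*) printf 'FAIL: debug signature (%s)\n' "$1"; return 1 ;;
  esac
  cn=$(dn_field "$1" CN); ou=$(dn_field "$1" OU); o=$(dn_field "$1" O)
  if [ -z "$cn" ] && [ -z "$ou" ] && [ -z "$o" ]; then
    printf 'FAIL: CN, OU and O are all empty (%s)\n' "$1"; return 1
  fi
  printf 'PASS: CN=%s OU=%s O=%s\n' "$cn" "$ou" "$o"
}

# check_apk_signers FILE: run check_signer_dn over every signer in the output;
# an apk with no signer certificate at all also fails.
check_apk_signers() {
  rc=0
  while IFS= read -r dn; do
    if [ -z "$dn" ]; then
      echo 'FAIL: no signer certificate found'; rc=1; continue
    fi
    check_signer_dn "$dn" || rc=1
  done <<EOF
$(signer_dns "$1")
EOF
  return $rc
}
```

Whether the CN, OU and O values are "true and valid" (a real company, not a placeholder) still needs a human to look at the PASS line; the script only enforces the mechanical part of the criteria.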

 

Debug mode

Test procedure:
1. Go to Settings > Developer options > Select debug app and check whether the application under test appears in the list of debuggable applications.

Expected results:
1. The application under test is not in the list of debuggable applications (or the "Select debug app" menu is greyed out).

targetSdk

Preconditions: the phone is connected to the computer.

Test procedure:
1. Run adb shell dumpsys package <package name> and read the targetSdk value.
2. Check whether the apk requests the permissions listed below:
   aapt dump badging YourApp.apk
   adb shell dumpsys package com...... | findstr versionCode

Expected results:
1. If targetSdk is 23 or higher, pass (from API 23 onward, dangerous permissions are granted at run time rather than at install time); if targetSdk is below 23, continue with step 2.
2. The apk must not request the permissions listed below.

Permissions

Test 1: recording

Preconditions:
1. In the phone manager's permission management, set the monitoring of the application to "prompt".
2. Rooted phone.

Test procedure:
1. Check AndroidManifest.xml for the permission android.permission.RECORD_AUDIO.
2. Operate the functions of module XX and check for a call-recording function. If there is a recording function, use permission management to check whether it records in the background and whether the user is explicitly told while recording.

Expected results:
1. If there is no recording permission, ignore step 2.
2. No call-recording function; recording in the background or without the user's explicit knowledge is not allowed.

Test 2: calls and SMS

Preconditions:
1. In the phone manager's permission management, set the monitoring of the application to "prompt".
2. Rooted phone.

Test procedure:
1. Check AndroidManifest.xml for the permissions android.permission.SEND_SMS and android.permission.CALL_PHONE.
2. With permission management in listening mode, go through the functions of module XX.

Expected results:
1. If there is no calling or SMS permission, ignore step 2.
2. Permission management must not detect any covert calling or SMS-sending behaviour.

Test 3: requested permissions match the business functions

Preconditions: rooted phone.

Test procedure:
1. Check the permissions the application requests in AndroidManifest.xml.

Expected results:
1. The application must not request sensitive permissions that do not match its business functions. (Example: a photo-taking application must not request permission to send SMS.)

Process user

Test procedure:
1. Run application XXX.
2. Enter adb shell on the command line.
3. Enter the ps command.
4. Find the application in the last column, NAME, and look at the user shown in its USER column.

Expected results:
4. The application (whether developed in-house or a preinstalled third-party application) shows a USER of the form app_XX or u0_aXX. If it runs as root or system, assess whether that is really necessary (it almost never is). Note: on Jelly Bean the form is u0_aXX; on Ice Cream Sandwich and earlier it is app_XX.

REBOOT permission

Test procedure:
1. Check whether the application requests the permission android.permission.REBOOT.

Expected results:
1. This permission is normally not requested; if it is, confirm that it is necessary.
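The manifest checks above (secret codes, targetSdk, the android:debuggable flag that makes an app eligible for the "Select debug app" list, and permissions that do not match the business functions, REBOOT included) can all be run from a decoded AndroidManifest.xml. The shell example below is added here and is not from the original page; the manifest, the package name com.example.camera and the allow list are constructed assumptions, and the parsing assumes apktool's one-element-per-line layout.

```shell
#!/bin/sh
# Added example (not from the original page): static checks on a decoded
# AndroidManifest.xml covering secret codes, targetSdk, debuggable and
# permissions.  The manifest below is constructed; the allow list passed to
# unexpected_permissions is derived from the app's business functions.
#
# To get a readable manifest from an apk (apktool is a third-party tool):
#   apktool d XXX.apk -o xxx_decoded      # -> xxx_decoded/AndroidManifest.xml

write_sample_manifest() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REBOOT"/>
    <application android:debuggable="true" android:label="Camera">
        <receiver android:name=".SecretCodeReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <data android:scheme="android_secret_code" android:host="2432546"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
EOF
}

# manifest_permissions FILE: one requested permission per line.
manifest_permissions() {
  grep 'uses-permission' "$1" | sed -n 's/.*android:name="\([^"]*\)".*/\1/p'
}

# manifest_secret_codes FILE: hosts of android_secret_code <data> elements.
manifest_secret_codes() {
  grep 'android_secret_code' "$1" | sed -n 's/.*android:host="\([^"]*\)".*/\1/p'
}

# manifest_target_sdk FILE: targetSdkVersion, or empty if not declared.
manifest_target_sdk() {
  sed -n 's/.*android:targetSdkVersion="\([0-9]*\)".*/\1/p' "$1"
}

# manifest_debuggable FILE: 0 if android:debuggable="true" is set.
manifest_debuggable() {
  grep -q 'android:debuggable="true"' "$1"
}

# unexpected_permissions FILE "ALLOWED ...": print requested permissions that
# are not in the space-separated allow list; return 1 if there are any.
unexpected_permissions() {
  found=0
  for p in $(manifest_permissions "$1"); do
    case " $2 " in
      *" $p "*) ;;
      *) printf '%s\n' "$p"; found=1 ;;
    esac
  done
  return $found
}

# review_manifest FILE "ALLOWED ...": run every check, return 1 on any finding.
# Secret codes are only listed; they must be compared with the annex by hand.
review_manifest() {
  rc=0
  sdk=$(manifest_target_sdk "$1")
  [ -n "$sdk" ] && [ "$sdk" -ge 23 ] || { echo "targetSdk ${sdk:-missing} is below 23"; rc=1; }
  manifest_debuggable "$1" && { echo "android:debuggable is true"; rc=1; }
  for code in $(manifest_secret_codes "$1"); do
    echo "secret code registered: $code (compare with the annex)"
  done
  unexpected_permissions "$1" "$2" | sed 's/^/unexpected permission: /' | grep . && rc=1
  return $rc
}
```

For a camera app the allow list would be something like CAMERA and INTERNET; SEND_SMS and REBOOT then show up as findings, as in the expected result of test 3 and the REBOOT item.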
File permissions

Test procedure:
1. Go through the functions of module XX.
2. Enter adb shell on the command line.
3. Change to the directory of the apk under test: cd /data/data/<package name>/
4. Use ls -l to check the "other" permission bits of every file, for example: -rw-rw---- u0_a93 u0_a93 566 2013-09-09 14:36 com.tigerknows_preferences.xml
5. Check whether any file whose "other" bits grant read or write contains private data (see precondition 2), for example the IMEI or the phone number.

Expected results:
4. If the last three characters are --- or --x (the last three of a string like -rw-rw----), others have no read or write access; if there is no such file, ignore step 5.
5. Files readable or writable by others must not contain private data.
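Step 4 of the process-user item and steps 4-5 of the file-permissions item are string checks on `ps` and `ls -l` output, which are easy to get wrong by eye across dozens of files. The shell example below is added here and is not from the page: apart from the listing line quoted above, the listing, the ps lines and the package names are constructed, and the mode-string layout assumed is that of the old Android `ls -l` shown on the page (mode, owner, group, size, date, time, name, with no link count).

```shell
#!/bin/sh
# Added example (not from the original page): check the process user from
# `ps` output and the "other" permission bits from `ls -l` output.
# The listing and ps lines below are constructed (the first listing line is
# the one quoted on the page).
#
# By hand on a rooted phone:
#   adb shell ps | grep com.example.app
#   adb shell "su -c 'ls -l /data/data/com.example.app/shared_prefs'"

write_sample_listing() {
  cat > "$1" <<'EOF'
-rw-rw---- u0_a93   u0_a93        566 2013-09-09 14:36 com.tigerknows_preferences.xml
-rw-rw-r-- u0_a93   u0_a93       2048 2013-09-09 14:36 device.xml
-rw-rw-rw- u0_a93   u0_a93      12288 2013-09-09 14:36 account.db
drwxrwx--x u0_a93   u0_a93            2013-09-09 14:36 cache
EOF
}

# other_bits MODE: the "other" rwx triple of a mode string such as -rw-rw----.
other_bits() {
  printf '%s\n' "$1" | cut -c8-10
}

# other_can_rw LSLINE: 0 if the "other" bits of an `ls -l` line include r or w
# (execute-only on a directory, as in --x, is not flagged).
other_can_rw() {
  mode=${1%% *}
  case $(other_bits "$mode") in
    r??|?w?) return 0 ;;
    *) return 1 ;;
  esac
}

# world_accessible LISTING: names of entries readable or writable by others.
# These are the files to inspect for private data in step 5.
# (File names containing spaces are not handled.)
world_accessible() {
  while IFS= read -r line; do
    case $line in
      -*|d*) other_can_rw "$line" && printf '%s\n' "${line##* }" ;;
    esac
  done < "$1"
  return 0
}

# runs_as_app_user PSLINE: 0 if the USER column is an app uid (app_NN on ICS
# and earlier, u0_aNN from Jelly Bean), 1 for root, system or anything else.
runs_as_app_user() {
  case ${1%% *} in
    app_[0-9]*|u[0-9]*_a[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Files named by world_accessible are the ones to grep for the IMEI, phone number and other values from the data-storage section; a file that others can write is worse than one they can only read, since another app can then alter the preferences the application trusts.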

 


Origin www.cnblogs.com/ww-xiaowei/p/11214956.html