APP security test points

Threats facing APPs

APP evaluation approach

APP automated testing approach

Security test points

Certificates and signatures

  1. Rename the .apk file to .zip
  2. Extract it with unzip
  3. META-INF contains the signature files, including CERT.RSA (the self-signed public-key certificate)
  4. View the certificate contents with the keytool utility:
    keytool -printcert -file META-INF/CERT.RSA
  5. The same applies to META-INF/CERT.SF
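The steps above inspect the JAR (v1) signature block of an APK by hand. The following added example (not from the original post) does the same thing programmatically: it opens an APK as a zip, lists the META-INF signature entries, and recomputes the per-file SHA-256 digests recorded in META-INF/MANIFEST.MF to spot entries that were modified after signing. The APK is a constructed in-memory sample, and CERT.SF and CERT.RSA are placeholders; the helper names are my own.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries (not a real APK). In the JAR v1 scheme every
# archive entry gets a digest line in META-INF/MANIFEST.MF.
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00constructed-sample-bytecode",
    "AndroidManifest.xml": b"<manifest/>",
}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(files: dict) -> str:
    """Build a MANIFEST.MF with one 'Name:' / 'SHA-256-Digest:' section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
    return "\r\n".join(lines) + "\r\n"


def build_sample_apk(files=SAMPLE_FILES, tamper=None) -> bytes:
    """Write a zip shaped like a v1-signed APK; `tamper` replaces classes.dex after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            if name == "classes.dex" and tamper is not None:
                data = tamper  # post-signing modification, manifest digest is stale
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(files))
        # A real CERT.SF carries digests of the manifest sections and CERT.RSA the
        # PKCS#7 signature over CERT.SF; both are placeholders in this sample.
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"<placeholder PKCS#7 blob>")
    return buf.getvalue()


def list_signature_files(apk: bytes) -> list:
    """Names of the META-INF entries, i.e. what step 3 above looks at."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("META-INF/"))


def parse_manifest(text: str) -> dict:
    """Return {entry name: base64 SHA-256 digest} from the per-entry sections."""
    digests, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current:
            digests[current] = line[len("SHA-256-Digest: "):]
    return digests


def verify_manifest_digests(apk: bytes) -> list:
    """Recompute each entry's digest and return the names whose digest does not match."""
    mismatched = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name, expected in digests.items():
            if _b64_sha256(zf.read(name)) != expected:
                mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    apk = build_sample_apk()
    print(list_signature_files(apk))
    print("mismatched:", verify_manifest_digests(apk))
    print("mismatched after tamper:", verify_manifest_digests(build_sample_apk(tamper=b"patched")))
```

This only checks the manifest layer; a complete v1 check also verifies CERT.SF against MANIFEST.MF and the CERT.RSA signature against CERT.SF, and modern APKs are additionally signed with the APK Signature Scheme v2/v3, which covers the whole file rather than individual entries.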

Allowbackup Vulnerability

The android:allowBackup attribute in AndroidManifest.xml is set to true. When the allowBackup flag is true, a user can back up the application's data with adb backup, which exports all data stored in the application's private directory without requiring root, resulting in serious leakage of user data.

Corrective recommendations
Set the android:allowBackup attribute to false so that the application data cannot be backed up.
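A quick way to check this point across many builds is to read the attribute from the decoded manifest. The added example below (my own code, not from the post) parses three constructed manifests, one with allowBackup="true", one with it set to false and one without the attribute, and reports the attribute's effective value; it assumes the binary AndroidManifest.xml has already been decoded to plain XML text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests (not from the page), already decoded to text XML.
MANIFEST_TRUE = (
    f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
    '<application android:allowBackup="true"/></manifest>'
)
MANIFEST_FALSE = (
    f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
    '<application android:allowBackup="false"/></manifest>'
)
MANIFEST_UNSET = (
    f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
    '<application android:label="demo"/></manifest>'
)


def allow_backup_setting(manifest_xml: str):
    """Return True/False for an explicit android:allowBackup value, or None if absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return None
    value = app.get(f"{{{ANDROID_NS}}}allowBackup")
    if value is None:
        return None
    return value.strip().lower() == "true"


def check_allow_backup(manifest_xml: str) -> str:
    """Classify the manifest as pass/fail for this test point."""
    setting = allow_backup_setting(manifest_xml)
    if setting is False:
        return "pass: android:allowBackup=false"
    if setting is None:
        # The platform default for this attribute is true, so an absent
        # attribute is the same finding as an explicit true.
        return "fail: android:allowBackup not set (defaults to true)"
    return "fail: android:allowBackup=true (adb backup can export app data)"


if __name__ == "__main__":
    for label, manifest in [("true", MANIFEST_TRUE), ("false", MANIFEST_FALSE), ("unset", MANIFEST_UNSET)]:
        print(label, "->", check_allow_backup(manifest))
```

The "unset" case matters in practice: reviewers often grep only for allowBackup="true" and miss applications that simply never declare the attribute.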

WebView vulnerability

The application's WebView is vulnerable: there are no call restrictions on the methods of the registered Java classes, so an attacker can use reflection to call any other Java class that was never registered, allowing arbitrary JavaScript code to attack the device.

Corrective recommendations
Declare the Java methods exposed to remote calls with @JavascriptInterface rather than relying on addJavascriptInterface alone;
when using a js2java bridge, validate every incoming parameter and block attack code;
Note: do not expose permission-related controls through the js2java bridge.
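To turn the first recommendation into something checkable during a code review, the added example below (my own, not from the post) lints Java source for classes handed to addJavascriptInterface and lists their public methods that lack the @JavascriptInterface annotation. The Java source is a constructed sample; the lint only recognises the `addJavascriptInterface(new X(...), ...)` form and simple single-file classes, which is an assumption of this example rather than a general Java parser.

```python
import re

# Constructed Java source (not from the page): a bridge class with one
# annotated and one unannotated public method, injected by an activity.
SAMPLE_JAVA = """
public class JsBridge {
    @JavascriptInterface
    public String getVersion() { return "1.0"; }

    public String readFile(String path) { return path; }

    private String helper() { return ""; }
}

public class MainActivity extends Activity {
    void init(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new JsBridge(), "bridge");
    }
}
"""

INJECT_RE = re.compile(r"addJavascriptInterface\s*\(\s*new\s+(\w+)\s*\(")
METHOD_RE = re.compile(
    r"(?P<annotated>@JavascriptInterface\s+)?"
    r"public\s+(?:static\s+)?[\w<>\[\]]+\s+(?P<name>\w+)\s*\("
)


def class_body(src: str, name: str) -> str:
    """Return the text of `class <name> { ... }` using brace matching."""
    m = re.search(r"\bclass\s+" + re.escape(name) + r"\b[^{]*\{", src)
    if not m:
        return ""
    start, depth = m.end() - 1, 0
    for j in range(start, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[start:j + 1]
    return src[start:]


def injected_classes(src: str) -> list:
    """Class names passed to addJavascriptInterface via `new X(...)`."""
    return sorted(set(INJECT_RE.findall(src)))


def unannotated_bridge_methods(src: str) -> dict:
    """{bridge class: [public methods without @JavascriptInterface]}."""
    report = {}
    for cls in injected_classes(src):
        body = class_body(src, cls)
        missing = [m.group("name") for m in METHOD_RE.finditer(body)
                   if not m.group("annotated")]
        report[cls] = missing
    return report


def bridge_exposes_all_public_methods(target_sdk: int) -> bool:
    """The annotation only restricts access when targetSdkVersion >= 17;
    below that, every public method of the injected object is callable from JavaScript."""
    return target_sdk < 17


if __name__ == "__main__":
    print(unannotated_bridge_methods(SAMPLE_JAVA))
    print("all public methods exposed at targetSdk 16:", bridge_exposes_all_public_methods(16))
```

Annotating methods is only half of the recommendation: the methods that remain annotated still receive attacker-controlled strings from page content, so each parameter needs validation on the Java side as the second bullet says.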

Key data is transmitted in plaintext

During the login process the application uses the HTTP protocol and transmits the user name and password in clear text, with no encryption. By monitoring network traffic, the user name and password can be intercepted, resulting in disclosure of user information and a security risk to the user.

Corrective recommendations
Encrypt sensitive information while it is being transmitted.
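When reviewing captured traffic for this test point, the question is simply whether credential-like fields travel over plain http. The added example below (my own code, not from the post) runs that check over a few constructed proxy records: it parses the query string, a form body and a JSON body for credential field names and reports only the requests sent over an unencrypted scheme. The field-name list and the record format are assumptions of the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Field names treated as credentials; extend for the application under test.
CREDENTIAL_KEYS = {"username", "user", "password", "passwd", "pwd", "token"}

# Constructed capture records (not real traffic) as a proxy might export them.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example.test/login",
     "body": "username=alice&password=s3cret"},
    {"method": "POST", "url": "https://api.example.test/login",
     "body": "username=alice&password=s3cret"},
    {"method": "GET", "url": "http://api.example.test/news?page=2", "body": ""},
    {"method": "POST", "url": "http://api.example.test/v2/login",
     "body": '{"user":"bob","pwd":"hunter2"}'},
]

JSON_KEY_RE = re.compile(r'"([A-Za-z_]\w*)"\s*:')


def credential_fields(url: str, body: str) -> set:
    """Credential-like field names found in the query string or the body."""
    found = set()
    for key in parse_qs(urlsplit(url).query):
        if key.lower() in CREDENTIAL_KEYS:
            found.add(key.lower())
    for key in parse_qs(body):  # form-encoded bodies
        if key.lower() in CREDENTIAL_KEYS:
            found.add(key.lower())
    for key in JSON_KEY_RE.findall(body):  # JSON bodies
        if key.lower() in CREDENTIAL_KEYS:
            found.add(key.lower())
    return found


def find_plaintext_credentials(requests: list) -> list:
    """(method, url, fields) for every request that sends credentials over http."""
    findings = []
    for r in requests:
        scheme = urlsplit(r["url"]).scheme.lower()
        fields = credential_fields(r["url"], r["body"])
        if scheme == "http" and fields:
            findings.append((r["method"], r["url"], sorted(fields)))
    return findings


if __name__ == "__main__":
    for method, url, fields in find_plaintext_credentials(SAMPLE_REQUESTS):
        print(f"plaintext credentials: {method} {url} fields={fields}")
```

The https request with the same body is intentionally not reported: the finding is about the transport, not the presence of a password field. On the application side, a network security configuration with cleartextTrafficPermitted="false" prevents the app from issuing such http requests at all, which is a good complement to encrypting the sensitive fields themselves.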

Arbitrary account registration

  1. Register in the APP with the phone number 133 * 887 and receive the verification code 46908;
  2. When confirming the submission, intercept the request and modify the registration phone number; any account can then be registered, here changed to 1338 * 678 (any phone number);

Corrective recommendations
At the final confirmation step of the registration process, the server should verify that the account being submitted is the phone number to which the verification code was issued.
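The server-side fix is to bind each verification code to the phone number it was sent to and look it up by that number at the final step. The added example below (my own code, not from the post) contrasts a store that only checks whether a submitted code exists anywhere, which is the flaw described above, with one that verifies the code against the submitted phone number, enforces expiry and allows each code to be used once. Phone numbers are constructed placeholders and the clock is injectable so the behaviour is testable.

```python
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class VerificationCodeStore:
    """Issue verification codes bound to the phone number they are sent to."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # phone -> [code, expires_at, failed_attempts]

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[phone] = [code, self._now() + OTP_TTL_SECONDS, 0]
        return code  # a real system sends this to `phone` by SMS instead of returning it

    def verify(self, phone: str, code: str) -> bool:
        """True only if `code` was issued to `phone`, is unexpired and unused."""
        entry = self._codes.get(phone)
        if entry is None:
            return False  # nothing was ever issued to this phone
        stored, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            self._codes.pop(phone, None)
            return False
        if not secrets.compare_digest(stored, code):
            entry[2] += 1
            return False
        del self._codes[phone]  # single use
        return True


def register_account_unbound(store: VerificationCodeStore, phone: str, code: str) -> str:
    """Flawed final step: accepts any valid code regardless of which phone it went to."""
    if any(code == entry[0] for entry in store._codes.values()):
        return f"registered:{phone}"
    return "rejected"


def register_account(store: VerificationCodeStore, phone: str, code: str) -> str:
    """Corrected final step: the submitted phone must match the phone the code was issued to."""
    if store.verify(phone, code):
        return f"registered:{phone}"
    return "rejected"


if __name__ == "__main__":
    store = VerificationCodeStore()
    issued_to, attacker_phone = "13300000887", "13300000678"  # constructed placeholders
    code = store.issue(issued_to)
    print("unbound check, other phone:", register_account_unbound(store, attacker_phone, code))
    print("bound check, other phone:  ", register_account(store, attacker_phone, code))
    print("bound check, right phone:  ", register_account(store, issued_to, code))
```

Looking the code up by phone number is what makes the interception described in step 2 ineffective: a modified phone number simply has no code associated with it, so the request is rejected before any account is created.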

Source: www.cnblogs.com/yoyoyang/p/11815592.html