Threats facing the APP
APP evaluation approach
APP automated testing approach
Security test points
Certificates and signatures
- Rename the .apk file to .zip
- Unpack it with unzip
- META-INF contains the signature files and CERT.RSA (the self-signed certificate holding the public key)
- View the certificate contents with the keytool tool:
keytool -printcert -file META-INF/CERT.RSA
- The same directory also holds the signature file META-INF/CERT.SF
AllowBackup vulnerability
The android:allowBackup attribute in AndroidManifest.xml is set to true. When allowBackup is true, anyone with the device can back up the application's data with adb backup and export everything stored under the application's data directory without root, leading to serious leakage of user data.
Corrective recommendations
Set the android:allowBackup attribute to false so that the application data cannot be backed up.
WebView vulnerability
The application's WebView is vulnerable: there is no restriction on which methods of a registered Java class can be called, so an attacker can use reflection from JavaScript to call any other Java class that was never registered, leading to arbitrary code execution on the device.
Corrective recommendations
Declare the Java methods that may be called remotely with the @JavascriptInterface annotation instead of relying on addJavascriptInterface alone;
when using a js2java bridge, validate every incoming parameter and block attack payloads;
Note: do not expose permission-related or control operations through the js2java bridge.
Key data is transmitted in plaintext
During the login process the application transmits the user name and password in clear text over the HTTP protocol, without any encryption. By sniffing network traffic, the user name and password can be intercepted, disclosing user information and putting users at risk.
Corrective recommendations
Encrypt sensitive information while it is in transit.
Any account registration
- Register in the APP with the phone number 133 * 887 and receive the verification code 46908;
- When confirming the submission, intercept the request and modify the registration phone number; an arbitrary account can then be registered, here changed to 1338 * 678 (any phone number);
Corrective recommendations
At the final confirmation step of the registration process, the server should verify that the account being submitted matches the phone number to which the verification code was issued.
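As an added example (not code from the original checklist), a server-side confirmation step in Python showing the weak check that only validates the code next to the corrected check that binds the code to the phone number it was issued to; the in-memory store, the TTL and the phone numbers are constructed for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store for this example: phone number -> (code, issued_at).
# A real service would keep the same binding in a database or cache.
CODE_TTL_SECONDS = 300
_issued: Dict[str, Tuple[str, float]] = {}


def issue_code(phone: str, now: Optional[float] = None) -> str:
    """Generate a 5-digit code and record which phone number it was sent to."""
    code = f"{secrets.randbelow(100000):05d}"
    _issued[phone] = (code, time.time() if now is None else now)
    return code


def confirm_weak(phone: str, submitted_code: str) -> bool:
    """Vulnerable check: accepts the submission if the code matches any
    outstanding code, ignoring which phone it was issued to. An intercepted
    request with a swapped phone number therefore passes."""
    return any(hmac.compare_digest(c, submitted_code) for c, _ in _issued.values())


def confirm(phone: str, submitted_code: str, now: Optional[float] = None) -> bool:
    """Corrected check: the code must be the one issued to this exact phone
    number, must be unexpired, and is consumed so it cannot be reused."""
    now = time.time() if now is None else now
    entry = _issued.get(phone)
    if entry is None:
        return False  # no code was ever sent to this number
    code, issued_at = entry
    if now - issued_at > CODE_TTL_SECONDS:
        _issued.pop(phone, None)
        return False  # stale code
    if not hmac.compare_digest(code, submitted_code):
        return False
    _issued.pop(phone, None)  # single use: blocks replay of a captured code
    return True
```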