2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many people without experience do not know how to approach mobile app security assessment and detection. This article summarizes the causes of the common problems and their solutions, in the hope that it helps you address them.
With the rapid development of network technology, Android apps carry many security risks that need continuous attention. Work on the security of system programs, system data, basic business functions and application vulnerabilities has gradually produced a more secure, stable and complete mobile app monitoring system. Such a system serves as the first line of defense against malicious harm, and it encourages developers to consider app security assessment while building mobile apps, which contributes to better and more secure mobile app development.
Key points of Evaluation and Protection of the New version of Mobile App
According to the latest grade protection mobile Internet security extension standard, the new standard treats mobile Internet technology as a whole as the protected object and assigns the level to that overall object. There are no separate requirements and goals for mobile terminal systems, application systems and wireless networks; that is, they are not required to be graded separately. The new standard must meet the previously established grade protection standard and also improve mobile app security in several important technical areas: mobile terminals, the use of apps in daily life, the physical and environmental security of wireless networks, and application and data security. In addition, it sets new goals and requirements at the management level, covering security management methods, the security management system, security management organizations and personnel, and the improvement of security construction.
Research system of Security Detection for Mobile APP
As network technology develops ever faster, many criminals use the network as a platform for illegal activity, so mobile apps face many security problems. Criminals exploit such vulnerabilities to defraud users quickly, and many users do not know that an app has these flaws, so they fall into a trap without realizing it. A sound app security detection system must therefore be established and the vulnerabilities of every mobile app resolved, so that users are protected and can use apps with confidence.
The multi-dimensional security mobile application security level assessment system is an automated security detection service for enterprise and individual developers. It runs a number of security assessment tests on Android APK packages, covering code protection, dynamic defense, local data, network data, malicious vulnerabilities and other risk points. Static and dynamic analysis can be completed in an average of 10 minutes. It generates visual online reports and offline reports in Word format, helping users test security before an app is released and avoid economic losses caused by potential security problems.
Data security
(1) Detection of storage security
Important internal information in a mobile app leaks easily. The main cause is the way the information is stored: most parties end up with permission to access internal data, so important internal information is easily exposed.
(2) Tampering with resource files
Many pirated or plagiarized apps circulate on the network because the resources of the original app can be used directly, without any security protection. Criminals take advantage of this weakness and quietly repackage the genuine app's resources into a pirated app.
Security of the business
(1) Monitoring and testing of certificates
Protecting the app's certificate is an important part of securing mobile app services. If the app certificate cannot be stolen, the security of the user's account, information and password can be ensured. To keep the certificate secure, the information in the certificate only needs to be encrypted.
(2) Handling and detection of abnormal events
A good mobile app should be able to detect and handle exceptions when they occur. Once an exception occurs, the app must not only capture it promptly but also record it, or transmit it to the server, where it is parsed and analyzed.
Loopholes in program applications
(1) Detection of virus
The APK of each mobile APP needs to be tested for viruses before it is put on the shelves.
(2) APK static decompilation vulnerability
The app is checked with static decompilation of the APK to see whether it is exposed to decompilation. Many decompilers, such as apktool, decompile the APK into smali code. If the smali code is not protected, the software faces many security problems: it can be cracked, malicious code can be inserted, and even the advertiser's ID can be replaced.
(3) Database injection vulnerability
The app is checked for database injection vulnerabilities and their impact. In some cases, for example when the read and write permissions of ContentProvider components are set poorly and filtering of SQL statements is omitted, the app's database is exposed. If someone attacks it deliberately, the user's account name, password and other sensitive data are in danger of leaking; user queries may also fail with exceptions, and the application may even crash.
(4) allowBackup security vulnerability
The app is checked for the risk of unauthorized backup of its data. Some systems provide dedicated functions for data backup and recovery, such as Android API Level 8 and above. If this function is exposed, an attacker may be able to restore the data on another device, disclosing sensitive information such as the user's chat messages. For applications that involve money transactions, the attack can be used to steal deposits and make malicious payments.
(5) WebView remote code execution vulnerability
The app is checked for remote code execution vulnerabilities in WebView. Android API level 16 and earlier versions contain a remote code execution vulnerability that arises when a program uses WebView.addJavascriptInterface without proper restrictions on the method. This gives remote attackers an opening: they can use the Java Reflection API to expose the app's Java function interfaces completely and then use them to carry out illegitimate operations.
(6) Safe operation of data in memory
The app is checked for problems with dynamic debugging of its code. A person or a malicious program can use dynamic debugging to eavesdrop on and trace the program while it is running, obtaining the app's data and stealing users' private information held in the app. This is the dynamic debugging vulnerability of code in the Android C layer.
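The manifest-level parts of checks (3), (4) and (5) can be automated in a static pass. The following Python check is an added example, not code from the original article or from any assessment product; the function `audit`, its finding codes, and the sample manifest and smali line are constructed for illustration, and it assumes a decoded text manifest that still contains a `uses-sdk` element.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
JS_BRIDGE = "Landroid/webkit/WebView;->addJavascriptInterface("

# Constructed sample: a decoded AndroidManifest.xml (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="19"/>
  <application android:label="Demo">
    <provider android:name=".NotesProvider"
              android:authorities="com.example.demo.notes"
              android:exported="true"/>
    <provider android:name=".SafeProvider"
              android:authorities="com.example.demo.safe"
              android:exported="true"
              android:readPermission="com.example.demo.READ"/>
  </application>
</manifest>"""

# Constructed smali line of the kind a decompiler emits for a WebView bridge call.
SAMPLE_SMALI = [
    "invoke-virtual {v0, v1, v2}, Landroid/webkit/WebView;->"
    "addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
]

def audit(manifest_xml, smali_lines):
    """Return sorted finding codes (hypothetical names) for manifest and smali."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = set()
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID + "allowBackup", "true").lower() != "false":
        findings.add("ALLOW_BACKUP")
    for prov in app.iter("provider"):
        guarded = any(prov.get(ANDROID + a) for a in
                      ("permission", "readPermission", "writePermission"))
        if prov.get(ANDROID + "exported") == "true" and not guarded:
            findings.add("OPEN_PROVIDER:" + prov.get(ANDROID + "name", "?"))
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    # API level 16 and earlier expose every public method of a bridged object.
    if min_sdk <= 16 and any(JS_BRIDGE in line for line in smali_lines):
        findings.add("WEBVIEW_JS_BRIDGE")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print(finding)
```

A provider flagged here still needs its query code reviewed for SQL built from caller-supplied strings; the manifest only shows who can reach it.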
Technical advantages of multi-dimensional security APP security assessment scheme
(1) Comprehensive coverage and accurate positioning of security issues
Combining static and dynamic detection improves accuracy. Feature matching against the source code with comprehensive feature coverage effectively finds the mainstream security problems in mobile applications and accurately locates their source. The scheme monitors the application, gives early warning, helps avoid security problems, and provides specific examples of how to repair them.
(2) Code-level repair examples for convenient self-inspection and repair
The evaluation results for a mobile application include repair suggestions with code-level repair examples, giving developers a reference for fixing security vulnerabilities independently and quickly.
(3) Big-data scan statistics to track vulnerability trends
By expanding the hardware servers, the scheme can evaluate the security of a massive number of applications. The evaluation results can be analyzed with batch statistics to obtain the distribution and trend of vulnerabilities in mobile applications.
(4) Technical management of application version security
Automated technical means collect and analyze the security status of each version of the application, providing security management that runs automatically, can be displayed, and is traceable.
(5) No manual operation, saving manpower and time cost
The scheme is convenient and easy to use and needs no professional security technicians, which greatly reduces the cost of manpower and technical learning. Application security problems are detected quickly and evaluation results are available in time, so problems are found and repaired rapidly, saving time and cost.
(6) Protection of privacy
It can support private cloud and local independent deployment, completely isolate user application information and evaluation results, and protect the privacy and security of user data.
Today the Internet is everywhere, and mobile Internet is the technology people need most. In recent years mobile Internet has developed rapidly, and demand for mobile intelligent terminals keeps increasing. At the same time, it faces the problem of information security. This article examines mobile terminal technology in depth and analyzes weaknesses in identity authentication, code security and data storage, giving guidance to technicians.