2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this issue, the editor looks at the security problems that exist in mobile apps. The article is rich in content and analyses the topic from a professional point of view; I hope you gain something from reading it.
1 Background analysis
When the Internet age arrived, people felt that everything was being digitised. Today, everything is going mobile: people in the streets and alleys with heads bowed, swiping at their screens, have become a common sight. According to statistics from foreign authoritative organisations, smartphones account for 96% of total mobile phone sales in China, and the old feature phones have basically left the stage of history. A recent report by eMarketer, a US market research firm, puts smartphones at 96 per cent of mobile phone sales in China, compared with 96 per cent in the US according to data from Gartner, a leading market research firm. In other words, at the hardware level of the mobile Internet, China and the United States are already on the same level.
The popularity of smartphones has driven the rapid development of mobile apps. Today mobile apps cover everything from chat and messaging, food delivery, ticket booking, travel booking, shopping and news browsing to banking and wealth management, hospital registration and payment transactions; a person's daily activities can basically be completed on a phone. Because of this popularity, many software developers see the profit this market offers, and driven by that interest all kinds of apps appear endlessly, so the app market is a mixed bag. Apps built in a hurry have not been well secured, and in recent years incidents of personal information leaking through apps have been constant.
Analysis of big data gives the following statistics for the apps commonly used on mobile phones:
From the chart it is not hard to see that almost every phone has chat, video entertainment, shopping and similar apps installed. So how do these apps work on the phone, and what information do they quietly obtain from it?
2 Common security problems of mobile phone apps
With the development of technology, phones do far more than this: the era of big data has arrived, and the era of the Internet of Things in smart homes has followed. Here an Android app, i.e. an apk, is used for the analysis. Download any apk and change its suffix to tar, and you can view some of the files related to the apk.
AndroidManifest.xml is the entry file of an Android application. It mainly describes the components exposed by the installation package, the implementation of each class, the permissions the software requests, and so on. The AndroidManifest.xml file obtained here contains the following:
From the AndroidManifest.xml file we can see that the app currently obtains the following phone permissions:
The main permissions include reading phone status, making phone calls, reading contacts, modifying global system settings, creating Bluetooth connections, positioning, starting automatically at boot and other related rights. If the user installs the app with the default settings, this may lead to the disclosure of user-related information.
Anyone familiar with Android development knows that Android applications have four major components: Activity, Service, ContentProvider and BroadcastReceiver.
First, the activity component. Activities communicate through Intents and present a visual interface for user operations; an Android application must be started and run through an activity. Although applications are independent of each other, they can communicate with, call and access each other through the activity components of an app. The activity components of this app are as follows:
Analysis of the apk shows that the entry activity is com.meiyou.pregnancy.ui.welcome.WelcomeActivity, and the app calls other activity components at startup. When an activity component is exported, it can be called at will by a third-party app, which may lead to sensitive information disclosure and to risks such as authentication bypass, malicious code injection and page hijacking.
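As an added example (not part of the original article, and not code from the app analysed), the following script applies the manifest checks discussed above: it lists the sensitive permissions requested and every component a third-party app can reach, using Android's rule that a component without an explicit android:exported is exported when it declares an intent-filter. The manifest text, package name and class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article flags as worth checking before installing.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_SETTINGS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest; package and class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".ui.WelcomeActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ui.AccountActivity" android:exported="true"/>
    <activity android:name=".ui.SettingsActivity" android:exported="false"/>
    <service android:name=".sync.SyncService"/>
    <receiver android:name=".push.ProxyReceiver" android:exported="true"/>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(component):
    # Android's rule: an explicit android:exported wins; otherwise a component
    # that declares an <intent-filter> is exported by default (pre-API 31).
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return the sensitive permissions requested and every exported component."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    exported = [(tag, attr(c, "name"))
                for tag in ("activity", "service", "receiver", "provider")
                for c in root.iter(tag) if is_exported(c)]
    return {"sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
            "exported": exported}
```

Run `audit_manifest(SAMPLE_MANIFEST)` on the sample and the launcher activity is reported as exported even though it never sets android:exported, which is exactly how unintentionally reachable components arise.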
A BroadcastReceiver lets an application filter external events so that it receives and responds only to the events it needs. It has no user interface, but it can start an activity or service in response to the information received, enabling communication between different components or applications. When the app is started for the first time, the system automatically instantiates NotificationProxyBroadcastReceiver and registers it with the system. A dynamically registered broadcast receiver must be both registered and unregistered, otherwise it leads to a memory leak; repeated registration and repeated unregistration are not allowed.
Service is the background service. To use a service it must be declared in AndroidManifest.xml. The apk under test declares the following in AndroidManifest.xml:
A Service is independent of the activity component and performs operations in the background, for example when data needs to be fetched from the server at regular intervals.
Besides security vulnerabilities in the four major components, various web vulnerabilities also occur when the web API is called, such as SQL injection, XSS, ultra vires (privilege escalation) and unauthorized access. The screenshot shows the HTTP request packet of one app; testing found that the POST request contains an ultra vires access vulnerability: a parameter can be used to view other people's account information.
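To make the ultra vires flaw in the POST request concrete, here is an added example that is not code from the article or from the app it tested: an account lookup that trusts a client-supplied account id beside its hardened form, plus a log-side check that flags cross-account reads after the fact. Account ids, owners, session tokens and log lines are all constructed placeholders.

```python
# Constructed sample data; account ids, owners and tokens are placeholders.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 900},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user

def get_account_vulnerable(session_token, account_id):
    """The flaw the article describes: the caller is authenticated, but the
    account is chosen purely by a client-supplied parameter, so any logged-in
    user can read any account. Returns an (HTTP status, body) pair."""
    if session_token not in SESSIONS:
        return 401, None
    return 200, ACCOUNTS.get(account_id)  # no ownership check at all

def get_account_fixed(session_token, account_id):
    """Hardened handler: resolve the caller from the server-side session and
    serve the account only if it belongs to that user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    # One answer for "missing" and "not yours", so the response does not
    # reveal which account ids exist.
    if account is None or account["owner"] != user:
        return 403, None
    return 200, account

# Constructed access-log lines in a simple key=value format.
SAMPLE_LOG = [
    "user=alice account=1001 path=/api/account",
    "user=alice account=1002 path=/api/account",
    "user=bob account=1002 path=/api/account",
]

def detect_cross_account_access(log_lines):
    """Log-side check: flag requests whose session user is not the owner of
    the account they asked for, which is what a successful ultra vires read
    looks like in the access log."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        owner = ACCOUNTS.get(fields.get("account"), {}).get("owner")
        if owner is not None and owner != fields.get("user"):
            hits.append(line)
    return hits
```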
In short, apps may contain many loopholes, and there are many points worth attention, such as whether data is encrypted in transit, whether data is encrypted in local storage, whether the intents that start activity components are secure, and so on.
3 Safety recommendations
With so many apps, and ordinary users unable to carry out security testing on them, how can personal information be prevented from leaking through apps?
- First, download apps through official channels, so that the app installed is the original application and not one that has been modified and recompiled.
- If there is no special need, do not root the phone.
- When installing an app, look at the permissions it asks to open; permissions that are not necessary, such as positioning and reading phone contacts, can be turned off.
- Install suitable antivirus software on the phone, scan regularly, and clean up unused software and installation packages.
- Upgrade the relevant apps regularly to fix the bugs present in old versions.
The above is what the editor has to share about the security problems of apps. If you happen to have similar doubts, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.