Five security issues that are most easily overlooked by programmers in mobile APP

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report

1. Software permissions

1) Fee-deduction risk: permissions that can incur charges, such as sending SMS, placing phone calls, or connecting to the network.

2) Privacy-leak risk: permissions such as reading device information and contacts.

3) Check the app's input validation, authentication, authorization, sensitive-data storage, and data encryption.

4) Restrict / allow the app to access the Internet.

5) Restrict / allow the app to send and receive SMS.

6) Restrict / allow the app to register itself as an auto-start application.

7) Restrict / allow the use of local connections.

8) Restrict / allow the app to take pictures or record audio.

9) Restrict / allow the app to read user data.

10) Restrict / allow the app to write user data.

11) Check the app's user authorization levels, data leakage, and unauthorized access.

2. Installation and uninstallation security

1) The application installs correctly on the device.

2) The application's icon can be found on the device after installation.

3) Check whether the package carries digital signature information.

4) All managed attributes and their values in the JAD file and JAR package must be correct.

5) The data shown by the JAD file should match what the application itself displays.

6) The installation path should be selectable.

7) Without the user's permission, the application must not set itself to start automatically.

8) Whether uninstallation is safe and removes every file that was installed.

9) Whether the uninstaller prompts about files generated while the user was using the app.

10) Whether modified configuration information is restored.

11) Whether uninstallation affects the functionality of other software.

12) Uninstallation should remove all files.

3. Data security

1) When passwords or other sensitive data are entered into the application, they are not stored on the device, and passwords cannot be recovered (decoded).

2) Entered passwords are never displayed in clear text.

3) Passwords, credit card details, or other sensitive data are not kept in the field where they were entered.

4) The length of an individual * or password must be at least 4-8 digits, depending on the application.

5) When the application processes credit card details or other sensitive data, it does not write that data in clear text to other separate or temporary files.

6) Prevent the application from terminating abnormally without removing its temporary files; an intruder could otherwise read the data they contain.

7) When sensitive data is entered into the application, it is not stored on the device.

8) Backups should be encrypted, abnormal interruption of communication during recovery should be handled, and restored data should be verified before it is used.

9) The application should take into account user prompts or security alerts generated by the system or virtual machine.

10) Applications must not ignore user prompts or security warnings generated by the system or virtual machine, must not display misleading information before a security warning is shown, and must not simulate security warnings to mislead users.

11) Before data is deleted, the application should notify the user or offer a "cancel" command.

12) The "cancel" command works as designed.

13) The application should handle the case where it is not allowed to connect to personal information management data.

14) When reading or writing user information, the application reports errors to the user.

15) Without the user's express permission, nothing in the personal information management application is damaged.

16) The application reads and writes data correctly.

17) The application should have exception protection.

18) If important data in the database is about to be overwritten, the user should be informed in time.

19) Errors are handled reasonably.

20) The user is prompted under unexpected circumstances.
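Item 8 above asks that a backup be encrypted, that an interrupted recovery be handled, and that restored data be verified before use. The following added example (not code from the original article or from the Love Internal Test platform) shows the verification half of that: a backup container with a length header and an HMAC-SHA256 tag, so that a truncated, padded, or modified backup is rejected before a single byte is restored. The container format (`BKP1`), the salt, and the payload are constructed for this example; the payload is assumed to already be ciphertext from an AEAD such as AES-GCM, whose encryption step is not shown.

```python
import hashlib
import hmac
import struct

MAGIC = b"BKP1"              # constructed format marker for this example
HEADER_LEN = len(MAGIC) + 8  # magic + 64-bit big-endian payload length
TAG_LEN = 32                 # HMAC-SHA256 digest size


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte backup key from the user's passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def seal_backup(key: bytes, payload: bytes) -> bytes:
    """Wrap a backup payload with a length header and an integrity tag.
    `payload` is assumed to be ciphertext already (encryption not shown here).
    The tag covers header + payload, so truncation, padding, or modification
    is detectable on restore."""
    header = MAGIC + struct.pack(">Q", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_backup(key: bytes, blob: bytes) -> bytes:
    """Verify and unwrap a sealed backup. Raises ValueError on any defect."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("backup truncated: header or tag missing")
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a recognised backup file")
    (length,) = struct.unpack(">Q", blob[len(MAGIC):HEADER_LEN])
    expected = HEADER_LEN + length + TAG_LEN
    if len(blob) != expected:  # interrupted transfer or appended garbage
        raise ValueError(f"backup truncated or padded: expected {expected} bytes, got {len(blob)}")
    body, tag = blob[:HEADER_LEN + length], blob[HEADER_LEN + length:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("backup integrity check failed")
    return body[HEADER_LEN:]


def restore(key: bytes, blob: bytes):
    """Restore entry point: returns ('ok', payload) or ('rejected', reason).
    On rejection the app keeps its existing data and tells the user why."""
    try:
        return ("ok", open_backup(key, blob))
    except ValueError as exc:
        return ("rejected", str(exc))
```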

4. Communication security

1) While the software is running, if an incoming call, SMS, EMS, MMS, Bluetooth, infrared or other communication arrives, or the device starts charging, can the program be suspended, priority given to the communication, and the software restored normally afterwards to continue its original function?

2) When a connection is created, the application can handle the network connection breaking and tells the user that the connection is broken.

3) The application should be able to handle communication delays or interruptions.

4) The application keeps working until the communication times out, then sends the user an error message indicating a connection error.

5) The application should be able to handle network exceptions and notify the user of them in a timely manner.

6) The application should disconnect promptly when it is closed or the network connection is no longer in use.

7) HTTP and HTTPS coverage testing:

-- Apps and backend services generally interact over HTTP; verify that the app behaves normally in an HTTP environment.

-- On a public free network (such as McDonald's, Starbucks, etc.), the user must enter a username and password through SSL authentication before gaining network access; the exceptions raised by the HTTP client library in this situation need to be caught.
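Items 2 through 5 of this section all come down to one behaviour: the app waits for a bounded time, then turns whatever went wrong on the wire into a clear message for the user instead of hanging or crashing. The added example below (not code from the original article) shows that with a plain TCP client that distinguishes a refused connection, a timeout, and a peer that closes without replying; the three local test servers, the `PING`/`PONG` exchange, and the message wording are constructed for this example.

```python
import socket
import threading
import time


def fetch_with_timeout(host: str, port: int, timeout: float = 2.0):
    """Send one request and wait at most `timeout` seconds for a reply.
    Returns (status, user_message); status is one of
    'ok', 'refused', 'timeout', 'disconnected', 'error'."""
    try:
        # create_connection applies the timeout to connect() and to later I/O
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            data = s.recv(1024)
    except ConnectionRefusedError:
        return ("refused", "Could not reach the server. Check your network and try again.")
    except socket.timeout:
        return ("timeout", "The server did not respond in time. Please try again later.")
    except OSError as exc:  # DNS failure, reset, unreachable network, etc.
        return ("error", f"Network error: {exc.strerror or exc}")
    if not data:  # peer closed the connection before answering
        return ("disconnected", "The connection was closed before a reply arrived.")
    return ("ok", data.decode(errors="replace").strip())


def start_server(mode: str, hold: float = 5.0) -> int:
    """Constructed local server for the three failure modes; returns its port.
    'reply'  - answers PONG; 'silent' - accepts then stays quiet for `hold` s;
    'drop'   - reads the request and closes without answering."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if mode == "reply":
                conn.recv(1024)
                conn.sendall(b"PONG\n")
            elif mode == "silent":
                time.sleep(hold)
            else:  # drop
                conn.recv(1024)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```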

5. Human-machine interface security

1) The back menu always remains available.

2) Commands have a defined priority order.

3) Sound settings do not affect the application's functionality.

4) The application must display its content using the full screen size of the target device.

5) The application must be able to handle unpredictable user actions, such as incorrect input and pressing multiple keys at the same time.

Thanks to the mobile app security testing platform Love Internal Test (www.detect.cn) for sharing this experience and knowledge.
