Test items by category

1. Storage security
   Identify potential sensitive data stored by the application.
   Check the application's data folders for any sensitive data: tokens, usernames, passwords, e-mail addresses, keys, etc.
   For iOS, the application's files can be inspected with a third-party tool such as iMazing.

2. Storage security: Log security
   Identify potential sensitive data printed to the system log.
   Check for any sensitive data in the system log entries generated by the app.

3. Storage security: Sensitive data in keyboard cache
   Sensitive data such as usernames, passwords or keys logged in the keyboard cache can lead to information leakage.

4. Network communication: Network data encryption
   Identify whether any traffic is not securely encrypted before it is transmitted on the network. Make sure no plain HTTP traffic is found during testing.

5. Network communication: Endpoint identity verification
   Identify whether the application checks that the server certificate comes from a trusted source.

6. Platform: Sensitive data disclosed through the user interface
   Identify potential disclosure of sensitive data in the application UI.

7. Platform: Testing for app permissions
   The goal is to reduce the permissions used by the app to the absolute minimum.
   Check AndroidManifest.xml, or use MobSF.

8. Resilience: Check that the app is properly signed
   Check that the application was properly signed.
   On iOS, the Xcode codesign tool can be used.

9. Resilience: App debug
   Check whether the application is debuggable.
   A static analysis tool such as MobSF can be used.

10. Resilience: Debug symbols
   Check whether symbols can be found in the application content.
   For iOS, dSYM files are the most common type of symbol file needed when debugging.

11. Resilience: Jailbreak detection
   Check whether the application can run on a jailbroken device. Check whether a jailbreak exists for the OS versions the application targets (see "Jailbreak" on The Apple Wiki).

12. Storage security: allowBackup configuration security
   Check whether the allowBackup attribute in the AndroidManifest.xml file of the tested application is set to true, and whether the application data can be backed up through adb backup.
   Check the AndroidManifest.xml file, or use MobSF static analysis.

13. Authentication: Authentication failure lockout policy
   Test whether the client limits the number of incorrect password entries (including text passwords, gesture passwords, etc.) and whether it locks the account after too many failures.

14. Configuration: Android exported component security
   If an exported component does not enforce strict access control, other apps can access functions that are not protected by declared permissions by calling the interface of the exported component, which constitutes local privilege escalation.
   Check android:exported in AndroidManifest.xml.
