How to briefly discuss the security issues of APP

1 Background Analysis

When the Internet era came, people once lamented that everything was being digitized. Today, everything is mobile. In the streets and alleys, people were busy swiping their screens with their heads down. Data from foreign authoritative organizations show that Chinese smartphones have accounted for 96% of total mobile phone sales, and traditional feature phones have basically faded out of the stage of history. According to a recent report by eMarketer, an American market research company, data from Gartner, an authoritative market research organization, shows that in China, smartphones account for 96% of mobile phone sales, while the United States also accounts for 96%. In other words, at the hardware level of mobile Internet, China and the United States are already on the same level.

The popularity of smart phones has promoted the rapid development of mobile apps. Currently, mobile apps can range from communication and chatting, takeout booking, ticket booking, travel booking, shopping, news browsing, etc. to banking investment and financial management. , hospital registration, payment transactions, etc. A person's daily activities can basically be completed by relying on mobile phones. Because of the massive popularity of apps, many software developers have seen the benefits brought by this market. Driven by profits, various apps emerge one after another, and the app market is also a mixed bag. Since the security of instant apps cannot be fully guaranteed, personal information leakage incidents have occurred very frequently through apps in recent years.

Through big data analysis, a statistical table of the commonly used apps on mobile phones is as follows:

It is not difficult to see from the chart statistics that almost every Mobile phones are equipped with chat, video entertainment, shopping and other related apps. So how do these apps work on mobile phones? What information will be obtained from the mobile phone unknowingly?

2 Common security issues of mobile apps

With the development of technology, the functions of mobile phones are far more than these. The era of big data has arrived, and the era of smart home Internet of Things has also followed. , here we use Android app or apk for analysis. Download any apk and modify its suffix to tar to view some apk related files

##AndroidManifest.xml It is the entry file for Android applications. It mainly describes the components exposed in the installation package, the implementation of each class, and the relevant reading permissions of the software. Here are the details of the AndroidManifest.xml file that you can get here:

Through specific analysis of the AndroidManifest.xml file, you can know the current app The obtained mobile phone permissions are as follows:

The main permissions include allowing to read the phone status, allowing to make calls, allowing to read contacts, and allowing to modify the system global Settings, allowing creation of Bluetooth connections, allowing positioning, allowing automatic startup at boot, and other related permissions. If users select the default installation mode when using the application, their personal information may be exposed.

Anyone familiar with Android development knows that Android applications have four major components, namely Activity, Service, ContentProvider, and BroadcastReceiver.

Let’s talk about the activity component first. Communication between activity components is through Intent, which displays a visual interface for user operations. An Android application must be run and started through the activity component. Although Applications are independent of each other, they can communicate, call, access, etc. through the activity component in the app. The activity component of the app is as follows:

Pass Analysis of the apk shows that its entry activity component is com.meiyou.pregnancy.ui.welcome.WelcomeActivity. The app calls other activity components when it starts. When the activity component can be exported, it can be called arbitrarily by a third-party app. , the leakage of sensitive information may also be subject to risks such as authentication bypass, malicious code injection, and page hijacking.

BroadcastReceive allows the application to filter external events and only receive and respond to required events. It has no user interface, but it can start an activity. or service to respond to the received information, allowing communication between different components or different applications. When the app is started for the first time, the system will automatically instance NotificationProxyBroadcastReceiver and register it in the system. A logout operation is required when registering a dynamic broadcast, otherwise memory leaks may occur; repeated registration or logout is not allowed.

Service service is a background service. When using service service, it needs to be declared in AndroidManifest.xml. The apk for this test is declared as follows in AndroidManifest.xml,

Service is independent of the activity component and performs some operations in the background. For example, when you need to obtain data from the server regularly, you need to use service at this time.

In addition to the security vulnerabilities in the four major components, various web vulnerabilities will also appear when calling the web interface, such as sql injection vulnerabilities, xss vulnerabilities, override, unauthorized and other related vulnerabilities. The screenshot is from an app http request data packet, and through testing it was found that the post data packet contains a vulnerability of unauthorized access. You can use a certain parameter to view other people's account information without authorization.

In short, there are many places where app vulnerabilities may appear, and there are many places worthy of our attention, such as whether the data is encrypted during transmission and whether the data is stored locally. Whether it is encrypted, whether it is safe to start the activity component by intent, etc.

3 Security Suggestions

With so many apps, as ordinary users, it is still impossible for users to perform security checks on the apps. So how should we prevent personal information from being leaked due to the apps?

l First of all, it is recommended to download the app through regular channels to prevent the downloaded app from being modified and compiled and not the original application;

l If there are no special requirements, it is not recommended to root the phone;

When installing an application, please pay attention to its required open permissions and turn off unnecessary permissions, such as location information, reading mobile phone contacts, etc.

l can be installed on your phone Appropriate anti-virus software, regularly scan and clean up useless software, program packages, etc.;

l Regularly upgrade relevant apps to fix bugs in old versions.

The above is the detailed content of How to briefly discuss the security issues of APP. For more information, please follow other related articles on the PHP Chinese website!