mobile-app-security-testing


Mobile Application Security Testing

Overview

Mobile application security testing is a critical step in ensuring the security of mobile applications. This skill provides methods, tools, and best practices for mobile application security testing, covering both the Android and iOS platforms.

Testing Scope

1. Application Security

Check Items:
  • Code Obfuscation
  • Decompilation Protection
  • Debugging Protection
  • Certificate Pinning

2. Data Security

Check Items:
  • Data Encryption
  • Key Management
  • Sensitive Data Storage
  • Data Transmission

3. Authentication & Authorization

Check Items:
  • Authentication Mechanisms
  • Token Management
  • Biometric Authentication
  • Session Management

4. Communication Security

Check Items:
  • TLS/SSL Configuration
  • Certificate Validation
  • API Security
  • Man-in-the-Middle Attack Protection

Android Security Testing

Static Analysis

**Using APKTool:**
```bash
# Decompile the APK (output goes to ./app by default)
apktool d app.apk

# Inspect AndroidManifest.xml (permissions, components, debuggable flag)
cat app/AndroidManifest.xml

# List the Smali code
find app/smali -name "*.smali"
```

**Using Jadx:**
```bash
# Decompile the APK to Java sources
jadx -d output app.apk

# List the Java sources
find output -name "*.java"
```

**Using MobSF:**
```bash
# Start MobSF
docker run -it -p 8000:8000 opensecurity/mobsf

# Then upload the APK in the web UI for analysis
```

Dynamic Analysis

**Using Frida:**
```javascript
// Hook a method
Java.perform(function() {
    var MainActivity = Java.use("com.example.MainActivity");
    MainActivity.onCreate.implementation = function(savedInstanceState) {
        console.log("[*] onCreate called");
        // Call the original implementation so the app keeps working
        this.onCreate(savedInstanceState);
    };
});
```

**Using Objection:**
```bash
# Start Objection against the target package
objection -g com.example.app explore

# Hook a method (typed at the objection prompt, not in the shell)
android hooking watch class_method com.example.MainActivity.onCreate
```

**Using Burp Suite:**
  • Configure the proxy listener
  • Point the Android proxy settings at Burp Suite
  • Install the Burp certificate on the device

Common Vulnerabilities

**Hardcoded Keys:**
```java
// Insecure code
String apiKey = "1234567890abcdef";
String password = "admin123";
```

**Insecure Storage:**
```java
// Sensitive data stored in SharedPreferences, readable by every app
SharedPreferences prefs = getSharedPreferences("data", MODE_WORLD_READABLE);
prefs.edit().putString("password", password).apply();
```

**Certificate Validation Bypass:**
```java
// No certificate validation: every server certificate is accepted
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() { return null; }
        public void checkClientTrusted(X509Certificate[] certs, String authType) { }
        public void checkServerTrusted(X509Certificate[] certs, String authType) { }
    }
};
```

iOS Security Testing

Static Analysis

**Using class-dump:**
```bash
# An .ipa is a zip archive; unpack it and dump the Objective-C headers
# from the app bundle inside Payload/ (class-dump reads the Mach-O binary)
unzip -q app.ipa -d app
class-dump -H -o app/headers app/Payload/*.app

# Inspect the headers
find app -name "*.h"
```

**Using Hopper:**
  • Open the app binary in Hopper
  • Disassemble and analyze the assembly code

**Using otool:**
```bash
# Show Mach-O information and linked libraries
otool -L app

# Search strings for secrets (-E so that | is treated as alternation)
strings app | grep -iE "password|key|secret"
```

Dynamic Analysis

**Using Frida:**
```javascript
// Hook an Objective-C method
var className = ObjC.classes.ViewController;
var method = className['- login:password:'];
Interceptor.attach(method.implementation, {
    onEnter: function(args) {
        // args[0] is self and args[1] the selector; method arguments start at args[2]
        console.log("[*] Login called");
        console.log("Username: " + ObjC.Object(args[2]).toString());
        console.log("Password: " + ObjC.Object(args[3]).toString());
    }
});
```

**Using Cycript:**
```bash
# Attach to the process
cycript -p app

# Run commands at the cycript prompt
[UIApplication sharedApplication]
```

Common Vulnerabilities

**Hardcoded Keys:**
```objectivec
// Insecure code
NSString *apiKey = @"1234567890abcdef";
NSString *password = @"admin123";
```

**Insecure Storage:**
```objectivec
// Stored in NSUserDefaults (a plain plist) instead of the Keychain
NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
[defaults setObject:password forKey:@"password"];
```

**Certificate Validation Bypass:**
```objectivec
// No certificate validation: the server trust is accepted without being evaluated
- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
          forAuthenticationChallenge:challenge];
}
```
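The snippets above, together with their Android counterparts in the Android "Common Vulnerabilities" section, are the patterns a static pass over Jadx or class-dump output should surface. The following is an added example and not code from the original page: a small rule-based scanner that walks a decompiled tree (for instance the `output/` directory produced by `jadx -d output app.apk`) and flags those patterns. The rule ids, the `scan_*` function names and the sample files (built from the page's own snippets, with constructed paths) are this example's own.

```python
"""Rule-based static checks over decompiled mobile app sources (added example)."""
import os
import re
from dataclasses import dataclass

SOURCE_EXTENSIONS = (".java", ".kt", ".m", ".h", ".swift", ".xml")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    text: str


# Line rules: (rule id, severity, file extensions, regex applied to each line).
LINE_RULES = [
    # A string literal assigned to a secret-looking name (Java/Kotlin and ObjC @"..." literals)
    ("hardcoded-secret", "high", (".java", ".kt", ".m", ".swift"),
     re.compile(r'(?i)\b(api_?key|password|passwd|secret|token)\b\s*=\s*@?"[^"]{4,}"')),
    # SharedPreferences opened world-readable or world-writable
    ("world-readable-prefs", "high", (".java", ".kt"),
     re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b")),
    # A sensitive key written via setObject:forKey: (NSUserDefaults is an unencrypted plist)
    ("userdefaults-sensitive", "medium", (".m", ".swift"),
     re.compile(r'setObject:.*forKey:\s*@"[^"]*(?i:password|token|secret)[^"]*"')),
    # Server trust wrapped in a credential without being evaluated first
    ("trust-all-servertrust", "high", (".m", ".swift"),
     re.compile(r"credentialForTrust:\s*\w+\.protectionSpace\.serverTrust")),
    # Debuggable build shipped in the manifest
    ("debuggable-manifest", "medium", (".xml",),
     re.compile(r'android:debuggable\s*=\s*"true"')),
]

# File rules: regex applied to the whole file because the pattern may span lines.
FILE_RULES = [
    # checkServerTrusted with an empty body accepts every certificate
    ("trust-all-manager", "high", (".java", ".kt"),
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
]


def scan_text(path, text):
    """Apply every rule whose extension filter matches `path` to `text`."""
    ext = os.path.splitext(path)[1].lower()
    findings = []
    for rule, severity, exts, rx in LINE_RULES:
        if ext in exts:
            for n, line in enumerate(text.splitlines(), 1):
                if rx.search(line):
                    findings.append(Finding(rule, severity, path, n, line.strip()))
    for rule, severity, exts, rx in FILE_RULES:
        if ext in exts:
            for m in rx.finditer(text):
                n = text.count("\n", 0, m.start()) + 1  # line of the match start
                findings.append(Finding(rule, severity, path, n, m.group(0).splitlines()[0].strip()))
    return findings


def scan_files(files):
    """Scan an in-memory {path: content} tree; findings are ordered by path and line."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule))


def scan_directory(root):
    """Scan a real decompiled tree on disk, e.g. the output of `jadx -d output app.apk`."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SOURCE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
    return scan_files(files)


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample tree built from the page's own vulnerable snippets; paths are made up.
SAMPLE_TREE = {
    "output/sources/com/example/Config.java":
        'String apiKey = "1234567890abcdef";\nString password = "admin123";\n',
    "output/sources/com/example/Store.java":
        'SharedPreferences prefs = getSharedPreferences("data", MODE_WORLD_READABLE);\n'
        'prefs.edit().putString("password", password).apply();\n',
    "output/sources/com/example/Net.java":
        "TrustManager[] trustAllCerts = new TrustManager[] {\n    new X509TrustManager() {\n"
        "        public X509Certificate[] getAcceptedIssuers() { return null; }\n"
        "        public void checkClientTrusted(X509Certificate[] certs, String authType) { }\n"
        "        public void checkServerTrusted(X509Certificate[] certs, String authType) { }\n    }\n};\n",
    "output/resources/AndroidManifest.xml":
        '<application android:debuggable="true" android:allowBackup="true">\n',
    "Payload/App.app/LoginViewController.m":
        'NSString *apiKey = @"1234567890abcdef";\n[defaults setObject:password forKey:@"password"];\n'
        "[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]\n",
    "output/sources/com/example/Clean.java": 'String greeting = "hello";\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_TREE):
        print(f"{f.severity:6} {f.rule:24} {f.path}:{f.line}  {f.text}")
    print(summarize(scan_files(SAMPLE_TREE)))
```

Run it on a real tree with `scan_directory("output")` after decompiling. Each rule is deliberately narrow so that a hit is worth reading by hand; a clean result from these regexes says nothing about patterns they do not know, so treat the scanner as a triage aid on top of MobSF or manual review rather than a replacement for it.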

Tool Usage

MobSF

```bash
# Start MobSF
docker run -it -p 8000:8000 opensecurity/mobsf

# Upload the app for analysis; both Android and iOS are supported
```

Frida

```bash
# Install Frida
pip install frida-tools

# Run a script: -U selects the USB device, -f spawns the package, -l loads the script
frida -U -f com.example.app -l script.js
```

Objection

```bash
# Install Objection
pip install objection

# Start Objection against the target package
objection -g com.example.app explore
```

Burp Suite

Proxy Configuration:
  1. Configure Burp Suite listener
  2. Set up proxy on mobile device
  3. Install Burp certificate
  4. Intercept and analyze traffic

Testing Checklist

Application Security

  • Code Obfuscation Check
  • Decompilation Protection
  • Debugging Protection
  • Certificate Pinning

Data Security

  • Data Encryption Check
  • Key Management
  • Sensitive Data Storage
  • Data Transmission Security

Authentication & Authorization

  • Authentication Mechanism Testing
  • Token Management
  • Session Management
  • Biometric Authentication

Communication Security

  • TLS/SSL Configuration
  • Certificate Validation
  • API Security Testing
  • Man-in-the-Middle Attack Protection

Common Security Issues

1. Hardcoded Keys

Problem:
  • Hardcoded API keys
  • Hardcoded passwords
  • Hardcoded encryption keys
Fix:
  • Use key management services
  • Use environment variables
  • Use secure storage

2. Insecure Storage

Problem:
  • Storing sensitive data in plaintext
  • Using insecure storage methods
  • Unencrypted data
Fix:
  • Use encrypted storage
  • Use Keychain/Keystore
  • Implement data encryption

3. Certificate Validation Bypass

Problem:
  • No SSL certificate validation
  • Accepting self-signed certificates
  • No certificate pinning implemented
Fix:
  • Implement certificate pinning
  • Validate certificate chain
  • Use system certificate store

4. Debug Information Leakage

Problem:
  • Logs contain sensitive information
  • Error information leakage
  • Debug mode not disabled
Fix:
  • Remove debugging code
  • Restrict log output
  • Disable debug mode in production
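"Logs contain sensitive information" is easiest to verify from the device side: capture `logcat` output while exercising the app and scan it for credentials, tokens and card data. The following is an added example, not code from the original page: a parser for logcat's `threadtime` format plus a few leak detectors, including a Luhn check so that long order ids are not mistaken for card numbers. The log lines, tags and values are constructed for this example.

```python
"""Detect sensitive data leaking into application logs (added example)."""
import re
from dataclasses import dataclass

# logcat "threadtime" format: date time pid tid level tag: message
LOGCAT = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Leak:
    line: int
    tag: str
    level: str
    kind: str
    redacted: str  # the message with the leaked value masked, safe to put in a report


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (kind, regex applied to the message, optional validator for the matched text)
RULES = [
    ("credential", re.compile(r"(?i)\b(?:password|passwd|pwd|pin|secret)\s*[=:]\s*\S+"), None),
    ("bearer-token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"), None),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), None),
    ("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
]


def parse_line(raw):
    """Return the fields of one logcat line, or None if it is not in threadtime format."""
    m = LOGCAT.match(raw)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one Leak per sensitive value found in the messages of `text`."""
    leaks = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:  # unparseable line: skip rather than abort the scan
            continue
        msg = rec["msg"]
        for kind, rx, validate in RULES:
            for m in rx.finditer(msg):
                if validate is not None and not validate(m.group(0)):
                    continue
                masked = msg[:m.start()] + "[REDACTED]" + msg[m.end():]
                leaks.append(Leak(n, rec["tag"].strip(), rec["level"], kind, masked))
    return leaks


# Constructed sample capture; none of these values are real.
SAMPLE_LOG = "\n".join([
    "03-17 10:21:05.123  1234  1234 D LoginActivity: login ok user=alice password=hunter2",
    "03-17 10:21:05.201  1234  1250 I ApiClient: GET /v1/me Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123DEF",
    "03-17 10:21:06.010  1234  1250 D Checkout: charging card 4111 1111 1111 1111 exp 12/29",
    "03-17 10:21:06.011  1234  1250 D Checkout: orderId=1234567890123456 status=created",
    "03-17 10:21:07.000  1234  1234 W Network: request timed out after 30000 ms",
    "not a logcat line",
])

if __name__ == "__main__":
    for leak in scan_log(SAMPLE_LOG):
        print(f"line {leak.line} [{leak.level}/{leak.tag}] {leak.kind}: {leak.redacted}")
```

Feed it a real capture with `adb logcat -v threadtime` redirected to a file; every hit points at a log statement that must be removed or restricted before a production build, and the redacted form is what goes into the finding.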

Best Practices

1. Code Security

  • Implement code obfuscation
  • Disable debugging features
  • Implement anti-debugging protection
  • Use certificate pinning

2. Data Security

  • Encrypt sensitive data
  • Use secure storage
  • Implement key management
  • Restrict data access

3. Communication Security

  • Use TLS/SSL
  • Implement certificate pinning
  • Validate server certificates
  • Use secure APIs

4. Authentication Security

  • Implement strong authentication
  • Secure token management
  • Implement session management
  • Use biometric authentication

Notes

  • Only conduct testing in authorized environments
  • Comply with laws and regulations
  • Note differences between platforms
  • Protect user privacy