Takeaway O2O App security analysis: the App vulnerability assessment platform technical details-vulnerability warning-the black bar safety net

ID MYHACK58:62201567214
Type myhack58
Reporter 佚名
Modified 2015-09-21T00:00:00


With the mobile Internet and the O2O wave, the food delivery market is gradually moving into the white-collar segment, and with the three BAT giants pouring money into cultivating the market, white-collar workers are changing their eating habits. Office-bound white-collar workers no longer go out to the shopping centres of the surrounding district to eat; on top of that, this summer has been relatively hot. Authoritative data analysis shows how big this market is: according to media disclosures, Meituan Waimai's performance in the first half of 2015 was 42.5 billion. If that is taken as a quarter of the market, the takeaway market is worth 200 billion RMB. No wonder BAT are fighting to seize this market; of course, analysing users' eating habits is another of their goals. Then look at the financing of Ele.me, the granddaddy of Chinese takeaway O2O: in August 2015 it held a 38.75% market share, with cumulative investment of about 10 million dollars. What concerns us, then, is how much of such a large investment actually goes into IT infrastructure and the construction of the service system, and once the business system is built, how much specifically goes into security. If IT infrastructure for building the business system accounts for more than 1% of the total investment, and security is 1% of that IT investment, then security amounts to a 10 million dollar investment. If you are a geek, however, you of course want to use a client-side weakness and Scrapy to crawl out how many orders there are each day and how much each order earns, store it in MongoDB, and write a Python script to report the maximum figures; with data in hand, everyone believes you. So how exactly does one do a security assessment of the business system's App? The following description focuses on that.
0×01, App assessment methodology
There are in fact many articles online about this; here I analyse from the perspective of someone doing a free assessment. First, only the Android App APK is analysed, because the Android system is more open, there are more emulators, and the business logic of the ipa and the APK is the same. Online assessment websites abound on the web, and the technologies behind their App vulnerability assessment platforms are nearly the same. After an Android app is uploaded, the first step is to determine whether it can be decompiled. If it can, more data can be analysed, including the Java source code. So how is it judged whether an app can be decompiled? There are many approaches, but static analysis is the most direct and effective: it mainly uses apktool, dex2jar, jd-gui, smali2dex and other static analysis tools to decompile the app, then runs static scanning on the decompiled Java files, XML files and other files. The flow chart is as follows: [flow chart figure]. Of course, if static decompilation fails, a dynamic analysis method is needed. Dynamic analysis monitors and analyses the behaviour of the software as it is installed and run. The detection approach uses a virtual machine: build a virtual execution environment almost identical to the operating environment of the software on an Android handset, run the mobile application in it in isolation, observe the execution process and dynamic behaviour of the application from outside, and thus record any malicious behaviour the application may exhibit. Finally, when analysing an online App in a virtual machine you may encounter advanced anti-debugging features such as emulator checks, root detection or IMEI-based identification; at that point manual analysis is required, that is, installing the App on a real Android phone and carrying out the security assessment there.
So here we take the Daojia Meishihui (到家美食会) App as the object of a security assessment:
(1) Whether it can be decompiled
The test method uses the Apktool-based open-source development and decompiling IDE tools Android Killer / ApkIDE. Android Killer is used here. [figure] From this figure it can be seen that the APK is decompiled into smali files for the Java virtual machine, which are then decompiled into Java class source code.
(2) Evaluation of built-in components and external third-party SDKs
Viewing the source code through a Java decompiler shows:
2.1 Built-in components:
com.alibaba.fastjson  Alibaba's open-source high-performance JSON package
com.android.volley  Volley, the official Android communication framework
com.nostra13.universalimageloader  open-source image loading library
com.sina.sso  Sina Weibo SSO login component
com.squareup.okhttp  efficient HTTP client
okio  open-source basic I/O library
Using open-source component packages improves development efficiency, but a security issue in an open-source component becomes a concern for the app; so far, however, the vulnerability databases list no security issues for the components above. This reminds me of last year's AFNetworking case, where the component could be exploited for man-in-the-middle attacks.
2.2 Third-party SDK components:
com.baidu.mapapi  Baidu Maps
com.baidu.android.pushservice  Baidu message push service
com.google.analytics  Google Analytics API, which lets us know how users interact with our application
com.tencent  access to Tencent OpenAPI authentication and other functions
com.umeng.analytics  application statistics and analysis
So for outsourced third-party components the main thing to search for is the APPKey and similar values, which may be exploited by attackers:
Umeng:
    <meta-data android:name="UMENG_APPKEY" android:value="528187ac56240bee3803bc39" />
    <meta-data android:name="UMENG_CHANNEL" android:value="daojiaweb" />
Baidu push: the push service key value, push messages and other information can be obtained, and by modifying the source code the developer's interests can be harmed.
    <service android:name="com.baidu.android.pushservice.CommandService" android:exported="true" />
    <meta-data android:name="api_key" android:value="2qoGQfsfg5CcB9cU9PXHNBGX" />
Baidu Maps:
    <meta-data android:name="com.baidu.lbsapi.API_KEY" android:value="jGY5Ft6EuDv9gKWT9dg51UOl" />
(3) Insecure data storage
3.1 SharedPreferences
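The manifest search described above (credential-like meta-data values and exported components) can be scripted against the AndroidManifest.xml that apktool decodes. The following is an added example, not code from the original article or from the assessed app; the manifest it scans is a constructed sample with placeholder values, and the name patterns are my own heuristics.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's qualified-attribute prefix

# Constructed sample (not the real app's manifest): a decoded
# AndroidManifest.xml with the kinds of entries the assessment flags.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <meta-data android:name="UMENG_APPKEY" android:value="0123456789abcdef0123456789abcdef" />
    <meta-data android:name="UMENG_CHANNEL" android:value="web" />
    <meta-data android:name="api_key" android:value="AbCdEfGhIjKlMnOpQrStUvWx" />
    <service android:name="com.example.push.CommandService" android:exported="true" />
    <service android:name="com.example.InternalService" android:exported="false" />
    <receiver android:name="com.example.Receiver" android:exported="true" android:permission="com.example.PERM" />
  </application>
</manifest>"""

# Heuristics (assumptions): a meta-data name mentioning a key/secret/token/appid,
# or a value that looks like an opaque 16+ character token.
KEY_NAME = re.compile(r"(key|secret|token|appid)", re.IGNORECASE)
KEY_VALUE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def find_embedded_keys(manifest_xml):
    """Return (name, value) pairs for <meta-data> entries that look like credentials."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for md in root.iter("meta-data"):
        name = md.get(A + "name", "")
        value = md.get(A + "value", "")
        if KEY_NAME.search(name) or KEY_VALUE.match(value):
            hits.append((name, value))
    return hits


def find_unprotected_exported(manifest_xml):
    """Return names of components exported without android:permission,
    i.e. reachable by any other app on the device."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if comp.get(A + "exported") == "true" and not comp.get(A + "permission"):
                hits.append(comp.get(A + "name"))
    return hits
```

Components that declare an intent-filter without an explicit android:exported are exported by default on older target SDK levels; this check only looks at explicit attributes, so review those separately.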
