Mobile application testing (6) - App Testing Technology (4)
2022-06-09 19:23:00 【weixin_ forty-three million eight hundred and two thousand five】
App special tests: security testing
• Whether the installation package can be decompiled
After a mobile application is published, the end user receives an installation package. What we need to pay attention to is whether a user can recover the project's source code from that package. Why care about source code leakage? Apart from protecting the company's intellectual property, there are security considerations: once the source code leaks, the security risk is high.
To deal with decompilation, developers usually obfuscate the code, so that the source produced by decompilers is hard to understand. The usual way for testers to decompile is to use the dex2jar and jd-gui tools to view the source code.
• Whether the installation package is signed
On iOS this point may not need to be considered, because every iOS App is signed with a formal release certificate, and when it is released to the App Store, the App Store verifies it, ensuring the App was released by a legitimate developer. For Android, because of the many release channels, there is no such authoritative check, so before publishing we need to verify that the signing key is correct, to prevent problems such as the app being overwritten by a malicious third-party application.
• Check permission settings
Some users are very sensitive to privacy on their phones, so we need to check whether the App really needs each permission it requests, for example access to the address book or call recording. Permissions that are not necessary should generally be removed by development.
• Sensitive information testing
(1) Whether the database stores sensitive information. Most mobile Apps today use a database. If sensitive information is stored in it, then once someone else gets hold of the user's phone, the user's privacy may be disclosed. In particular, some applications store cookie-type data in the database; once that data is obtained by others, it may cause serious problems such as account theft. As a tester you therefore need to understand the meaning of each database field, evaluate the possible security problems, and may suggest that development set a reasonable expiration time for cookie-type data.
(2) Whether there is sensitive information in the log. In general, developers add logging during development to help debugging, but some logs may write out sensitive information. As a tester you should therefore check, before the software is launched, that such logging has been removed from the product, to protect the user's important information.
(3) Whether there is sensitive information in the configuration file. As with logs, we need to check whether the configuration file contains sensitive information.
(4) Soft keyboard hijacking. If the user has installed a third-party soft keyboard, sensitive information entered through it may be intercepted by that keyboard; if the keyboard contains malicious code, user data may leak and cause losses to users. For this reason, in particularly sensitive input fields, such as the user name and password fields of a finance App, the tester has to check that input is done with the application's own soft keyboard.
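A check for items (2) and (3), written as an added example in Python rather than code from the original article: it scans captured log lines and a preferences-style config for sensitive keys that still carry a value, and shows the redacted form safe logging should produce. The sample logcat and config text are constructed here, and the list of sensitive key names is an assumption a tester would adapt to their own App.

```python
import re

# Constructed sample logcat output, standing in for what a tester pulls from
# a test device with adb logcat before release.
SAMPLE_LOGCAT = """\
D/LoginActivity: login start user=alice
D/LoginActivity: password=Sup3rSecret!
I/NetClient: POST /api/login status=200
D/NetClient: Set-Cookie: session=abc123def456; Path=/
"""

# Constructed SharedPreferences-style XML, standing in for a config file
# pulled from the app's private data directory.
SAMPLE_CONFIG = """\
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.payload.sig</string>
    <boolean name="dark_mode" value="true" />
</map>
"""

# Key names that should never appear next to a value in logs or on-disk config (assumed list).
SENSITIVE = "password|passwd|pwd|token|secret|cookie|session"

_PATTERNS = [
    # key=value or key: value, where the key contains a sensitive word
    re.compile(r"(?P<key>\w*(?:%s)\w*)\s*[=:]\s*(?P<value>[^;\s]+)" % SENSITIVE, re.I),
    # <string name="key">value</string> entries in a preferences XML
    re.compile(r'name="(?P<key>[^"]*(?:%s)[^"]*)">(?P<value>[^<]+)<' % SENSITIVE, re.I),
]

def find_sensitive(text):
    """Return (line_no, key, value) for each sensitive key that carries a value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for pat in _PATTERNS:
            hits.extend((n, m.group("key"), m.group("value")) for m in pat.finditer(line))
    return hits

def redact(text):
    """Replace every flagged value with [REDACTED], which is what safe logging should emit."""
    for pat in _PATTERNS:
        text = pat.sub(lambda m: m.group(0).replace(m.group("value"), "[REDACTED]"), text)
    return text

if __name__ == "__main__":
    for name, blob in (("logcat", SAMPLE_LOGCAT), ("config", SAMPLE_CONFIG)):
        for n, key, value in find_sensitive(blob):
            print(f"{name} line {n}: {key} -> {value!r}")
```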
• Account security test
(1) Whether the password is stored in clear text in the back-end database
(2) Whether the password field in the UI uses hidden text input
(3) Account lockout policy: whether the account is temporarily locked after many incorrect password entries
(4) Whether concurrent sessions are restricted: for example, an account may only be logged in on one device, and when it logs in elsewhere the user is prompted “ Your account is logged in at another location ”
(5) Logout mechanism: after the user logs out, ensure that no interface call requiring user authentication can succeed.
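The server-side behaviour behind items (1), (3), (4) and (5), as an added Python example that is not from the original article: passwords are stored only as salted PBKDF2 hashes, repeated failures lock the account, a second login displaces the first device's token, and logout invalidates the token for every protected call. The lockout threshold and the status strings are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # temporary lock after this many consecutive wrong passwords (assumed policy)

class AuthService:
    """In-memory model of the server-side checks a tester expects behind the login API."""
    def __init__(self):
        self._users = {}      # username -> (salt, PBKDF2 hash); never the clear-text password
        self._failures = {}   # username -> consecutive failed logins
        self._sessions = {}   # live token -> username
        self._active = {}     # username -> the single currently valid token
        self._displaced = set()  # tokens pushed out by a login from another device

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return (status, token); status is 'ok', 'locked' or 'bad_credentials'."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked", None                       # item (3): temporary lock
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(self._hash(password, rec[0]), rec[1]):
            self._failures[username] = self._failures.get(username, 0) + 1
            return "bad_credentials", None
        self._failures[username] = 0
        old = self._active.pop(username, None)          # item (4): one device at a time
        if old is not None:
            self._sessions.pop(old, None)
            self._displaced.add(old)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self._active[username] = token
        return "ok", token

    def logout(self, token):
        """Item (5): after logout the token must not authenticate anything."""
        user = self._sessions.pop(token, None)
        if user is not None:
            self._active.pop(user, None)

    def call_protected(self, token):
        """An authenticated API call; the first device learns it was logged in elsewhere."""
        if token in self._displaced:
            return "other_location", None
        user = self._sessions.get(token)
        return ("ok", user) if user else ("unauthorized", None)
```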
• Data communication security test
(1) Whether key data, for example passwords, is encrypted
(2) Whether critical connections use secure communication, for example HTTPS
(3) Whether the validity of the digital certificate is verified
(4) Whether the interface adds a verification-code mechanism
• Server interface security test
(1) SQL injection
The steps of a SQL injection:
a) Look for an injection point (such as a login screen or a message board)
b) The user constructs their own SQL fragment (such as 'or 1=1#, explained later)
c) The SQL statement is submitted to the database management system (DBMS)
d) The DBMS receives the request, interprets it into machine instructions and performs the required access operations
e) The DBMS accepts the returned result, processes it and returns it to the user
(2) XSS (cross-site scripting)
(3) CSRF (cross-site request forgery)
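The SQL injection steps above, worked through in Python against an in-memory SQLite table as an added example that is not from the original article: the vulnerable login splices the input into the SQL text (step b), while the fixed version passes it as a parameter. The user table is constructed here, and because SQLite comments with -- rather than MySQL's #, the page's 'or 1=1# payload is written in its SQLite form.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the App's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Step b) in practice: the input is spliced into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))

def login_safe(conn, name, password):
    """The fix: a parameterised query, so the DBMS treats the input purely as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))

# The page's payload is 'or 1=1# where # is MySQL's comment marker; SQLite uses --,
# so this is the same idea written for SQLite.
PAYLOAD = "' or 1=1 --"

def injection_check(conn):
    """What a tester records: rows returned by each implementation for the same inputs."""
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "payload_safe": login_safe(conn, PAYLOAD, "anything"),
    }

if __name__ == "__main__":
    for check, rows in injection_check(make_db()).items():
        print(check, rows)
```

With the payload, the vulnerable query's WHERE clause collapses to name = '' or 1=1 and the rest of the statement is commented out, so every user row comes back; the parameterised query returns nothing.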
App special tests: interruption testing
While the user is using the App on their phone, interruptions occur, for example receiving a phone call while browsing a page. If the code is not well written, this causes abnormal behaviour in the App, so when testing we should cover the various scenarios:
(1) Receiving a phone call
(2) Receiving a text message
(3) Receiving a notification bar message
(4) The low battery prompt box pops up
(5) A prompt box from third-party security software pops up
(6) Too little free storage space
(7) No SD card present
(8) Flight mode
(9) The battery runs out
(10) Loss of signal
The above scenarios should be tested against the corresponding App functions, so as to ensure software quality.
Android Application life cycle

App special tests: performance testing
The performance of the App client itself is a very important aspect of the user experience. It covers many things, for example CPU and memory usage. Although users cannot directly perceive these, as testers we still need to focus on performance, because problems such as memory leaks will, in mild cases, degrade the App's performance and, in serious cases, trigger a memory warning and crash the program.
App performance concerns:
Memory leaks, startup time, user response, graphics and animation, file and network I/O, etc. (tools: Tencent GT, NetEase Emmagee)
App special tests: grayscale testing
Grayscale testing means that when software is about to launch a new function, or undergo a major revision, it is first tried out on a small scale and then rolled out gradually, until the new function covers all users of the system. In other words there is a gray zone between the black and white of the new function going live, which is why the method is called grayscale testing. It is similar to what we usually call an internal test.
Grayscale testing first takes one's own product and gives it to part of the target population to use; through their usage results and feedback the product's shortcomings are corrected, gaps are checked and filled, and the product's functions and quality are improved. Contacting users early in this way lays a foundation for the product's later official release.
Definition: grayscale testing is, before a product or application is officially released, choosing a specific group of people to try it and gradually expanding the number of trial users, in order to find and correct problems in time.
Grayscale period: the period from the beginning to the end of a grayscale test is called the grayscale period.
( To be continued …)