Tencent Cloud's security assessment for apps builds on Tencent's years of experience in anti-attack and anti-penetration technologies to assess apps comprehensively while keeping app assessment data secure.
Source code security
An app's source code is checked thoroughly for decompilation and cracking risks, so that a source code leak does not expose core business logic.
Once released, an app runs in complex and diverse environments, where attackers can use simulation, dynamic injection, dynamic debugging, memory reading and various known and unknown vulnerabilities to attack it. The app's own anti-attack capabilities are therefore crucial, and eliminating excessive source code risks and potential vulnerabilities is an important guarantee of app security.
Comprehensive security detection covers how an app processes and stores various data, as well as residual non-compliant information. It includes security assessment of 18 items such as password storage in plaintext, insecure use of encryption methods, database injection vulnerabilities and digital certificates in plaintext.
Comprehensive automated risk detection and vulnerability analysis is conducted on the network communication between the app client and server, in aspects such as sensitive data transmission, server authentication and certificate verification.
Security assessment and analysis covers the interface interaction process of an app, where risks such as screen hijacking, input listening and fragment injection vulnerabilities may exist. This helps avoid sensitive information leakage due to malicious behaviors.
An app requires authentication in many cases, including account, server and app signature authentication, as well as collaborative authentication in various payment and transfer scenarios. At each of these authentication steps, the app is checked for risks such as certificate storage in plaintext and certificate verification vulnerabilities.
Malicious code scanning
A comprehensive malicious code scan is performed on an app to ensure that no malicious code is present from the development, packaging and SDK integration phases, and that there are no threats such as backdoors and trojans if development of the app is outsourced.
Custom sensitive word detection
An app can be screened for sensitive words relating to sensitive information and legal compliance, which helps avoid risks to the app, or even the brand, caused by residual information left in the app intentionally or unintentionally.