Specific embodiment
In the following description, specific details such as particular system structures and techniques are set forth for the purpose of illustration rather than limitation, so that the embodiments of the present invention can be thoroughly understood. It will be clear to those skilled in the art, however, that the present invention may also be implemented in other embodiments that lack these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the invention.
In order to illustrate the technical solutions according to the invention, specific embodiments are described below.
Fig. 1 shows the implementation flow of the mobile application test method provided in an embodiment of the present invention. The method comprises steps S101 to S105, whose implementation principles are as follows:
S101: run an application installation package in a system simulator and install the application to be tested in the system simulator.
In the embodiment of the present invention, the system simulator may be an Android simulator, an iOS simulator or a simulator of any other mobile terminal operating system. The system simulator simulates the operating system of a mobile terminal and amounts to a virtual mobile terminal desktop, so that the user can perform in it the same operations that can be performed in the mobile terminal operating system.
For a preset system simulator, the received application installation package is imported into the simulator; when a selection instruction issued by the user for the installation package is detected, the installation package is run, yielding the application to be tested installed in the system simulator. The application to be tested is the mobile application on which the developer needs to perform security vulnerability handling. The installation package is obtained by upload from a client connected in advance, or may have been saved by the user in advance on the local terminal that hosts the Android simulator.
S102: according to a remote desktop connection request issued by a client, enable the system simulator to establish a communication connection with the client.
The remote desktop function is started by a plug-in based on the SPICE protocol, so that a remote desktop connection service is provided externally.
In the embodiment of the present invention, when a remote desktop connection request issued by the client is received, legitimacy verification is performed on the user account information of the client. If the verification passes, the request is responded to and a communication connection is established with the client; if it does not pass, establishing a communication connection with that client is refused.
S103: obtain the test instruction issued by the client for the application to be tested, and trigger the manipulation event corresponding to the test instruction.
In the embodiment of the present invention, the client runs on a user terminal. After the communication connection with the client is established, a remote desktop containing the system simulator is presented in the display interface of the user terminal on which the client runs. Based on the interface information they see, the user can perform control operations on the application to be tested within the remote desktop in the client, generating the corresponding test instructions.
In the embodiment of the present invention, the test instructions the client issues for the application to be tested are obtained, and according to preset code logic the manipulation event corresponding to each test instruction is triggered. For example, if a test instruction issued by the client for testing whether the login operation works normally is detected, the corresponding login event is triggered.
As an embodiment of the present invention, Fig. 2 shows the specific implementation flow of S103 of the mobile application test method provided in an embodiment of the present invention, detailed as follows:
S1031: obtain the touch parameter uploaded by the client, the touch parameter being generated from the touch control gesture captured by the client.
In the embodiment of the present invention, the user terminal to which the client belongs is a terminal device with a touch screen. With the system simulator displayed on the touch screen through the remote desktop, the user can use any touch gesture to click and select any control in the application to be tested and to input operating parameters for the selected control. The client converts the detected control selection instruction and operating parameters into the corresponding touch parameter and uploads it. The touch parameter uploaded by the client is therefore received over the communication connection.
Illustratively, the touch parameter may be the coordinate value of the control selected by the user in the terminal interface, the moving distance of the control, and so on.
S1032: obtain the system type of the system simulator.
In the embodiment of the present invention, the system type of the system simulator includes types such as Android, iOS, Windows and MIUI. In the installation directory of the system simulator, the installation description file associated with the simulator is located; the preset field corresponding to the system type is read from this file, and the system type of the simulator is determined from the attribute value of that field.
S1033: using the function library matched to the system type, parse the touch parameter with a preset mapping algorithm to obtain the handling function corresponding to the touch parameter.
Each system type is matched with a preset function library. Therefore, according to the system type of the system simulator determined in S1032, the function library matched to that system type is obtained. The function library contains a plurality of pre-stored handling functions, each of which calls a corresponding section of logical code and thereby realizes a corresponding system function.
In the embodiment of the present invention, the touch parameter uploaded by the client is parsed by a preset mapping algorithm: based on the parameter values contained in the touch parameter (control coordinate value, control moving distance and the like), the handling function corresponding to the touch parameter is looked up in the determined function library. The mapping algorithm describes the mapping relationship between touch parameters and handling functions.
Illustratively, if the touch parameter includes icon control A, the handling function whose logical code contains the control identifier of icon control A is found in the function library; if the touch parameter includes a moving distance a of icon control A, the remote desktop distance value b to which the moving distance is mapped in equal proportion is computed, and the handling function whose logical code contains this remote desktop distance value b is found.
S1034: generate the test instruction based on the handling function, and trigger in the system simulator the manipulation event corresponding to the test instruction.
Since a handling function calls its corresponding section of logical code, the test instruction is generated from the handling function in order to convert that logical code into executable instructions the machine can recognize.
Preferably, if several handling functions are detected to correspond to the touch parameter, the handling functions are combined and a test instruction associated with all of them is generated. For example, if the handling functions found include a handling function for moving icon control A and a handling function for translating by a distance of 50 pixels, a test instruction based on both handling functions is generated, so that the test instruction translates icon control A by 50 pixels.
In the embodiment of the present invention, the system simulator is made to execute the generated test instruction, thereby triggering the manipulation event corresponding to the test instruction.
In the embodiment of the present invention, by obtaining the touch parameter uploaded by the client, parsing out the corresponding handling function with a preset mapping algorithm and then generating the test instruction from the handling function, the user only needs to perform touch operations in the display interface of their mobile terminal; the system simulator automatically generates and executes the corresponding test instruction and manipulation event according to its own system type. This improves the flexibility of mobile application testing and spares the user from manually writing, for each test scenario, test instructions that conform to different instruction specifications, which also reduces the tedium of testing mobile applications.
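The following is an added example of steps S1032 to S1034 in Python; it is not code from the patent. It assumes an INI-style installation description file with a "system_type" field (the real file layout is not given), two hypothetical function libraries whose handling functions only return the call they would make, and a constructed equal-proportion scale between the client moving distance a and the remote desktop distance b. Several matched handling functions are combined into one test instruction, as the text describes for icon control A.

```python
import configparser

# Constructed stand-in for the installation description file that S1032 reads.
# The file layout and the field name "system_type" are assumptions.
INSTALL_DESCRIPTION = """\
[simulator]
name = dev-emulator
system_type = Android
"""

# Constructed equal-proportion ratio between a client-screen distance (a)
# and the remote desktop distance (b) it is mapped to, as in S1033.
REMOTE_DESKTOP_SCALE = 0.5


def read_system_type(description_text: str) -> str:
    """S1032: read the preset field of the installation description file."""
    parser = configparser.ConfigParser()
    parser.read_string(description_text)
    return parser["simulator"]["system_type"]


# Hypothetical handling functions. Each one stands for the section of logical
# code a real function library would call; here it returns the call it would
# make so the generated test instruction can be inspected.
def android_select(control_id):
    return f"android.select({control_id})"


def android_move(control_id, distance):
    return f"android.move({control_id}, {distance})"


def ios_select(control_id):
    return f"ios.select({control_id})"


def ios_move(control_id, distance):
    return f"ios.move({control_id}, {distance})"


# One preset function library per system type (S1033).
FUNCTION_LIBRARIES = {
    "Android": {"select": android_select, "move": android_move},
    "iOS": {"select": ios_select, "move": ios_move},
}


def map_touch_parameter(system_type, touch):
    """Mapping algorithm: touch parameter -> ordered list of handling functions."""
    library = FUNCTION_LIBRARIES.get(system_type)
    if library is None:
        raise ValueError(f"no function library for system type {system_type!r}")
    found = []
    if "control_id" in touch:          # a selected control -> the select function
        found.append(("select", library["select"]))
    if "moving_distance" in touch:     # a moving distance -> the move function
        found.append(("move", library["move"]))
    return found


def generate_test_instruction(system_type, touch):
    """S1034: combine every matched handling function into one test instruction."""
    calls = []
    for name, function in map_touch_parameter(system_type, touch):
        if name == "move":
            # moving distance a on the client maps to remote desktop distance b
            distance = round(touch["moving_distance"] * REMOTE_DESKTOP_SCALE)
            calls.append(function(touch["control_id"], distance))
        else:
            calls.append(function(touch["control_id"]))
    return calls


if __name__ == "__main__":
    system_type = read_system_type(INSTALL_DESCRIPTION)
    # Constructed touch parameter: icon control A dragged 100 px on the client.
    touch = {"control_id": "A", "coordinate": (120, 340), "moving_distance": 100}
    print(system_type, generate_test_instruction(system_type, touch))
```

With the constructed scale of 0.5, a 100 px drag of control A on the client becomes a single instruction that selects A and moves it 50 px in the simulator; a touch parameter without a moving distance yields only the select call.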
S104: issue a scan request to the web page interface associated with the manipulation event, the scan request requesting that the web page interface be detected for logic vulnerabilities.
During the development of mobile applications, for each manipulation event the mobile application allows to be executed, a corresponding underlying web interface is provided so that the application can interface with the server of an external third party. Therefore, according to the logical code entered in advance by the developer, the web interface associated with the currently executed manipulation event is determined, and a scan request is issued to that web interface to detect whether it has a logic vulnerability.
Illustratively, if the test instruction detected by the system simulator is an operation instruction for submitting a goods order, a goods payment event is triggered; at this point, by capturing the preset underlying web request, the web interface corresponding to the goods payment event is identified (for example, the interface address provided by the server of a third-party shopping platform). A scan request is then executed against the identified web interface to detect whether it has a logic vulnerability.
As a specific implementation example of the invention, the logic vulnerability detection process includes: obtaining the parameter return value corresponding to the scan request and extracting the interface parameters contained in it; loading the risk judgment condition corresponding to the web interface; detecting whether the extracted interface parameters satisfy the risk judgment condition; and, if the detection result is yes, determining that a logic vulnerability attack exists.
The risk judgment condition includes, but is not limited to: 1) the total number of interface parameters contained in the parameter return value differs from the preset number of parameters; 2) the parameter type of a currently detected interface parameter differs from the parameter type corresponding to the web interface; 3) the user account associated with the interface parameters differs from the user account carried by the scan request.
Illustratively, if the web interface called by the current scan request is mainly used to query three parameters, namely the goods order number, order price and serial number, then the parameter return value of the scan request should contain three interface parameters; if the number of interface parameters actually detected is four, risk judgment condition 1) is determined to hold.
In the embodiment of the present invention, when any of the above risk judgment conditions holds, the condition that holds is returned as the scan response message.
S105: based on the received scan response message, output the test result corresponding to the web page interface.
In the embodiment of the present invention, if the received scan response message is non-null, it is determined that some risk judgment condition holds, and the test result output for the web interface is that a logic vulnerability risk exists; if the received scan response message is null, it is determined that no risk judgment condition holds, and the test result output for the web interface is that there is no logic vulnerability risk.
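The following is an added example of the logic vulnerability detection of S104 and the result output of S105, written in Python for this page; it is not the patent's code. It assumes the parameter return value is a JSON-like object with a "params" member holding the interface parameters and a "user_account" member naming the account they belong to, and it uses the order-query interface from the text (three expected parameters) with a placeholder address and constructed return values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WebInterfaceSpec:
    """What the developer's logical code says a web interface returns."""
    address: str
    param_types: dict   # interface parameter name -> expected type name


@dataclass(frozen=True)
class ScanRequest:
    address: str
    user_account: str   # account the scan request is carried out as


def extract_interface_parameters(return_value: dict) -> dict:
    """Interface parameters carried in the parameter return value.

    Assumption: the return value keeps them under a "params" member and names
    the owning account under "user_account".
    """
    return dict(return_value.get("params", {}))


def evaluate_risk_conditions(spec, request, return_value):
    """Return the numbers of the risk judgment conditions of S104 that hold."""
    params = extract_interface_parameters(return_value)
    satisfied = []
    # 1) total number of interface parameters differs from the preset number
    if len(params) != len(spec.param_types):
        satisfied.append(1)
    # 2) a detected parameter's type differs from the type the interface defines
    for name, value in params.items():
        expected = spec.param_types.get(name)
        if expected is not None and type(value).__name__ != expected:
            satisfied.append(2)
            break
    # 3) the account the parameters belong to differs from the scan request's
    if return_value.get("user_account") != request.user_account:
        satisfied.append(3)
    return satisfied


def scan_response(spec, request, return_value):
    """The scan response message: the satisfied conditions, or None (null)."""
    satisfied = evaluate_risk_conditions(spec, request, return_value)
    return satisfied or None


def output_test_result(response):
    """S105: a non-null scan response means a logic vulnerability risk exists."""
    if response:
        return "logic vulnerability risk exists: condition(s) " + ", ".join(map(str, response))
    return "no logic vulnerability risk"


# Constructed example from the text: the interface queries three parameters.
ORDER_QUERY = WebInterfaceSpec(
    address="https://shop.example/api/order/query",   # placeholder address
    param_types={"order_no": "str", "order_price": "float", "serial_no": "str"},
)
REQUEST = ScanRequest(address=ORDER_QUERY.address, user_account="alice")

# Constructed parameter return values for the scan request.
GOOD = {"order_no": "A1001", "order_price": 19.9, "serial_no": "S7"}
RETURN_OK = {"user_account": "alice", "params": dict(GOOD)}
RETURN_EXTRA_PARAM = {"user_account": "alice", "params": {**GOOD, "discount": 0.5}}
RETURN_WRONG_TYPE = {"user_account": "alice", "params": {**GOOD, "order_price": "19.9"}}
RETURN_OTHER_ACCOUNT = {"user_account": "mallory", "params": dict(GOOD)}

if __name__ == "__main__":
    for label, rv in [("ok", RETURN_OK), ("extra parameter", RETURN_EXTRA_PARAM),
                      ("wrong type", RETURN_WRONG_TYPE), ("other account", RETURN_OTHER_ACCOUNT)]:
        print(label, "->", output_test_result(scan_response(ORDER_QUERY, REQUEST, rv)))
```

The four constructed return values exercise the null case and each of the three conditions: a fourth parameter trips condition 1), a price returned as a string instead of a float trips condition 2), and parameters belonging to another account trip condition 3).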
In the embodiment of the present invention, by installing the mobile application to be tested in a system simulator, the user can connect to the system simulator from their client by way of a remote desktop and then simulate all kinds of manipulation events in the system simulator, so that the web pages associated with the mobile application are no longer confined to the client on a mobile device. The user therefore needs neither to prepare a mobile terminal nor to install underlying plug-ins in order to perform test operations on the mobile application, which lowers the difficulty of testing mobile applications and improves test flexibility. By triggering the manipulation event corresponding to a test instruction and issuing a scan request to the web interface associated with that event, the preset underlying web request can be captured and the web interface identified automatically, so the embodiment of the present invention also improves the efficiency of mobile application testing.
As another embodiment of the invention, as shown in Fig. 3, steps S106 and S107 are further included after S103, and steps S108 and S109 after S105. The implementation principles of these steps are as follows:
S106: obtain the test parameters associated with the manipulation event.
In the embodiment of the present invention, the test parameters associated with a manipulation event include the trigger time of the event, the identifier of the manipulated control, the manipulation duration, the response time and other parameters related to the manipulation. After the manipulation event corresponding to any test instruction is detected to have completed, the log file corresponding to that event is obtained from the preset log storage path and each associated test parameter is extracted from it.
S107: according to the trigger order of the manipulation events, record the correspondence between each manipulation event and its test parameters in a preset information table in turn.
When several manipulation events are detected to have been triggered within a preset duration, they are sorted by their trigger times. Each manipulation event and its corresponding test parameters are recorded in the same record of the preset information table, and records belonging to events with earlier trigger times are placed higher in the table.
S108: if the test result corresponding to the web page interface is detected to be a test abnormality, determine from the information table the manipulation event entered last.
In the embodiment of the present invention, if the test result corresponding to the web page interface is detected to be that a logic vulnerability risk exists, the current test is determined to be abnormal. The pre-generated information table is then loaded; using the current system time, the record whose trigger time differs least from the system time is found in the table, and the manipulation event corresponding to that record is read out as the manipulation event entered last.
S109: based on the test parameters corresponding to that manipulation event, re-trigger the manipulation event and return to the step of issuing a scan request to the web page interface associated with the manipulation event.
From the record found in the information table, the test parameters corresponding to the last-entered manipulation event are read. Since the test parameters contain the parameter information of the associated manipulation event, the test instruction matching the manipulation event is generated from this information, and executing that test instruction re-triggers the manipulation event.
In the embodiment of the present invention, after the last-entered manipulation event is re-triggered, execution returns to step S104 so that the scan request is re-issued to the web interface associated with the manipulation event.
In the embodiment of the present invention, recording the correspondence between each manipulation event and its test parameters in the preset information table in turn keeps a record of every manipulation event performed by the user. When an abnormality in the test process is detected, the last recorded manipulation event is executed again from the information table in the order previously recorded, so the system simulator still achieves automatic testing of the mobile application without the user having to input the same test parameters again or perform click and selection operations by hand, which improves the efficiency of mobile application testing.
As another embodiment of the invention, Fig. 4 shows the implementation flow of the mobile application test method provided in an embodiment of the present invention. As shown in Fig. 4, the following steps are further included after S102:
S110: perform legitimacy verification on the account information of the client, and create an account login session when the verification succeeds.
In the embodiment of the present invention, when the remote desktop connection request issued by the client is received, the account information carried in the request is parsed. The account information includes an account identifier and an account password.
Legitimacy verification of the account information is performed against a preset authorization access list, which contains each legal account identifier licensed to use the mobile application together with the account password corresponding to each legal account identifier. For the account identifier and account password uploaded by the current client, if the account identifier is a legal account identifier and the account password matches the password corresponding to that legal account identifier, the current account information is determined to pass legitimacy verification and a login event for the account information is triggered. At this point an account login session associated with the client is created, and each test parameter associated with the login event is entered into the preset information table in the order of the trigger times of the manipulation events.
S111: if the account login session is detected to be interrupted, obtain from the preset information table the trigger time of the last login event.
At every preset time interval, the created account login session is checked for the presence of a session connection. If at any moment the account login session is detected to have no session connection, the session is determined to be interrupted. The information table containing the correspondence between each manipulation event and its test parameters is then loaded.
Optionally, the records containing the preset identifier of login events are found in the information table, and the trigger time of the latest-entered of those records is taken as the trigger time of the last login event.
Optionally, according to the account information associated with the login time, the records containing that account information are found in the information table, and the trigger time of the latest-entered of those records is taken as the trigger time of the last login event.
S112: determine the N manipulation events recorded before that trigger time, and sequentially execute the N manipulation events and the login event according to their corresponding test parameters, where N is a preset value greater than zero.
In the embodiment of the present invention, since the records in the information table are ordered by their trigger times, once the trigger time of the last login event has been determined in step S111, the N records entered before that trigger time can be filtered out. For each filtered record, the corresponding manipulation event and test parameters are read, and the manipulation event is re-triggered based on the test parameters.
After the manipulation events corresponding to all filtered records have been triggered, the login event for the account information is triggered again.
The embodiment of the present invention applies to the case in which, during the web interface scanning process of the application to be tested, the login session is interrupted by an unauthorized access operation of the user. For example, after a login event completes, the user keeps executing other manipulation events but may, through some careless operation, access an illegal page, whereupon the user account is forcibly logged out and the login session is interrupted. In mobile applications, many functions to be tested can only be executed after the user has logged in. In the embodiment of the present invention, the account login session is therefore monitored at all times; as soon as the current session is detected to be interrupted, web scanning of the manipulation events performed by the user is suspended, the login event is restored automatically from the pre-recorded test parameters, and only then is the unfinished web scanning continued. This avoids the interruption of web interface scanning caused by the user's account being logged out, improving the efficiency and stability of mobile application testing.
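The following is an added Python example covering both the information table of S106 to S109 and the session recovery of S110 to S112; it is not the patent's code. The record layout, the constructed authorization access list, the integer clock values and the `execute` callback that stands in for the simulator are all assumptions. It shows the table kept in trigger order, the last-entered event chosen by smallest difference from the system time (S108), legitimacy verification against the access list (S110), the last login trigger time (S111) and the replay of the N earlier events followed by the login event (S112).

```python
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

LOGIN_EVENT = "login"   # preset identifier of login events in the information table


@dataclass(frozen=True)
class Record:
    trigger_time: int        # seconds; constructed clock values in the sample below
    event: str               # manipulation event name, LOGIN_EVENT for login events
    test_parameters: dict    # control id, duration, response time, ... (S106)


class InformationTable:
    """Preset information table of S107: one record per manipulation event."""

    def __init__(self):
        self.records: List[Record] = []

    def record(self, trigger_time, event, test_parameters):
        self.records.append(Record(trigger_time, event, dict(test_parameters)))
        self.records.sort(key=lambda r: r.trigger_time)   # earlier events on top

    def last_entered(self, system_time) -> Record:
        # S108: the record whose trigger time differs least from the current time
        return min(self.records, key=lambda r: abs(system_time - r.trigger_time))

    def last_login_time(self) -> Optional[int]:
        # S111: latest-entered record carrying the login event identifier
        logins = [r for r in self.records if r.event == LOGIN_EVENT]
        return max(r.trigger_time for r in logins) if logins else None

    def before(self, trigger_time, n) -> List[Record]:
        # S112: the N records entered before the given trigger time, in order
        earlier = [r for r in self.records if r.trigger_time < trigger_time]
        return earlier[-n:] if n > 0 else []


# Constructed authorization access list of S110 (account id -> password).
AUTHORIZED_ACCOUNTS = {"alice": "correct horse", "bob": "battery staple"}


def verify_account(account_id, password) -> bool:
    """Legitimacy verification against the authorization access list (S110)."""
    expected = AUTHORIZED_ACCOUNTS.get(account_id)
    return expected is not None and hmac.compare_digest(expected, password)


def retrigger_last(table, system_time, execute: Callable[[str, dict], None]) -> str:
    """S109: re-trigger the last-entered manipulation event from its test parameters."""
    rec = table.last_entered(system_time)
    execute(rec.event, rec.test_parameters)
    return rec.event


def recover_login(table, n, execute: Callable[[str, dict], None]) -> List[str]:
    """S111/S112: after a session interruption, replay the N events recorded
    before the last login event, then the login event itself."""
    login_time = table.last_login_time()
    if login_time is None:
        return []
    replayed = []
    for rec in table.before(login_time, n):
        execute(rec.event, rec.test_parameters)
        replayed.append(rec.event)
    login = next(r for r in table.records
                 if r.event == LOGIN_EVENT and r.trigger_time == login_time)
    execute(login.event, login.test_parameters)
    replayed.append(login.event)
    return replayed


def build_sample_table() -> InformationTable:
    """Constructed session: two events, a verified login, then two more events."""
    table = InformationTable()
    table.record(90, "open_app", {"control": "launcher", "duration_ms": 300})
    table.record(95, "accept_terms", {"control": "btn_ok", "duration_ms": 120})
    if verify_account("alice", "correct horse"):
        table.record(100, LOGIN_EVENT, {"account": "alice", "response_ms": 410})
    table.record(110, "select_control_A", {"control": "A", "duration_ms": 150})
    table.record(120, "submit_order", {"control": "btn_submit", "duration_ms": 200})
    return table


if __name__ == "__main__":
    table = build_sample_table()
    log = lambda event, params: print("execute", event, params)
    print("re-triggered:", retrigger_last(table, system_time=125, execute=log))
    print("recovered:", recover_login(table, n=2, execute=log))
```

With the constructed table, a test abnormality at system time 125 re-triggers "submit_order" (the record closest to the current time), and a session interruption with N = 2 replays "open_app" and "accept_terms" before the login event; an N larger than the number of earlier records simply replays all of them.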
As an embodiment of the present invention, Fig. 5 shows another specific implementation flow of S103 of the mobile application test method provided in an embodiment of the present invention, detailed as follows:
S1034: if an application login request issued by the client is received, trigger a security detection event based on a preset logic vulnerability detection point.
S1035: obtain the detection result corresponding to the security detection event.
S1036: if the detection result is that a logic vulnerability risk exists, perform an account logout operation on the user account associated with the application login request and mark the user account as abnormal.
Buried-point code for triggering the security detection event is added in advance to the web interface associated with the login event; this buried-point code is the logic vulnerability detection point. The security detection event judges whether the currently received application login request carries a logic vulnerability risk.
When the user needs to use the login function of the mobile application to be tested from their client, the application login request issued by the client is received, and the security detection event is triggered based on the preset logic vulnerability detection point.
In the embodiment of the present invention, if the feedback result of the current security detection event is that a logic vulnerability risk exists, an account logout operation is performed on the user account associated with the application login request. If the feedback result is that no logic vulnerability risk exists, the current account login session is kept and the subsequent manipulation events triggered by the user continue to be responded to.
In the embodiment of the present invention, when the application login request for the login event is received from the client, the security detection event is triggered automatically based on the preset logic vulnerability detection point and its feedback result is obtained; forcibly logging out the source user account of the application login request when the feedback result is that a logic vulnerability risk exists ensures that, even when an attack occurs, the attacker cannot carry out logic attack tests on subsequent business processes outside their scope of authority. This achieves security protection to a certain extent and thereby also improves the security of the mobile application.
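The following is an added Python example of the detection point flow of S1034 to S1036; it is not the patent's code. The page does not say what the buried-point code checks, so the single rule here is constructed, modelled on risk condition 3) of S104 (the request asks to log in an account other than the one its session was established for); the account, request and session structures are likewise assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class UserAccount:
    account_id: str
    state: str = "normal"        # set to "abnormal" by S1036


@dataclass(frozen=True)
class AppLoginRequest:
    account_id: str                    # account the request wants to log in
    session_account: Optional[str]     # account the requesting session already holds


class LogicDetectionPoint:
    """The buried-point code in the login web interface (S1034).

    Each rule is a callable returning True when the login request carries a
    logic vulnerability risk; the rule set is constructed for this example."""

    def __init__(self, rules: List[Callable[[AppLoginRequest], bool]]):
        self.rules = rules

    def trigger(self, request) -> bool:
        """Security detection event: True means a logic vulnerability risk exists."""
        return any(rule(request) for rule in self.rules)


def session_account_mismatch(request) -> bool:
    # Constructed rule modelled on risk condition 3) of S104: the request tries
    # to log in an account different from the one its session was created for.
    return request.session_account is not None and request.session_account != request.account_id


class LoginService:
    def __init__(self, accounts, detection_point):
        self.accounts: Dict[str, UserAccount] = {a.account_id: a for a in accounts}
        self.detection_point = detection_point
        self.sessions: Dict[str, str] = {}   # account id -> session id (constructed)

    def handle_login(self, request) -> str:
        account = self.accounts.get(request.account_id)
        if account is None:
            return "unknown_account"
        risky = self.detection_point.trigger(request)               # S1034
        if risky:                                                   # S1035/S1036
            self.sessions.pop(request.account_id, None)             # account logout
            account.state = "abnormal"
            return "logged_out"
        # no risk: keep the existing account login session or create one
        self.sessions.setdefault(request.account_id, f"session-{request.account_id}")
        return "logged_in"

    def has_session(self, account_id) -> bool:
        return account_id in self.sessions


def demo():
    """Constructed sequence: a clean login, then a risky request for the same account."""
    service = LoginService([UserAccount("alice"), UserAccount("bob")],
                           LogicDetectionPoint([session_account_mismatch]))
    first = service.handle_login(AppLoginRequest("alice", session_account=None))
    # a second request arrives on a session bound to bob but asks to log in alice
    second = service.handle_login(AppLoginRequest("alice", session_account="bob"))
    return first, second, service.has_session("alice"), service.accounts["alice"].state


if __name__ == "__main__":
    print(demo())
```

The first request passes the detection point and creates alice's session; the second trips the constructed rule, so alice's session is removed and the account is marked abnormal, while a request whose session already belongs to the same account keeps its session untouched.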
It should be understood that the magnitude of the serial numbers of the steps in the above embodiments does not imply an order of execution; the execution order of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation process of the embodiments of the present invention.
Corresponding to the mobile application test method described in the foregoing embodiments, Fig. 6 shows a structural block diagram of the mobile application test device provided in an embodiment of the present invention. For ease of description, only the parts related to the embodiments of the present invention are shown.
Referring to Fig. 6, the device includes:
a running unit 61, for running an application installation package in a system simulator and installing the application to be tested in the system simulator;
a connection unit 62, for enabling the system simulator to establish a communication connection with a client according to a remote desktop connection request issued by the client;
a first acquisition unit 63, for obtaining the test instruction issued by the client for the application to be tested and triggering the manipulation event corresponding to the test instruction;
a request unit 64, for issuing a scan request to the web page interface associated with the manipulation event, the scan request requesting that the web page interface be detected for logic vulnerabilities;
an output unit 65, for outputting the test result corresponding to the web page interface based on the received scan response message.
Optionally, the mobile application test device further includes:
a second acquisition unit, for obtaining the test parameters associated with the manipulation event;
a recording unit, for recording the correspondence between each manipulation event and its test parameters in a preset information table in turn, according to the trigger order of the manipulation events;
a determination unit, for determining from the information table the manipulation event entered last if the test result corresponding to the web page interface is detected to be a test abnormality;
a return unit, for re-triggering the manipulation event based on its corresponding test parameters and returning to the step of issuing a scan request to the web page interface associated with the manipulation event.
Optionally, the mobile application test device further includes:
a verification unit, for performing legitimacy verification on the account information of the client and creating an account login session when the verification succeeds;
a third acquisition unit, for obtaining from the preset information table the trigger time of the last login event if the account login session is detected to be interrupted;
an execution unit, for determining the N manipulation events recorded before that trigger time and sequentially executing the N manipulation events and the login event according to their corresponding test parameters, where N is a preset value greater than zero.
Optionally, the first acquisition unit 63 includes:
a first acquiring subunit, for obtaining the touch parameter uploaded by the client, the touch parameter being generated from the touch control gesture captured by the client;
a second acquiring subunit, for obtaining the system type of the system simulator;
a parsing subunit, for parsing the touch parameter with a preset mapping algorithm using the function library matched to the system type, to obtain the handling function corresponding to the touch parameter;
a generating subunit, for generating the test instruction based on the handling function and triggering in the system simulator the manipulation event corresponding to the test instruction.
Optionally, the first acquisition unit 63 includes:
a triggering subunit, for triggering a security detection event based on a preset logic vulnerability detection point if an application login request issued by the client is received;
a third acquiring subunit, for obtaining the detection result corresponding to the security detection event;
a marking subunit, for performing an account logout operation on the user account associated with the application login request and marking the user account as abnormal if the detection result is that a logic vulnerability risk exists.
Fig. 7 is a schematic diagram of the terminal device provided by an embodiment of the invention. As shown in Fig. 7, the terminal device 7 of this embodiment includes a processor 70, a memory 71 and a computer program 72 stored in the memory 71 and runnable on the processor 70, such as a mobile application test program. When the processor 70 executes the computer program 72, it implements the steps of each of the mobile application test method embodiments above, such as steps 101 to 105 shown in Fig. 1; alternatively, it implements the functions of each module/unit in each of the device embodiments above, such as the functions of units 61 to 65 shown in Fig. 6.
Illustratively, the computer program 72 may be divided into one or more modules/units, which are stored in the memory 71 and executed by the processor 70 to complete the present invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions, the instruction segments being used to describe the execution process of the computer program 72 in the terminal device 7.
The terminal device 7 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 70 and the memory 71. Those skilled in the art will understand that Fig. 7 is only an example of the terminal device 7 and does not limit it; the device may include more or fewer components than shown, combine certain components, or have different components. For example, the terminal device may also include input and output devices, network access devices, buses and so on.
The processor 70 may be a central processing unit (Central Processing Unit, CPU), or another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 71 may be an internal storage unit of the terminal device 7, such as its hard disk or internal memory. The memory 71 may also be an external storage device of the terminal device 7, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the terminal device 7. Further, the memory 71 may include both an internal storage unit and an external storage device of the terminal device 7. The memory 71 stores the computer program and the other programs and data needed by the terminal device, and may also be used to temporarily store data that has been output or is to be output.
In addition, the functional units in each embodiment of the application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer readable storage medium. On this understanding, the technical solution of the application, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method of each embodiment of the application. The storage medium includes a USB flash disk, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk or any other medium that can store program code.
The above embodiments are only intended to illustrate the technical solution of the application, not to limit it. Although the application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in each of the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the application.