Introduction: mPaaS pre-launch application checks


1. Background

As more and more financial-industry customers build and launch new apps on mPaaS [1], the online quality of those apps has become a focus for them. What to test before going live, how to test it, and which test metrics to collect have become the main questions we think about. Drawing on a recent on-site pre-launch functional test for the XX rural credit cooperative customer, plus the pitfalls that many earlier mPaaS projects have run into, the mPaaS-related checks to run before an App goes live are summarized below.

2. Areas to check

2.1 Security

2.1.1 Whether national cryptographic (SM2) encryption is enabled for RPC

For financial apps, the security of data communication is critical. mPaaS supports three algorithms: ECC, RSA and SM2.
For financial-industry Apps it is recommended to configure RPC encryption to use SM2, the Chinese national commercial cryptographic algorithm, to meet industry regulatory requirements. For the configuration, refer to document [2].

2.1.2 Whether signature verification is enabled for offline packages

figure 1

To protect offline packages delivered to the device, mPaaS provides an offline package verification mechanism. The overall flow is shown in figure 1; the setup and verification process is as follows:

  1. The developer generates a key pair. The private key is placed on the server to sign offline packages; the public key is built into the client to verify the signatures.
  2. On the offline package publishing platform, if a signing private key is configured, the amr file issued by the platform carries a signature (the hash of the offline package, encrypted with the private key).
  3. After the client downloads and decompresses the amr package, it verifies the signature with the public key preset in the project: it decrypts the signature to recover the hash, computes the hash of the offline package locally, and compares the two. If they match, verification passes.
  4. If signature verification fails, the client deletes the offline package and loads the page from the fallback address instead.

The offline package verification mechanism achieves the following:

  1. It ensures that the content of the offline package is intact, avoiding decompression failures and broken page rendering caused by a damaged package.
  2. It ensures that the offline package comes from the expected source and has not been tampered with locally.
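The four steps above as an added example, not mPaaS code: RSA over SHA-256 stands in for whichever of the three supported algorithms is configured, a constructed byte string stands in for the amr package, and the local file URL and fallback URL are assumptions. A tampered package fails verification and the client falls back instead of installing it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the bytes of an offline (amr) package.
var samplePackage = []byte("constructed offline package: index.html + app.js")

// signPackage models step 2 on the publishing platform: hash the package and
// sign the hash with the private key; the signature ships with the amr file.
func signPackage(priv *rsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyPackage models step 3 on the client: recompute the hash locally and
// compare it with the hash recovered from the signature using the preset public key.
func verifyPackage(pub *rsa.PublicKey, pkg, sig []byte) error {
	digest := sha256.Sum256(pkg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// installOrFallback models step 4: a package that fails verification is not
// installed and the page is loaded from the fallback address instead. It returns
// the URL to load and whether the offline package was accepted.
func installOrFallback(pub *rsa.PublicKey, pkg, sig []byte, fallbackURL string) (string, bool) {
	if err := verifyPackage(pub, pkg, sig); err != nil {
		// The caller deletes the local package here; the path below is illustrative.
		return fallbackURL, false
	}
	return "file:///offline/index.html", true
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, _ := signPackage(priv, samplePackage)
	fmt.Println(installOrFallback(&priv.PublicKey, samplePackage, sig, "https://h5.example.com/"))
	tampered := append([]byte{}, samplePackage...)
	tampered[0] ^= 0xff // simulate local tampering after download
	fmt.Println(installOrFallback(&priv.PublicKey, tampered, sig, "https://h5.example.com/"))
}
```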

2.1.3 Is the userId configured correctly?

The userId is used in many places, such as push and whitelists. It is therefore generally recommended to use the server-side user ID field as the stored value, so that it can later be synchronized with the server. Do not use personal information such as a mobile phone number or ID card number as the userId.

2.1.4 Does tracking (event logging) data contain sensitive information, such as transaction numbers?

Because the volume of tracking events is very large, mPaaS does not encrypt tracking data locally by default. Tracking events should therefore not contain sensitive fields, to prevent information from leaking through the tracking channel; sensitive fields should instead be reported through the RPC data channel to ensure data security. If sensitive fields must be included in tracking events, local encryption of tracking data has to be enabled explicitly.

2.1.5 Privacy permission configuration

Regulators now enforce stricter control over privacy permissions, and mPaaS provides a corresponding integration scheme for permission control. Before going live, make sure the privacy permission configuration has been integrated correctly.

2.2 Stability

2.2.1 Verify that the app works on Android 4.x

mPaaS supports Android 4.3 and above, so the app must be verified on low-version Android devices before release. Most of the problems encountered are crashes at startup on Android 4.x devices caused by classes not being found during multidex loading.

2.2.2 Has the iOS symbol table been uploaded?

Before publishing, make sure the iOS symbol table has been uploaded to the mPaaS backend so that the backend can symbolicate crash reports.

2.2.3 Has the hotfix module been integrated and verified?

Before release, make sure the hotfix module has been integrated and verified, so that the hotfix capability for the Native module is available online and problems can be repaired when something goes wrong.

2.2.4 Confirm the offline package fallback domain

Confirm that the fallback domain is an address reachable from the public network. There have been cases where the address delivered after release was still an internal network address.
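A static pre-check for the fallback address described above, as an added example that is not part of mPaaS: it flags literal private, loopback or link-local IPs, bare hostnames without a domain, and an assumed list of intranet suffixes. It cannot prove reachability; the final confirmation is still loading the URL from a device on a mobile network.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hostname suffixes treated as intranet-only. The list is an assumption for
// this example; adjust it to the customer's naming conventions.
var internalSuffixes = []string{".local", ".internal", ".lan", ".corp"}

// checkFallbackURL returns nil when the address looks reachable from the public
// network and a descriptive error when it looks like an internal address.
func checkFallbackURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return fmt.Errorf("fallback URL %q has no host", raw)
	}
	if ip := net.ParseIP(host); ip != nil {
		// Literal IP: reject RFC 1918 / ULA, loopback and link-local ranges.
		if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
			return fmt.Errorf("host %s is a private or local IP address", host)
		}
		return nil
	}
	if !strings.Contains(host, ".") {
		return fmt.Errorf("host %q is a bare intranet name without a domain", host)
	}
	for _, s := range internalSuffixes {
		if strings.HasSuffix(host, s) {
			return fmt.Errorf("host %s uses the internal suffix %s", host, s)
		}
	}
	return nil
}

func main() {
	// Constructed sample configuration: one public address and one internal one.
	for _, raw := range []string{"https://h5.example.com/index.html", "http://10.1.2.3/h5/"} {
		fmt.Printf("%s: %v\n", raw, checkFallbackURL(raw))
	}
}
```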

2.2.5 CDN access for the offline package module

Do a capacity evaluation before going live. By default, mPaaS offline packages are stored in OSS, but it is generally recommended to put the offline package module behind a CDN and use the CDN's caching to avoid saturating bandwidth with offline package downloads. CDN traffic is also cheaper than serving directly from OSS storage. The access diagram is shown in figure 2:

figure 2

2.2.6 Load test of core-link RPC interfaces

Before going live, load-test the RPC interfaces on the App's core links to find their performance bottlenecks; the results serve as a reference when setting rate-limit thresholds later. At the same time, rehearse the RPC rate-limiting scenario to prevent client-side anomalies once rate limiting is applied online.

2.2.7 Release and update functions are available

Before going live, verify that the apk release function works, including the forced update function for published updates, so that a mandatory upgrade can be pushed in extreme scenarios.

2.3 Performance and experience

2.3.1 Whether the offline function of the offline package works

Make sure the offline function of the offline package actually works; various configuration problems in the offline package can prevent it from taking effect.

2.3.2 Is the UC kernel integrated correctly?

Make sure the UC kernel is correctly configured and integrated. It mainly resolves the various compatibility problems of the system WebView, and it is also more stable than the system WebView.

2.3.3 Whether core-link offline packages are preinstalled

Before release, the core-link offline packages need to be preinstalled in the app so that the core links can still be opened in extreme abnormal scenarios.

Reference documents

[1] Mobile development platform mPaaS: https://www.aliyun.com/product/mobilepaas/mpaas
[2] Data encryption: https://help.aliyun.com/document_detail/72752.html?spm=a2c4g.11186623.6.732.6bb85ed3LyuYtO

We are the Alibaba Cloud Intelligence Global Technical Service SRE team. We aim to be a technology-driven, service-oriented engineering team for highly available business systems, providing professional and systematic SRE services that help customers make better use of the cloud and build more stable and reliable business systems on it. We hope to share more techniques that help enterprise customers move to the cloud, use it well, and run their business on it more stably and reliably. Scan the QR code below to join the Alibaba Cloud SRE Technical Institute DingTalk group and discuss the cloud platform with other cloud experts.

