Introduction:Originated from more than ten years of Alibaba precipitation, improve the overall security level of app
Whether it’s android app or jar application, once the code is distributed, it will be in an untrusted environment in some form, which will inevitably be analyzed and cracked by intentional people. The secret hidden in the code, whether it is private algorithm, private protocol, or encryption and decryption key, may be cracked by attackers, and then infringe the original author’s commercial interests or intellectual property rights. Therefore, application reverse cracking is one of the sources of business risk.
1: Analysis of mobile application security
According to the data of the Ministry of industry and information technology, as of 2019, the number of mobile applications in China has reached 4.5 million, among which games, life services and e-commerce apps rank the top three.
Market segmentation, let’s look at the financial industry. According to the data of the Institute of information technology, in 2019, we observed 22777 domestic financial industry apps, and found that only 17.08% of the financial industry apps completed reinforcement, while more than 80% of the financial industry apps “streaked” in the application market without any security reinforcement. Looking at the whole industry through the financial industry, other industries also have similar problems.
Let’s look at the regulatory policy again
For the financial industry, the people’s Bank of China issued the security management specification of mobile financial client application software, which clearly standardized the security reinforcement requirements of mobile app.
For the education industry, the Ministry of Education issued the “opinions on guiding and standardizing the orderly and healthy development of education mobile Internet applications” and the “special governance action plan for the management and service education mobile Internet applications in Colleges and universities”, FA Wenming definitely proposed that the education app should go online after security assessment, and timely repair the security risks through security reinforcement.
Under the background of the regulatory requirements of the financial and education industries and the increasing attention of the state to the mobile Internet, other industries may introduce relevant security policy requirements in the future.
2: New mobile security protection strategy
The following describes the iterative process of upgrading Alibaba’s internal mobile security policy.
In the first and second generation of reinforcement scheme, mainly for the APK shell protection, to hide the DEX, and encrypt the DEX at the same time, load the encrypted DEX dynamically at runtime and do the shelling operation. The advantage of shell reinforcement is that it will not increase the volume of application, and DEX is hidden, which can resist the static analysis of DEX.
With the continuous upgrading of attack means, Alibaba mobile security reinforcement has upgraded its new capabilities. At present, it has developed to the third generation of reinforcement: Java bytecode converted to native binary code.
The principle and goal of Alibaba’s internal reinforcement is not only to fully improve its own security capability, increase the cracking difficulty and attack cost of the opponent, but also to reduce the access cost of the business party as far as possible, and to take into account the operation efficiency and volume.
The main risk points are as follows:
- Java / SmalI bytecode is decompiled into Java source code by tools
- Java / SmalI bytecode is read directly
- Native assembly code is decompiled into C source code by tools
Because of the limitation of format and instruction, the security protection ability of Java bytecode has an upper limit. However, native binary code is more difficult to crack than Java bytecode. So we convert the bytecode into native binary code, and the code logic is transferred to so, which used to be Java function call, but now it is JNI call. The attacker’s Java reverse related skills are directly invalid and forced to reverse native binary, which is much more difficult than reverse bytecode.
3: Mpaas mobile security reinforcement heavyweight Online
Combined with the upgrade of Alibaba’s internal mobile application security reinforcement capability, we officially launched the mobile application security reinforcement capability in mpaas.
Aiming at various security risks such as cracking, tampering, piracy, phishing fraud, memory debugging, data theft and so on, mpaas mobile security reinforcement provides stable, simple and effective security protection for app, improves the overall security level of app, and ensures that app will not be cracked and attacked.
In response to common Android attacks, such as decompilation, secondary packaging, dynamic debugging, we also pay attention to performance and compatibility.
- The reinforcement capacity has experienced the practice of hundreds of millions of businesses such as Taobao and rookie, and the security is guaranteed;
- In terms of compatibility, we support versions from 4.2 to Android Q;
- Can support arm, x86, x64 system architecture, stable operation in complex environment, low crash rate;
- In addition, through the protection of class confusion, it is more difficult for attackers to reverse the app, making it impossible to attack.
Product core value
Through the previous introduction, I believe you have a preliminary understanding of mpaas mobile application reinforcement. The following summarizes the advantages of mpaas mobile application security reinforcement.
- The operation is simple, upload the reinforcement package on the console and use it out of the box. It can be used by developers and project managers;
- High stability and compatibility, low crash rate;
- Verified by Taobao and other Alibaba apps, the security is guaranteed;
- At the same time, it supports the systems from Android 4.2 to Android Q and the system architectures of arm, x86 and x64;
- In addition, it supports javabytecode level obfuscation protection, increases the cost of attacker reverse app, and ensures the security of app to the maximum extent.
Mobile security reinforcement capability list
We start fromDecompile protection, tamper protection, debug protectionIn addition, the security policies for DEX files, so files and various hook frameworks are made. The capability list is as follows:
At the same time, mpaas mobile security reinforcement is also perfectly compatible with the hot repair ability of mpaas. Through the hot repair ability, you can quickly repair the online version problems, and you don’t need to release the version to ensure the continuity of business. You can experience the hot repair ability in the mpaas console.