According to statistics, at least 1.5 million new pieces of mobile malware appear every year, resulting in at least 16 million mobile malware attacks.

Because of its open ecosystem, Android's security problems are quite serious. Many Android apps in the app markets carry potential security risks that, once exploited, can have a great impact on users and developers.

At the same time, with the introduction and implementation of relevant laws and regulations such as the Network Security Law and the Personal Information Protection Law, mobile application developers also need to cooperate with government departments to jointly create a secure mobile application environment and promote the standardized, secure and healthy development of network security.

To help mobile developers respond effectively to security requirements, many mPaaS modules adopt security policies:

  • Security hardening for mobile applications

  • Privacy compliance testing

  • RPC signing and encryption

  • Offline package signature verification

  • TCP + SSL mechanism for mobile synchronization

  • Hotfix encryption configuration

This article introduces the common security design modules in mPaaS so that they can be put to better use in the future.

Privacy compliance testing

With the continuous refinement and deepening of policies, regulations and regulatory standards, and the increasing intensity of supervision and punishment, the policy risks faced by App developers are also gradually increasing.

The mPaaS privacy compliance testing service analyzes a mobile App's privacy security and its collection and use of personal data for compliance with relevant national laws and regulations and industry norms.

It helps enterprises and App developers identify security risks across multiple dimensions, such as personal information collection, permission usage scenarios and privacy policies. It also provides expert rectification suggestions and helps customers avoid regulatory penalties, pass review and get listed in app stores.

Mobile security hardening

Building on the upgrade of Ali's internal mobile application security hardening capability, we have now exported that capability in mPaaS.

mPaaS mobile security hardening targets the security risks common to mobile apps on the market, such as cracking, tampering, piracy, phishing fraud, memory debugging and data theft. It provides stable, simple and effective protection, raises the overall security level of the App, and protects the App from cracking and attack.

While dealing with common Android attacks, such as decompilation, repackaging, and dynamic debugging, we also focus on performance and compatibility.

  • The hardening capability has been proven in practice by Taobao, Cainiao and other businesses at the scale of hundreds of millions, so its security is assured;

  • In terms of compatibility, we support Android 4.2 through Android Q;

  • It supports the ARM, x86 and x64 architectures, runs stably in complex environments, and has a low crash rate;

  • In addition, obfuscating and protecting classes makes it harder for an attacker to reverse engineer the App, leaving the attack with nowhere to start.

RPC

As one of the most important components of mPaaS, RPC provides a secure communication channel between the client and the server, including signing and encryption. Signing prevents the client from being forged, and encryption prevents the request data from being leaked.

1 Signature

Overall process:

  1. When an application is initialized in the mPaaS backend, a unique appSecret is created for each App.

  2. The client generates a Wireless Bodyguard image based on information such as appID, WorkspaceID, and appSecret. The encryption provided by the Wireless Bodyguard module protects the appSecret stored on the client.

  3. When the client sends a request, it obtains appSecret from Wireless Bodyguard, combines it with factors such as OperationType, Time and requestData to calculate an MD5 value, and adds the result to the header sent to the MGS gateway.

  4. After receiving the message, MGS calculates the MD5 again in the same way. If the two values are the same, the message passes verification.

Advantages: The Wireless Bodyguard mechanism ensures the security of the appSecret built into the client.
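The signing and verification in steps 3 and 4, as an added Go example that is not mPaaS code. The canonical string layout, the `Request` type and the sample values are assumptions: the article lists the factors but not how they are ordered or joined.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Request holds the factors named in step 3; Sign is the value sent in the header.
type Request struct {
	OperationType, Time, RequestData, Sign string
}

// sign is the client side of step 3. The "key=value&..." layout is an
// assumption: the article does not say how MGS orders or joins the factors.
func sign(appSecret string, r Request) string {
	canon := fmt.Sprintf("op=%s&data=%s&time=%s&secret=%s",
		r.OperationType, r.RequestData, r.Time, appSecret)
	sum := md5.Sum([]byte(canon))
	return hex.EncodeToString(sum[:])
}

// gatewayVerify is step 4: recompute with the server's copy of appSecret and
// compare in constant time so the check does not leak how many bytes matched.
func gatewayVerify(appSecret string, r Request) bool {
	want := sign(appSecret, r)
	return subtle.ConstantTimeCompare([]byte(want), []byte(r.Sign)) == 1
}

func main() {
	secret := "constructed-app-secret" // constructed sample value
	req := Request{OperationType: "com.example.query", Time: "1700000000000", RequestData: `[{"id":1}]`}
	req.Sign = sign(secret, req)
	fmt.Println("genuine request:", gatewayVerify(secret, req))

	req.RequestData = `[{"id":2}]` // body changed after signing
	fmt.Println("altered body:", gatewayVerify(secret, req))

	req.Sign = sign("guessed-secret", req) // client that does not hold the real appSecret
	fmt.Println("forged client:", gatewayVerify(secret, req))
}
```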

2 Encryption

Overall process:

  1. An asymmetric key pair is generated with OpenSSL. The client saves the public key and the server saves the private key.

  2. Each time the client makes an RPC request, a new symmetric key is generated. The symmetric key is encrypted with the asymmetric key generated in the first step to produce the SecKey.

  3. The client uses the symmetric key to encrypt the original data and obtain the SecData.

  4. The mobile gateway decrypts the SecKey with the saved private key to obtain the symmetric key.

  5. Using the symmetric key obtained in the previous step, the gateway decrypts the encrypted data SecData to obtain the original data.

Advantages: RPC encryption adopts a hybrid mode that combines asymmetric and symmetric encryption. Symmetric encryption alone performs better but cannot guarantee enough security. Asymmetric encryption alone ensures security, but performance deteriorates, so it is not suitable for RPC scenarios with a large amount of communication.

The hybrid encryption mode adopted by RPC therefore combines the advantages of both.
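The five steps above, with client and gateway side by side, as an added Go example that is not mPaaS code. RSA-OAEP for wrapping the key, AES-256-GCM for the data, and the layout of SecData are assumptions, since the article names no algorithms; the key pair and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var gatewayKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair (step 1)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-256-GCM and RSA-OAEP are assumed, not documented
}

func clientEncrypt(pub *rsa.PublicKey, plain []byte) (secKey, secData []byte, err error) {
	buf := make([]byte, 32+12) // step 2: one-time AES key, followed by the GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	secKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil) // wrapped key
	return secKey, gcm.Seal(buf[32:], buf[32:], plain, nil), err // step 3: nonce || ciphertext || tag
}

func gatewayDecrypt(priv *rsa.PrivateKey, secKey, secData []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, secKey, nil) // step 4
	if err != nil {
		return nil, fmt.Errorf("unwrap SecKey: %w", err)
	}
	if gcm, err := newGCM(key); err == nil && len(secData) >= 12 {
		return gcm.Open(nil, secData[:12], secData[12:], nil) // step 5; fails if SecData was altered
	}
	return nil, fmt.Errorf("bad key or SecData length")
}

func main() {
	k, d, _ := clientEncrypt(&gatewayKey.PublicKey, []byte(`{"amount":100}`)) // constructed payload
	plain, err := gatewayDecrypt(gatewayKey, k, d)
	fmt.Println(string(plain), err)
}
```

Because the symmetric cipher here is authenticated, a SecData modified in transit is rejected by the gateway rather than decrypted to garbage.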

3 Packet capture prevention

To prevent data from being captured by packet capture software, the client implements packet capture prevention settings. Setting the network library to disable proxies resolves the risk of packet capture. The code is as follows:

Offline package

Services use many offline package modules. To ensure that offline packages delivered locally to the client are not tampered with, the offline package service provides a signature verification mechanism.

Overall process:

  1. Use OpenSSL to generate a public and private key pair. The public key is stored in the client and the private key is stored on the server.

  2. When the offline package is built, the server calculates the MD5 of the offline package file and encrypts the calculated value with the private key to generate the signature data, which is delivered to the client along with the offline package.

  3. Each time the client opens an offline package, it uses the public key on the client to recover the delivered MD5 value and compares it with the MD5 of the local offline package file. If the two are consistent, the verification succeeds. If they are inconsistent, the client deletes the offline package and accesses the fallback resources directly.

Advantages:

  • Because the offline package is checked every time it is opened, the offline package is guaranteed to come from the correct source and to be free of tampering.

  • If the verification fails, the client degrades directly to the fallback address, reducing the impact on customers.
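The verification and fallback path of step 3, as an added Go example that is not mPaaS code. "Encrypting the MD5 with the private key" is modelled as an RSA PKCS#1 v1.5 signature, which is an assumption; MD5 is kept because the article specifies it, and the key pair, package bytes and fallback URL are constructed.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"os"
)

var serverKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair (step 1)

// serverSign is step 2: MD5 of the package, signed with the private key.
// PKCS#1 v1.5 padding is an assumption; MD5 is what the article specifies.
func serverSign(pkg []byte) ([]byte, error) {
	sum := md5.Sum(pkg)
	return rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.MD5, sum[:])
}

// openPackage is step 3, run on every open: a package that fails verification
// is deleted and the fallback address is returned instead of the local path.
func openPackage(pub *rsa.PublicKey, path string, sig []byte, fallback string) (string, error) {
	data, err := os.ReadFile(path)
	if err == nil {
		sum := md5.Sum(data)
		err = rsa.VerifyPKCS1v15(pub, crypto.MD5, sum[:], sig)
	}
	if err != nil {
		os.Remove(path) // never serve content that failed the check
		return fallback, fmt.Errorf("offline package rejected: %w", err)
	}
	return path, nil
}

func main() {
	pkg := []byte("<html>constructed offline page</html>")
	sig, _ := serverSign(pkg)
	for _, body := range [][]byte{pkg, append(pkg, "<script>"...)} { // genuine, then altered
		f, _ := os.CreateTemp("", "offline-*.pkg")
		f.Write(body)
		f.Close()
		fmt.Println(openPackage(&serverKey.PublicKey, f.Name(), sig, "https://fallback.example/"))
		os.Remove(f.Name())
	}
}
```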

MDS real-time publishing

The MDS real-time publishing service provides the APK publishing function and an MD5-based integrity check to ensure that downloaded APK files are not tampered with.

When the APK is uploaded, an MD5 is generated from the current APK. During local installation, the MD5 of the downloaded file is compared with the MD5 delivered by the server. If they match, the installation continues.

The following figure shows the MD5 fields delivered by the server:

MSS mobile synchronization

The mobile synchronization service Sync communicates over TCP. To ensure security, Sync can be configured to communicate in TCP+SSL mode.

After the Sync port number is set to 433, the client establishes its long connection over TCP+SSL. After the long connection request reaches the server side, SSL is offloaded at F5 or another similar load-balancing device, and the long connection is then handled by MSS.

The overall process is shown in the figure below:

Conclusion

With the rapid development of mobile applications, users are increasingly concerned about privacy and security issues involved in mobile applications.

Mobile applications cover a large amount of personal data of users. Once leakage occurs, it may have a significant impact on individuals and society, and at the same time, it is also a devastating blow to the long-term development of mobile application industry.

Mobile application developers should also pay attention to standardization and security in the development process, respect security issues and guard against compliance risks.


Author: Alibaba Cloud mPaaS TAM team (Rongyang)
