First, why I started this review of automated hardening services. A large part of the reason is interest: I am learning secure app development, which means picking up at least some mobile security knowledge, and most of the time we use an online automated security platform to harden the application. When I first had to choose a hardening product, I tried several vendors. Here I share some of the data I measured at the time, for your reference.


For mobile application developers, automated hardening is undoubtedly the most convenient security measure. Hardening can, to a certain extent, protect an application against decompilation and repackaging. Many online platforms now provide hardening services, including BAT. The underlying principle is similar across them, but there are big differences in strength and compatibility.

Here are some of the app hardening reviews I compiled earlier. A total of 5 platforms and 1 app were selected. The app was hardened on all five platforms, and the results were compared on ease of operation, startup time after hardening, application size after hardening, and compatibility.

Here are the five hardening platforms compared:

1. 360 Security: http://jiagu.360.cn/

2. Aliju Security: http://jaq.alibaba.com/

3. Tencent Cloud application hardening: https://www.qcloud.com/product/cr.html

4. Bang Bang Security: http://www.bangcle.com/

5. Pay shield mobile security cloud: http://www.appfortify.cn/pc-index.html

1. Ease of operation

First, the application was hardened on each of the 5 selected platforms. The application chosen is version 3.1.0.2 of Glamour Hui, with a size of 16MB. All the hardening used here is the free tier. There are premium paid options as well, but they are not included in this review.

360 Security

With 360 there are many options to choose before hardening starts, including add-on services such as log analysis, x86 architecture, application upgrade notification, and signature selection. They also have a desktop version that performs hardening locally.


Aliju Security

If you are an authenticated user, you can select an existing application or upload a new one to harden. Before hardening, the platform prompts that the application will first be scanned for malicious code, which is quite user-friendly. After hardening, download the file and sign it again. There is also an online multi-channel hardening option, which suits users who publish through several release channels.


Tencent Cloud app Legu

By default, Tencent Cloud selects hardening, vulnerability detection and channel monitoring after the application is uploaded. Adaptive analysis is optional and limited to once per day. The card-style interface design is quite similar to that of Aliju Security.


Bang Bang Security

The whole Bang Bang process is similar to the others, and you can choose whether to run a security assessment and application hardening at the same time.

Pay shield

In the Pay shield hardening interface, select the application to upload, select the services, and click submit.

Summary: none of the five platforms' hardening functions raises operational problems, mainly because the steps and processes are so similar. Judging purely on user experience, I think Tencent Cloud and Pay shield are better designed: once hardening completes, a signing tool is offered for download, which I find more thoughtful.

2. Comparison of hardening wait time

The hardening wait time was also recorded in this comparison. The time taken for the same application differs widely between platforms: the fastest was Aliju Security, which hardened the 16MB application in 35 seconds, and the slowest was Pay shield at 3 minutes 08 seconds. Besides differences between the hardening engines, the time difference may also reflect the hardening strength and the hardening items applied.



3. Size comparison before and after hardening

The hardened packages were downloaded and the unsigned applications were compared by size. Hardening with Aliju Security reduced the size of the application package by 1MB, while the packages from the other platforms fluctuated by 0-0.8MB.
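
The size comparison above, and the re-signing step mentioned for the downloaded packages, can be scripted. The following is an added example, not code from the original post or from any of the platforms: it treats an APK as a ZIP archive and reports the size change, the change in dex bytes, any added native libraries, and whether v1 (JAR) signature files are missing. The two sample archives are constructed in memory with placeholder entry names, and APK Signature Scheme v2+ blocks are not inspected.

```python
import io
import zipfile

# File suffixes of v1 (JAR) signature blocks inside META-INF/.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")

def apk_profile(data: bytes) -> dict:
    """Summarise an APK (a ZIP archive) held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
    names = [i.filename for i in infos]
    return {
        "size": len(data),
        # Uncompressed bytes of classes.dex, classes2.dex, ...
        "dex_bytes": sum(i.file_size for i in infos
                         if i.filename.startswith("classes")
                         and i.filename.endswith(".dex")),
        "native_libs": {n for n in names
                        if n.startswith("lib/") and n.endswith(".so")},
        "v1_signed": any(n.upper().startswith("META-INF/")
                         and n.upper().endswith(SIG_SUFFIXES) for n in names),
    }

def compare(before: bytes, after: bytes) -> dict:
    """Report what changed between the original and the hardened package."""
    b, a = apk_profile(before), apk_profile(after)
    return {
        "size_delta": a["size"] - b["size"],
        "dex_delta": a["dex_bytes"] - b["dex_bytes"],
        "added_native_libs": sorted(a["native_libs"] - b["native_libs"]),
        "v1_signature_missing": not a["v1_signed"],
    }

def make_apk(entries: dict) -> bytes:
    """Build a constructed stand-in APK in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()

# Constructed samples; entry names and sizes are placeholders.
ORIGINAL = make_apk({"AndroidManifest.xml": b"m", "classes.dex": b"\0" * 4000,
                     "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"})
HARDENED = make_apk({"AndroidManifest.xml": b"m", "classes.dex": b"\0" * 600,
                     "assets/payload.bin": b"\1" * 3900,
                     "lib/armeabi/libplaceholder.so": b"\2" * 500})

if __name__ == "__main__":
    print(compare(ORIGINAL, HARDENED))
```

To use it on real files, read the original and hardened APKs as bytes and pass them to `compare`.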



4. Comparison of startup speed before and after hardening

According to a third-party compatibility test on Testin, the compatibility of the signed application packages output by the five platforms is similar. The results of the test, which covered 100 major mobile phones, are as follows:

Except for 360, startup after hardening is slower than before on the other four platforms. Bang Bang Security has the biggest impact on speed.

5. Comparison of compatibility before and after hardening

Application compatibility is also a very important metric. This evaluation found that when the test application is hardened with universal shield, compatibility drops significantly, to only 88%. The other four did not change much.

Conclusion

Finally, here’s a summary of the statistics to see which platforms came in first in each of these categories:

It should be mentioned in particular that if you publish to the 360 and Baidu application markets, their rules do not allow the use of other brands' hardening, which makes for a poor experience. When choosing a hardening product, focus on two dimensions: compatibility and startup speed.

Finally, I would like to point out that this review used the free automated hardening tier; each platform currently also offers an API or higher-strength hardening schemes. However, with current hardening technology there are still ways to unpack a hardened application. For application security, hardening can be combined with other measures, such as embedding security components in the application, data encryption, and logic obfuscation.

This is my first post, so feedback is welcome 🙂