Whether it is an Android app or a Jar app, once the code is distributed it runs in some form of untrusted environment, and it is hard to prevent it from being analyzed and cracked. Secrets hidden in code, whether proprietary algorithms, private protocols or encryption keys, can be extracted by attackers and then used to infringe the commercial interests or intellectual property rights of the original author. Reverse engineering of an application is therefore a source of business risk.

#1: Mobile application security status analysis

According to the Ministry of Industry and Information Technology, the number of mobile apps in China had reached 4.5 million by 2019, with games, life services and e-commerce apps ranking top three.

For market segmentation, let’s look at the financial industry. According to data from the China Information and Communications Institute, in 2019 only 17.08% of the 22,777 financial industry apps in China had completed security hardening, while more than 80% of financial industry apps “ran naked” in the application market without any security hardening. The financial industry is representative of the whole: other industries have similar problems.

Let’s look at regulatory policy:

For the financial industry, the People’s Bank of China issued the mobile financial client application software security management standards, which clearly standardize the security hardening requirements for mobile apps. For the education industry, the Ministry of Education issued opinions on guiding the orderly and healthy development of educational mobile Internet applications, together with a specific administrative action plan for mobile Internet applications used in college and university management services; these require that an education App pass a security assessment before going online and that security risks be fixed promptly through security hardening.

Given the regulatory requirements of the financial and education industries and the country’s increasing attention to the mobile Internet, other industries may also introduce related security policy requirements in succession.

#2: A new mobile application security strategy

The following describes the process of upgrading and iteration of Alibaba’s internal mobile security protection policy.

The first and second generation hardening schemes mainly applied shell (packer) protection to the APK: the DEX is hidden and encrypted, then dynamically loaded and unpacked at runtime. The advantage of shell hardening is that it does not increase the size of the application, and because the DEX is hidden it counters static analysis of the DEX.

As attack techniques kept improving, Ali mobile security hardening was upgraded again. It has now progressed to the third generation of hardening: conversion of Java bytecode to native binary code.

The principle and goal of Ali’s internal hardening is not only to fully improve its own security capability, increasing the difficulty of cracking and the attacker’s cost, but also to minimize the integration cost for business parties while taking runtime performance and package size into account.

Main risk points to deal with:

  • Java/Smali bytecode is decompiled into Java source by tools
  • Java/Smali bytecode is read directly
  • Native-layer code is decompiled into C source code by tools

The security of Java bytecode is limited by its format and instruction set. Native binaries, however, are much more difficult to crack than Java bytecode. So we convert bytecode to native binary code, and the code logic moves into the .so library. What used to be a Java method call is now a JNI call. The attacker’s Java reversing skills no longer apply; they are forced to reverse native binaries, which is far harder than reversing bytecode.
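As an added illustration (this is not mPaaS code) of the first/second generation scheme above: the APK ships an opaque encrypted blob in place of the real DEX and the stub decrypts it just before dynamic loading, so a decompiler pointed at the package finds no DEX to work on. `check_dex_header` is a defender-side check based on the real DEX header layout (magic, adler32 checksum, SHA-1 signature); the toy keystream, the key and the sample payload are constructed for the demo. The caveat the code comments note is why the page moves on to the third generation: the key must be present in the stub, so shelling only defeats static analysis, and the plain DEX still exists in memory at runtime.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"    # magic of a classic DEX file
HEADER_SIZE = 0x70            # fixed DEX header length
ENDIAN_CONSTANT = 0x12345678

def build_min_dex(payload: bytes) -> bytes:
    """Constructed sample: a header-consistent DEX container around `payload`.
    Not loadable by ART (no tables), but magic, checksum and signature follow
    the real header layout, which is all the check below needs."""
    # file_size, header_size, endian_tag, then the 17 remaining uint32 fields zeroed
    rest = struct.pack("<III", HEADER_SIZE + len(payload), HEADER_SIZE, ENDIAN_CONSTANT)
    rest += b"\0" * (HEADER_SIZE - 32 - 12) + payload
    signature = hashlib.sha1(rest).digest()                 # SHA-1 of everything after offset 32
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF  # adler32 of everything after offset 12
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest

def check_dex_header(data: bytes) -> dict:
    """Defender-side check: is this blob a genuine, self-consistent DEX?
    A packed app's hidden payload blob fails the magic test outright."""
    ok = {"magic": data[:8] == DEX_MAGIC, "checksum": False, "signature": False}
    if not ok["magic"] or len(data) < HEADER_SIZE:
        return ok
    (stored,) = struct.unpack_from("<I", data, 8)
    ok["checksum"] = stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    ok["signature"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    return ok

def _keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, constructed for this demo only."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "little")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def shell_pack(dex: bytes, key: bytes) -> bytes:
    """Generation 1/2 idea: the APK ships this opaque blob instead of the real
    classes.dex, so decompilers find no DEX to work on (static analysis)."""
    return bytes(a ^ b for a, b in zip(dex, _keystream(key, len(dex))))

def shell_unpack(blob: bytes, key: bytes) -> bytes:
    """What the stub does at runtime right before dynamically loading the DEX.
    The key has to live in the stub, so this defeats static analysis only."""
    return shell_pack(blob, key)  # XOR with the same keystream is its own inverse
```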

#3: mPaaS mobile security hardening comes online

Building on the upgrade of Ali’s internal mobile application security hardening capability, we have officially launched mobile application security hardening in mPaaS.

mPaaS mobile security hardening provides stable, simple and effective protection for an App, raises its overall security level, and protects it from cracking and attack. It targets the security risks common to mobile apps on the market, such as cracking, tampering, piracy, phishing fraud, memory debugging and data theft.

While dealing with common Android attacks, such as decompilation, repackaging, and dynamic debugging, we also focus on performance and compatibility.

  • The hardening capability has been proven in practice on Taobao, Cainiao and other businesses serving hundreds of millions of users, so its security is guaranteed;
  • In terms of compatibility, we support Android 4.2 through Android Q;
  • It supports the ARM, x86 and x64 architectures, runs stably in complex environments, and has a low crash rate;
  • In addition, class obfuscation protection makes it harder for an attacker to reverse the App, leaving the attack nowhere to start.

Product core value

Through the previous introduction, you should now have a preliminary understanding of mPaaS mobile application hardening. The following summarizes the advantages of mPaaS mobile application security hardening.

  • Operation is simple: upload the package to be hardened on the console and it works out of the box. Developers, project managers and others can all use it;
  • High stability and compatibility, very low crash rate;
  • Verified on Taobao and other Alibaba apps, so security is guaranteed;
  • Supports Android 4.2 through Android Q and the ARM, x86 and x64 architectures;
  • In addition, Java bytecode-level obfuscation protection is supported, increasing the attacker’s cost of reversing the App and maximizing its security.

List of mobile security hardening capabilities

We provide security protection along the dimensions of decompilation protection, tamper protection, debugging protection and others, with corresponding security policies for DEX files, SO files and the various Hook frameworks. The list of capabilities is as follows:

At the same time, mPaaS mobile security hardening is fully compatible with the mPaaS hot repair capability. With hot repair, problems in an online version can be fixed quickly without a new release, ensuring service continuity. You can try the hot repair capability on the mPaaS console.

Performance

Easy access, special offer for Double 11

Mobile application security hardening is easy to integrate: only 8 steps are needed. When Double 11 arrives, mPaaS mobile security hardening will be officially launched on Alibaba Cloud. You are welcome to try it out.


Follow the “mPaaS” public account and reply “Security Hardening” to obtain the complete PPT slides.