Here are some thoughts from a recent implementation of an App security programme. Some of the security products involved need to be bought, but in this article you will integrate them yourself. There are many components to develop, so based on my personal experience I have simply sketched out the following layers, leaving out the App (client) side and the host environment.

The data processing

The communication layer

The HTTP protocol is easy to understand and use, and most of our web applications are built on it. Mobile Internet now holds a large share of the market, and App development has entered an era of mixed protocols. This is the communication layer: the channel through which data is transmitted.

Requests may come from one of these places:

i. App: native mobile applications
ii. Web side: ordinary web page requests, or H5 pages
iii. Mini-programs (applets): the various encapsulated calls (most follow the platform's own development approach)
iv. Open platform: various SaaS and PaaS integrations

The difficulty of cracking the communication layer, from hardest to easiest: Socket (own binary protocol) > WebSocket (WSS, WS, etc.) > HTTPS > HTTP. Read this as a ranking of reverse-engineering effort, not of confidentiality: a custom binary protocol over plain TCP, or plain WS, can be read by anyone on the path, whereas HTTPS and WSS are protected by TLS. What decides whether an on-path attacker can read or alter traffic is whether the channel runs under TLS; a private protocol on top of it only adds analysis cost.

Encryption at the communication layer mainly raises the attacker's analysis cost; it cannot defend against every attack. The advantage of keeping the communication layer independent is that the interaction protocol can be switched or upgraded at any time without affecting the underlying services and policies.

Encryption layer

The encryption layer is the set of algorithms agreed between the caller and the server. Two families are in use today: symmetric encryption and asymmetric encryption.

Symmetric encryption means a single secret key is kept, and whoever holds it can recover the protected data. Some of the more popular symmetric algorithms are:

DES (56-bit key; brute-forceable for years now, do not use)
3DES (deprecated and slow; only for legacy interoperability)
AES (the current standard; use an authenticated mode such as AES-GCM so that tampering is detected as well)

Symmetric keys are difficult to manage: every client needs the same secret, so the key has to live somewhere in the App, where it can be extracted, and once one copy leaks everything protected with it is exposed. Replacing a key that has been shipped to every client is costly. On the other hand, symmetric algorithms are several orders of magnitude faster than asymmetric ones.

Asymmetric encryption, by contrast, uses different keys for encryption and decryption: the public key can be handed out freely, and only the holder of the private key can decrypt (or sign). Security is relatively high, but the operations are relatively slow, so in practice it is used to exchange or wrap a symmetric key rather than to encrypt bulk data. Common asymmetric algorithms are:

RSA (the widely known one; encryption and signatures)
DSA (signatures only)
ECC (elliptic-curve schemes such as ECDSA for signatures and ECDH for key agreement)

Here is an interesting practice: an important root private key is stored on a dedicated small hardware device. The device is kept in a safe that requires the passwords of four different people to open, a form of multi-person control. The security level is very high.

MD5, SHA1 and the like, which are often lumped in here, are not encryption algorithms at all: they are hash functions, covered in the next layer.

Attestation layer

This layer verifies the transmitted information, so that we can tell whether it has been tampered with. For some information, such as passwords, even a plain MD5 is much better than storing the original text, though an unsalted MD5 of a password falls quickly to precomputed tables and GPU brute force, so a salted, deliberately slow hash is the real baseline.

Although DSA, RSA and the like can digitally sign a message, in practice we mostly use digest algorithms, also called hash algorithms. For data in transit the digest has to be keyed with a secret the attacker does not hold (an HMAC), otherwise anyone who alters a field can simply recompute the digest as well.
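How a keyed digest catches tampering, as an added example that is not code from the original article: the caller sorts the request parameters into one canonical string, computes HMAC-SHA256 over it with a shared secret, and sends the hex tag; the server recomputes and compares in constant time. The secret, the parameter set and the edited amount are all constructed for the demo, and Sign, Verify and canonical are names assumed by this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// canonical turns the request parameters into one fixed byte string:
// sorted by name and joined as k=v&k=v, so App and server hash identical
// bytes no matter what order the HTTP library emits the fields in.
func canonical(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+params[k])
	}
	return strings.Join(parts, "&")
}

func tag(secret []byte, params map[string]string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonical(params)))
	return mac.Sum(nil)
}

// Sign is what the caller does: HMAC-SHA256 over the canonical string,
// hex-encoded and sent alongside the parameters. The secret itself never
// travels, which is why a plain digest (MD5/SHA1 of the fields) would not
// do: anyone who alters a field could recompute that too.
func Sign(secret []byte, params map[string]string) string {
	return hex.EncodeToString(tag(secret, params))
}

// Verify is what the server does: recompute and compare in constant time,
// so an attacker cannot recover a valid tag byte by byte from timing.
func Verify(secret []byte, params map[string]string, sig string) bool {
	got, err := hex.DecodeString(sig)
	if err != nil {
		return false
	}
	return hmac.Equal(got, tag(secret, params))
}

func main() {
	secret := []byte("constructed-shared-secret") // assumed to be provisioned per client
	req := map[string]string{"uid": "42", "amount": "100", "ts": "1700000000"}
	sig := Sign(secret, req)
	fmt.Println("signature:", sig)
	fmt.Println("genuine request verifies:", Verify(secret, req, sig))

	req["amount"] = "100000" // attacker edits the amount in transit
	fmt.Println("tampered request verifies:", Verify(secret, req, sig))
}
```

The tag proves that nobody without the secret changed the fields; it does not by itself stop an unmodified request from being replayed, which is why the timestamp (and, in practice, a nonce) is part of the signed fields and is checked separately by the business layer.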

A digest cannot be reversed to recover the original data; a salt is usually added so that identical inputs do not produce identical digests and precomputed tables cannot be reused against them. Common digest algorithms are:

MD5 (a fast general-purpose digest; practical collisions exist, so it should not appear in new designs)
SHA1 (also fast; collision attacks have been demonstrated and it is being phased out)
Bcrypt (not a general digest but a password-hashing function: built-in random salt plus a tunable cost, which is what a stored password actually needs)

It is worth mentioning that Bcrypt is widely used at present. Its characteristic is that even when the same input is hashed twice, different output is produced, because a fresh random salt is generated and embedded each time; it is also deliberately slow, with a cost parameter that can be raised as hardware gets faster. That makes it far harder to attack than a plain MD5 or SHA1 of the password.

A stored bcrypt value looks like this, which you have probably seen before (the $2a$ prefix, the cost 10, then the 22-character salt and 31-character hash in one string):

$2a$10$iRdNmYoINR8QqynemTsP2OzFtM7N5pFPoBFuzAtvR6YBtov4gRt7e

In practice, some systems like to chain several digest algorithms in the hope of extra security. But once the chain is known it adds nothing: the result is still deterministic and unsalted, so one pass over a password dictionary cracks every user at once.

Multiple hash: MD5(MD5(SHA1(str)))
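The difference between a deterministic chain and a salted, slow hash, as an added example that is not code from the original article. NestedHash is the MD5(MD5(SHA1(str))) chain above (hex-encoding between stages is an assumption of this example); HashPassword and VerifyPassword show the bcrypt property, a random salt stored with the digest and a work factor, using an inline HMAC-SHA256 loop so that the block has no dependencies. That loop stands in for bcrypt here and is not bcrypt; the record format and the sample password are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// NestedHash is the MD5(MD5(SHA1(str))) chain from the text, with each stage
// hex-encoded before feeding the next (that encoding is an assumption here).
// It is fully deterministic and unsalted: the same password always gives the
// same output, so a dictionary hashed once through the chain cracks every user.
func NestedHash(password string) string {
	s := sha1.Sum([]byte(password))
	m1 := md5.Sum([]byte(hex.EncodeToString(s[:])))
	m2 := md5.Sum([]byte(hex.EncodeToString(m1[:])))
	return hex.EncodeToString(m2[:])
}

// DefaultIterations is the work factor, the analogue of bcrypt's "$10$" cost.
const DefaultIterations = 50000

// stretch iterates HMAC-SHA256 over the salt (a small PBKDF2-style loop,
// written inline so the example has no dependencies; a real service should
// use bcrypt, scrypt or Argon2 instead of a hand-rolled loop).
func stretch(password, salt []byte, iterations int) []byte {
	out := salt
	for i := 0; i < iterations; i++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

// HashPassword draws a fresh random salt on every call, so hashing the same
// password twice yields two different records (the bcrypt property the text
// describes). The record carries everything needed to verify: "iters$salt$digest".
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	digest := stretch([]byte(password), salt, DefaultIterations)
	return fmt.Sprintf("%d$%s$%s", DefaultIterations,
		hex.EncodeToString(salt), hex.EncodeToString(digest)), nil
}

// VerifyPassword parses the stored record, re-derives with the stored salt
// and iteration count, and compares in constant time. Malformed records fail closed.
func VerifyPassword(password, record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 3 {
		return false
	}
	iterations, err := strconv.Atoi(parts[0])
	if err != nil || iterations <= 0 {
		return false
	}
	salt, err := hex.DecodeString(parts[1])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[2])
	if err != nil {
		return false
	}
	return hmac.Equal(stretch([]byte(password), salt, iterations), want)
}

func main() {
	fmt.Println("nested #1:", NestedHash("123456"))
	fmt.Println("nested #2:", NestedHash("123456")) // identical: guessed once, guessed for all
	r1, _ := HashPassword("123456")
	r2, _ := HashPassword("123456")
	fmt.Println("salted #1:", r1)
	fmt.Println("salted #2:", r2) // differs from #1, yet both verify
	fmt.Println("verify correct:", VerifyPassword("123456", r1), VerifyPassword("123456", r2))
	fmt.Println("verify wrong:  ", VerifyPassword("1234567", r1))
}
```

Storing the iteration count in the record is what lets the cost be raised later without invalidating existing users: old records keep verifying with their own count, and new ones are written with the higher one.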

Business protection

Even so, data can still be forged by a legitimate holder of the keys. The business layer needs to validate the incoming parameters and make a genuine business judgement about them. For example, MVCC together with CAS (compare-and-swap on a version stamp) is used to protect balance operations, so that two requests that both read the same balance cannot both spend it.

Requests should as far as possible be idempotent, and must not be re-entrant: repeating the same request must not perform the operation twice. Forged information should be recognisable by custom rules.
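The two guards above on a balance operation, as an added example that is not code from the original article: each account carries a version stamp (the MVCC part), Debit only applies when the caller presents the version it read (the CAS part), and an idempotency key makes a repeated request return the original outcome instead of debiting again. The in-memory Ledger, the account, the amounts and the request keys are constructed for the demo, and the type and method names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	ErrNoAccount    = errors.New("no such account")
	ErrInsufficient = errors.New("insufficient balance")
	ErrConflict     = errors.New("version conflict: re-read and retry")
	ErrKeyReused    = errors.New("idempotency key reused with different parameters")
)

// Account carries a version stamp that changes on every successful write,
// the piece of MVCC that a compare-and-swap needs.
type Account struct {
	Balance int64
	Version int64
}

// outcome is what the first execution of an idempotency key produced; a
// repeat of that key must get the same answer without touching the balance.
type outcome struct {
	acct   string
	amount int64
	err    error
}

type Ledger struct {
	mu       sync.Mutex
	accounts map[string]*Account
	done     map[string]outcome
}

func NewLedger() *Ledger {
	return &Ledger{accounts: map[string]*Account{}, done: map[string]outcome{}}
}

func (l *Ledger) Open(acct string, balance int64) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.accounts[acct] = &Account{Balance: balance}
}

// Read returns the balance and the version the caller must present to Debit.
func (l *Ledger) Read(acct string) (balance, version int64, err error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	a, ok := l.accounts[acct]
	if !ok {
		return 0, 0, ErrNoAccount
	}
	return a.Balance, a.Version, nil
}

// Debit withdraws amount only if the account is still at expectVersion
// (compare-and-swap), so two callers who read the same state cannot both
// spend it. A repeated idempotency key returns the recorded outcome instead
// of debiting twice (the re-entry guard); the same key with different
// parameters is rejected outright. Version conflicts are not recorded, so a
// legitimate retry with a fresh version can still go through.
func (l *Ledger) Debit(idemKey, acct string, amount, expectVersion int64) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if prev, seen := l.done[idemKey]; seen {
		if prev.acct != acct || prev.amount != amount {
			return ErrKeyReused
		}
		return prev.err
	}
	a, ok := l.accounts[acct]
	if !ok {
		return ErrNoAccount
	}
	if a.Version != expectVersion {
		return ErrConflict
	}
	var err error
	if a.Balance < amount {
		err = ErrInsufficient
	} else {
		a.Balance -= amount
		a.Version++
	}
	l.done[idemKey] = outcome{acct: acct, amount: amount, err: err}
	return err
}

func main() {
	l := NewLedger()
	l.Open("acct-1", 100)
	_, v, _ := l.Read("acct-1") // clients A and B both read balance 100 at version 0
	fmt.Println("A debits 60:", l.Debit("req-A", "acct-1", 60, v)) // <nil>
	fmt.Println("B debits 60:", l.Debit("req-B", "acct-1", 60, v)) // conflict, not a -20 balance
	bal, v, _ := l.Read("acct-1")
	fmt.Println("B retries at version", v, ":", l.Debit("req-B", "acct-1", 60, v)) // insufficient
	fmt.Println("A replays:", l.Debit("req-A", "acct-1", 60, v))                   // <nil>, no second debit
	bal, _, _ = l.Read("acct-1")
	fmt.Println("final balance:", bal) // 40
}
```

In a real service the version check is the WHERE clause of the UPDATE (update ... where id = ? and version = ?) and the idempotency table lives in the same transaction, but the decision logic is the one shown: the version stops double-spends between concurrent clients, the key stops a single client from being charged twice for one retried request.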

Scanning tools look for things like XXE, Struts vulnerabilities and so on, which is a playground for many people. Here, I suggest you buy a service.

And finally, risk-control systems. Although important, few companies are capable of building one, including some P2P lending platforms, so let the bullets fly for a while (let's wait and see).

I think coupon systems also fall into the category of business protection. Of course, there are also the banks, whose business protection is the armed cross-provincial pursuit that follows an incident.

Specification

For the same kind of business interaction, one HTTP request carries data in both the request body and the query parameters, while another turns out to be a POST of a different shape. The back-end handling then has to branch for every variant, which makes it a lot more complex and is not conducive to troubleshooting.

Problems of this kind also include sending large numbers of unused fields, nesting information too deeply, and inconsistent error codes. Many failures that leave you too frustrated to cry trace back to these.

At the communication layer, certain conventions are important enough to be worth designing up front.

Development mode

Development mode is the back door you leave for yourself.

With all the encryption, verification, re-entry protection and other components in place, your system is probably already highly secure. So secure that it locks you out as well.

You will see the value of this when you need to construct a request by hand. Through a few switches or a grey-release channel you can skip some of the links in the chain, go straight to analysing the root cause, and verify a fix faster. Treat such a switch as part of the attack surface: it should default to off, be unavailable in production builds, and log every use, otherwise the back door you left for yourself is one you have left for everyone.

Detailed logging is a powerful aid when a system runs into problems, and when a business process has many long branches, a call chain (trace) can significantly speed up diagnosis. Plan the integration and configuration of these functions from the start of the design, so that the key stages can be observed and tuned.

End

Security is important. Selling it depends on hype, but not buying it hurts too, and it costs money either way. Buy yourself some peace of mind.