brief introduction ： Mobile applications cover a large amount of personal data of users , In case of leakage, it may be harmful to individuals 、 Have a significant impact on society , At the same time, it is also a devastating blow to the long-term development of the mobile application industry . Mobile app developers , Attention should also be paid to the standardization of the development process 、 Security , Fear security issues , Guard against compliance risks .
According to statistics , Add at least... Every year 150 Million kinds of mobile malware , At least cause more than 1600 Million mobile malware attacks .
and Android Because of its open ecological environment , The security problem is even more serious . In the application market , quite a lot Android App There are potential security risks , Once used , It will have a great impact on users and developers .
meanwhile , Along with 《 Network security law 》 as well as 《 Personal information protection law 》 And other relevant laws and regulations , Mobile application developers also need to work with government departments , Jointly create a secure mobile application environment , Promote the standardization of network security 、 Security 、 Healthy development .
To help mobile developers effectively respond to security requirements ,mPaaS Many modules in have adopted security policies ：
- Mobile application security reinforcement
- Privacy compliance testing
- RPC Signature encryption of
- Signature verification of offline package
- Mobile synchronized tcp+ssl Mechanism
- Hot fix encryption configuration
This article will introduce the above common mPaaS Several modules about safety design , For better use in the future .
Privacy compliance testing
With the continuous refinement and deepening of policies, regulations and regulatory standards , The supervision, investigation and punishment efforts are increasing ,App The policy risks faced by developers are also gradually increasing .
mPaaS Privacy compliance testing services , According to relevant national laws and regulations and industry specifications , To move App Privacy security 、 Personal data collection and use for compliance analysis .
Mobile security reinforcement
Combined with the upgrading of Alibaba's internal mobile application security reinforcement capability , We are now in mPaaS China export mobile application security reinforcement capability .
In view of the widespread mobile applications on the market 、 Tampering 、 Pirate 、 A fishing scam 、 Memory debugging 、 Data theft and other security risks ,mPaaS Mobile security reinforcement is App Provide stability 、 Simple 、 Effective safety protection , promote App Overall safety level , To ensure App Not to be cracked or attacked .
In response Android Common means of attack , such as Decompile 、 Second packing 、 Dynamic debugging, etc , We also focus on performance and compatibility .
- Strengthening ability has gone through Taobao 、 The practice of hundreds of millions of businesses such as rookies , In terms of security ;
- On compatibility , We support 4.2 To Android Q Of edition ;
- Able to support arm、x86、x64 System architecture , Stable operation in complex environment , The rate of running out is low ;
- in addition , Protection by obfuscation of classes , Increase attacker reverse App The difficulty of , Make the attack impossible .
As mPaaS One of the most important components ,RPC It provides a secure communication channel between client and server , Among them, security issues mainly include signing and encryption . The problem of adding signature is to prevent the client from being forged , The encryption solution is to prevent the request data from being leaked .
1 The signature of the
Overall process ：
- stay mPaaS When initializing the application in the background , Will be for each one App Create a unique appSecret;
- Client pass appid、WorkspaceID、appSecret Etc , Generate a wireless bodyguard picture . Through the encryption of the wireless bodyguard module , It ensures the data stored on the client appSecret The security of ;
- When the client requests , Get... From wireless bodyguards appSecret, Simultaneous addition OperationType、time、requestData Equal factor MD5 Calculation , Add to header Send to MGS gateway ;
- MGS After receiving, calculate again according to the same method MD5, If the same , Pass the verification .
advantage ： Through the wireless bodyguard mechanism , It ensures the built-in... In the client appSecret The security of .
Overall process ：
- adopt openssl Generate asymmetric key , The client saves the public key , The server reported an error private key ;
- Every time the client requests RPC Will generate a new symmetric key , The asymmetric secret key generated in the first step is used for encryption , Generate SecKey;
- The client uses the symmetric key to encrypt the original data at the same time , Get encrypted data SecData;
- The mobile gateway through the saved private key pair SecKey Decrypt to get the symmetric key ;
- The symmetric key obtained in the previous step , Encrypt data SecData To decrypt , Get raw data .
advantage ：RPC The encryption of adopts the mode of mixed encryption , A combination of asymmetric encryption and symmetric encryption is used . If you simply use a symmetric key , Although the performance is good , But not enough security . If asymmetric encryption is used alone , Although the security is guaranteed , But it will lead to poor performance , Not suitable for RPC This scenario of massive communication .
therefore RPC This hybrid encryption mode , A good combination of the advantages of the two .
3 Anti seizing bag
On the client side, in order to prevent the data from being caught by the packet capture software , The client has set to prevent packet capture , By setting the network library to prohibit agents , Solved the risk of being caught . The code is as follows ：
Many offline modules are used as business , In order to ensure that the offline package module distributed to the local is not tampered with , The offline package provides a signature verification mechanism .
Overall process ：
- To pass ahead of time openssl Generate public and private keys , The public key is built into the client , Store the private key to the server ;
- When the offline package is packed , The server makes changes to the files of the current offline package MD5 Calculation , Then, the calculated value is encrypted by asymmetric secret key to generate encrypted signature data , Distribute the offline package to the client ;
- Every time the client opens an offline package , Obtain the distributed public key through the public key in the client MD5 And local offline package files MD5 contrast , If the same , Check through , If it's not consistent , Then delete the offline package , Direct access fallback resources .
- Because the offline package is verified every time it is opened , It ensures that the source of the offline package is correct and not tampered with ;
- If the verification fails, it will be demoted directly to fallback Address , Reduce the impact on customer use
MDS Real time release
MDS Real time publishing services provide apk Publishing function of , At the same time, in order to ensure the download apk The file cannot be tampered with , Provides the basis for MD5 Integrity check of .
Upload on apk When , Will be based on the current apk Generate MD5 Send out , Download files locally during local installation MD5 And will be distributed by the server MD5 Do the matching , If the match is successful, the installation will continue .
Distributed by the server MD5 The fields are shown in the figure below :
MSS Mobile synchronization
Mobile synchronization service Sync Is based on TCP Communicating , In order to ensure safety ,Sync Can be configured as TCP+SSL Mode .
When specifying Sync The port number of is 433 After the port , The client will start based on TCP+SSL Realize long connection , After a long connection request is sent to the server , Need to pass through F5 Or other similar load devices SSL uninstall , The last to MSS Realize long connection .
The overall process is shown in the figure below ：
With the rapid development of mobile applications , Users' privacy issues related to mobile applications 、 Security issues are increasingly concerned .
Mobile applications cover a large amount of personal data of users , In case of leakage, it may be harmful to individuals 、 Have a significant impact on society , At the same time, it is also a devastating blow to the long-term development of the mobile application industry .
Mobile app developers , Attention should also be paid to the standardization of the development process 、 Security , Fear security issues , Guard against compliance risks .
The author of this article ： Alibaba cloud mPaaS TAM The team （ Rongyang ）
Copyright notice ： The content of this article is contributed by alicloud real name registered users , The copyright belongs to the original author , Alicloud developer community does not own its copyright , It also does not bear the corresponding legal liability . Please check the specific rules 《 Alicloud developer community user service agreement 》 and 《 Alibaba cloud developer community intellectual property protection guidelines 》. If you find any suspected plagiarism in this community , Fill in the infringement complaint form to report , Once verified , The community will immediately delete the suspected infringement content .