
Compliance security assessment: overall point of mobile application security strategy

2021-09-15 07:49:18 Alibaba cloud developers

Summary: Mobile applications hold large amounts of users' personal data. If that data leaks, the harm to individuals and the impact on society can be significant, and it is also a serious blow to the long-term development of the mobile application industry. Mobile app developers therefore need to pay attention to the standardisation and security of their development process, take security issues seriously, and guard against compliance risks.


According to statistics, at least 1.5 million new kinds of mobile malware appear every year, causing at least 16 million mobile malware attacks.

Android, because of its open ecosystem, has an even more serious security problem. A considerable number of Android apps in the app markets carry potential security risks, and once those risks are exploited the impact on both users and developers is large.

At the same time, with the introduction of the Cybersecurity Law, the Personal Information Protection Law and other related laws and regulations, mobile application developers also need to work together with government departments to build a secure mobile application environment and promote the standardised, secure and healthy development of the industry.

To help mobile developers respond effectively to these security requirements, many mPaaS modules have adopted security measures, including:

  • Mobile application security hardening
  • Privacy compliance testing
  • RPC request signing and encryption
  • Offline package signature verification
  • Mobile Sync TCP+SSL mechanism
  • Hotpatch encryption configuration

……

This article introduces the security design of the mPaaS modules listed above, so that they can be used more effectively.

Privacy compliance testing

As policies, regulations and regulatory standards are continuously refined and deepened, and enforcement, investigation and penalties intensify, the policy risk faced by app developers also grows.

The mPaaS privacy compliance testing service analyses a mobile app's privacy protection and its collection and use of personal data for compliance against the relevant national laws, regulations and industry specifications.

Across dimensions such as personal information collection, permission usage scenarios and the privacy policy, it helps enterprises and app developers identify risks, provides corresponding expert remediation advice, and helps customers avoid regulatory penalties and pass app-store review.


Mobile security hardening

Building on the upgrade of Alibaba's internal mobile application security hardening capability, we now export that capability in mPaaS.

Against the security risks that are widespread among mobile applications on the market, such as tampering, piracy, phishing fraud, memory debugging and data theft, mPaaS mobile security hardening gives apps stable, simple and effective protection, raising the app's overall security level and making it much harder for the app to be cracked or attacked.

Against common Android attack techniques such as decompilation, repackaging and dynamic debugging, we also focus on performance and compatibility:

  • The hardening capability has been proven in practice by Taobao, Cainiao and other businesses serving hundreds of millions of users;
  • For compatibility, Android 4.2 through Android Q are supported;
  • The arm, x86 and x64 architectures are supported, with stable operation in complex environments and a low crash rate;
  • In addition, class obfuscation raises the difficulty of reversing the app, leaving attackers with no easy starting point.


RPC

As one of the most important components of mPaaS, RPC provides a secure communication channel between client and server. Its security design has two main parts: signing and encryption. Signing prevents forged clients; encryption prevents request data from being leaked.

1. Signing


Overall process:

  1. When the application is initialised in the mPaaS console, a unique appSecret is created for each app;
  2. The client generates a Wireless Bodyguard (无线保镖) image from the appid, WorkspaceID, appSecret and other parameters. The Wireless Bodyguard module's encryption protects the appSecret stored on the client;
  3. When the client sends a request, it obtains the appSecret from Wireless Bodyguard, computes an MD5 over it together with factors such as OperationType, time and requestData, and adds the result to the header sent to the MGS gateway;
  4. After receiving the request, MGS recomputes the MD5 in the same way; if the values match, verification passes.

Advantage: the Wireless Bodyguard mechanism protects the appSecret built into the client. Two points a practitioner should keep in mind: because time is one of the signed factors, the gateway should also reject requests whose timestamp falls outside an acceptable window, otherwise a captured header can be replayed; and since the secret ultimately lives on the device, obfuscation raises the cost of extracting it rather than making extraction impossible.
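The signing flow above, written out end to end as an added example (this is not mPaaS code; the concatenation layout of the signed factors, the `|` separator, the "appId/workspaceId" lookup key and the 5-minute freshness window are assumptions of the example). It shows the client computing the header value, the gateway recomputing it with its own copy of appSecret, and the two checks the text implies but does not spell out: a timestamp window and a constant-time comparison.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// signedRequest is the subset of an RPC request that matters for signing.
// Sign is the hex MD5 carried in the request header.
type signedRequest struct {
	AppID, WorkspaceID string
	OperationType      string
	Time               int64  // unix seconds, the "time" factor
	RequestData        string // serialized request body
	Sign               string
}

// computeSign mixes the factors named in the text (OperationType, time,
// requestData) with the appSecret. The concatenation layout and '|' separator
// are assumptions of this example; the real mPaaS layout is not shown.
func computeSign(appSecret, operationType string, ts int64, requestData string) string {
	payload := operationType + "|" + strconv.FormatInt(ts, 10) + "|" + requestData + "|" + appSecret
	sum := md5.Sum([]byte(payload))
	return hex.EncodeToString(sum[:])
}

// clientSign is step 3: the client has fetched appSecret from Wireless
// Bodyguard (here simply passed in) and signs before sending.
func clientSign(appSecret string, req signedRequest) signedRequest {
	req.Sign = computeSign(appSecret, req.OperationType, req.Time, req.RequestData)
	return req
}

// secretStore stands in for the gateway's lookup of the appSecret created at
// app initialisation, keyed as "appId/workspaceId" (assumed key layout).
type secretStore map[string]string

// gatewayVerify is step 4: recompute the MD5 the same way and compare.
// It also rejects timestamps outside `window` around `now`, so a captured
// header cannot be replayed indefinitely, and compares in constant time.
func gatewayVerify(store secretStore, req signedRequest, now time.Time, window time.Duration) error {
	secret, ok := store[req.AppID+"/"+req.WorkspaceID]
	if !ok {
		return fmt.Errorf("unknown app %q in workspace %q", req.AppID, req.WorkspaceID)
	}
	skew := now.Sub(time.Unix(req.Time, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > window {
		return fmt.Errorf("timestamp %d outside %s window", req.Time, window)
	}
	expected := computeSign(secret, req.OperationType, req.Time, req.RequestData)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(req.Sign)) != 1 {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

func main() {
	store := secretStore{"demoapp/default": "demo-app-secret"} // constructed sample
	now := time.Now()
	req := clientSign("demo-app-secret", signedRequest{
		AppID: "demoapp", WorkspaceID: "default",
		OperationType: "com.example.user.login", Time: now.Unix(),
		RequestData: `{"user":"alice"}`,
	})
	fmt.Println("sign:", req.Sign)
	fmt.Println("genuine:", gatewayVerify(store, req, now, 5*time.Minute))
	forged := req
	forged.RequestData = `{"user":"mallory"}`
	fmt.Println("tampered:", gatewayVerify(store, forged, now, 5*time.Minute))
}
```

Changing any signed factor after signing, replaying an old header outside the window, or presenting an unknown appid all fail at the gateway; the gateway never needs the request to carry the secret itself.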

2. Encryption


Overall process:

  1. Generate an asymmetric key pair with openssl; the client keeps the public key and the server keeps the private key;
  2. For every RPC request the client generates a new symmetric key and encrypts it with the public key from step 1, producing SecKey;
  3. The client also encrypts the original data with the symmetric key, producing SecData;
  4. The mobile gateway decrypts SecKey with its stored private key to recover the symmetric key;
  5. With the symmetric key from the previous step, the gateway decrypts SecData to recover the original data.

Advantage: RPC encryption uses a hybrid scheme that combines asymmetric and symmetric encryption. Symmetric encryption alone performs well but, with one key embedded in every client, is not secure enough; asymmetric encryption alone is secure but performs poorly and is unsuitable for the massive volume of RPC traffic.

The hybrid mode therefore combines the advantages of both.
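The five-step hybrid exchange, as an added example rather than mPaaS code. The text does not name the algorithms, so this example assumes RSA-OAEP with SHA-256 for wrapping the per-request key (SecKey) and AES-256-GCM for the body (SecData); the GCM nonce is a requirement of that choice, not something the text describes. The key pair is generated in-process instead of with openssl.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// encryptedRequest carries the two artefacts named in the text plus the
// AES-GCM nonce (an assumption of this example's algorithm choice).
type encryptedRequest struct {
	SecKey  []byte // per-request symmetric key, encrypted with the gateway public key
	Nonce   []byte
	SecData []byte // request body encrypted with the symmetric key
}

// clientEncrypt is steps 2 and 3: a fresh 256-bit key per request, wrapped
// with RSA-OAEP(SHA-256) to give SecKey, then the body sealed with AES-256-GCM
// to give SecData.
func clientEncrypt(gatewayPub *rsa.PublicKey, plaintext []byte) (*encryptedRequest, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	secKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &encryptedRequest{SecKey: secKey, Nonce: nonce, SecData: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// gatewayDecrypt is steps 4 and 5: unwrap the symmetric key with the private
// key, then open SecData. GCM's tag check rejects any modified ciphertext.
func gatewayDecrypt(gatewayPriv *rsa.PrivateKey, req *encryptedRequest) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, gatewayPriv, req.SecKey, nil)
	if err != nil {
		return nil, fmt.Errorf("SecKey unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, req.Nonce, req.SecData, nil)
	if err != nil {
		return nil, fmt.Errorf("SecData rejected: %w", err)
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// The key pair the text generates with openssl; generated in-process here.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	req, err := clientEncrypt(&priv.PublicKey, []byte(`{"op":"transfer","amount":100}`)) // constructed body
	if err != nil {
		panic(err)
	}
	plain, err := gatewayDecrypt(priv, req)
	fmt.Printf("gateway saw: %s (err=%v)\n", plain, err)
}
```

Two properties worth checking on any implementation of this scheme: each request must produce a different SecKey (a fresh symmetric key), and a single flipped byte in SecData must be rejected rather than decrypted into garbage, which is why an authenticated mode is used for the body.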

3. Anti packet capture

On the client side, to prevent data from being captured by packet-capture software, the client network library is configured to refuse proxies, which blocks capture through proxy-based tools. Note that refusing proxies only removes the most convenient capture route; an attacker who controls the device can still observe traffic in other ways, so the signing and encryption described above remain the real protection. The corresponding client code appears as a screenshot in the original article and is not reproduced here.

Offline package

Many businesses use offline packages as modules. To ensure that an offline package distributed to the device is not tampered with, the offline package component provides a signature verification mechanism.

Overall process:

  1. Generate a public/private key pair with openssl in advance; the public key is built into the client and the private key is stored on the server;
  2. When the offline package is built, the server computes an MD5 over the package's files, then encrypts (signs) the computed value with the private key to produce the signature data, and distributes the offline package to the client;
  3. Every time the client opens an offline package, it uses the built-in public key to recover the distributed MD5 and compares it with the MD5 of the local offline package files; if they match, verification passes; if not, the offline package is deleted and the fallback resource is accessed directly.


Advantages:

  • Because the offline package is verified every time it is opened, its source is guaranteed to be correct and its content untampered;
  • If verification fails the client degrades directly to the fallback address, reducing the impact on users.
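The offline package flow as an added example (not mPaaS code). The page says the MD5 is "encrypted with the private key", which in practice is an RSA signature; this example assumes PKCS#1 v1.5 signatures over the MD5 digest, a package represented as a path-to-content map, and an in-process key pair instead of openssl. It also makes one design point explicit that the text leaves implicit: the digest over "the package's files" must be computed in a fixed order and must bind file boundaries, otherwise two different packages could share a digest. MD5 is used here because the page uses it; switching `crypto.MD5`/`md5.New` to SHA-256 is a two-line change and is what a new design should do.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"sort"
)

// offlinePackage maps a file path inside the package to its content; a stand-in
// for the unpacked H5 offline package on disk.
type offlinePackage map[string][]byte

// packageDigest is the "MD5 over the package files" from step 2. Paths are
// sorted and each entry is length-prefixed, so the digest does not depend on
// map iteration order and moving bytes between files changes it.
func packageDigest(pkg offlinePackage) []byte {
	h := md5.New()
	paths := make([]string, 0, len(pkg))
	for p := range pkg {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Fprintf(h, "%d:%s:%d:", len(p), p, len(pkg[p]))
		h.Write(pkg[p])
	}
	return h.Sum(nil)
}

// serverSign is step 2: "encrypt the MD5 with the private key", i.e. an RSA
// PKCS#1 v1.5 signature over the 16-byte digest (signature format assumed).
func serverSign(priv *rsa.PrivateKey, pkg offlinePackage) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.MD5, packageDigest(pkg))
}

// clientVerify is step 3: recompute the local digest and check it against the
// distributed signature with the public key built into the client.
func clientVerify(pub *rsa.PublicKey, pkg offlinePackage, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.MD5, packageDigest(pkg), sig)
}

// openOfflinePackage models the decision made every time a package is opened:
// serve the local files, or drop the package and use the fallback address.
// The returned source is "local" or the fallback URL.
func openOfflinePackage(pub *rsa.PublicKey, pkg offlinePackage, sig []byte, fallbackURL string) (source string, verified bool) {
	if err := clientVerify(pub, pkg, sig); err != nil {
		// In the real client the package directory is deleted here.
		return fallbackURL, false
	}
	return "local", true
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the openssl-generated pair
	if err != nil {
		panic(err)
	}
	pkg := offlinePackage{ // constructed sample package
		"index.html": []byte("<script src=app.js></script>"),
		"app.js":     []byte("console.log('hello')"),
	}
	sig, err := serverSign(priv, pkg)
	if err != nil {
		panic(err)
	}
	fallback := "https://cdn.example.com/h5/fallback/" // assumed fallback address
	fmt.Println(openOfflinePackage(&priv.PublicKey, pkg, sig, fallback))
	pkg["app.js"] = []byte("console.log('tampered')")
	fmt.Println(openOfflinePackage(&priv.PublicKey, pkg, sig, fallback))
}
```

The first call returns "local" and true; after the file is modified the same signature no longer verifies and the client falls back, which is exactly the degradation path the text describes.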

MDS real-time release

The MDS real-time release service provides apk publishing. To ensure the downloaded apk cannot be tampered with, it also provides an MD5-based integrity check.

When an apk is uploaded, its MD5 is generated and distributed with it. At install time the client computes the MD5 of the locally downloaded file and compares it with the MD5 distributed by the server; only if they match does installation proceed. Unlike the offline package digest, this MD5 is not signed, so it detects a corrupted or modified download only as long as the MD5 itself reaches the client over a channel the attacker cannot alter.

The MD5 fields distributed by the server are shown in a figure in the original article (not reproduced here).

MSS mobile synchronization

The mobile synchronization service (Sync) communicates over TCP. To secure it, Sync can be configured in TCP+SSL mode.

When the Sync port is set to 443, the client establishes its long connection over TCP+SSL. After the connection request reaches the server side, SSL is terminated (offloaded) by an F5 or similar load-balancing device, and the long connection finally reaches MSS in plaintext behind it.

The overall flow is illustrated by a figure in the original article (not reproduced here).
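The TCP+SSL long connection, as an added example that is not mPaaS or MSS code. A loopback TLS listener stands in for the F5 offload device and the MSS backend behind it together (it terminates TLS and answers each line), and `syncClient` plays the app. The certificate is self-signed in-process for 127.0.0.1 and the trusted pool is an assumption replacing the device's real CA chain. The point the example makes beyond the text: the client must actually verify the server certificate against roots it trusts; a client that accepts any certificate gets a TLS connection that a man in the middle can terminate just as well as the F5 does.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway certificate for 127.0.0.1, standing in for
// the certificate installed on the SSL-offloading device. The returned pool
// is what the client trusts (a stand-in for the real CA trust store).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sync-offload.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startOffloadEcho plays the F5/offload role: it terminates TLS on a loopback
// port and, standing in for MSS behind it, answers each line with "ack:<line>".
func startOffloadEcho(cert tls.Certificate) (addr string, stop func(), err error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				r := bufio.NewReader(c)
				for {
					line, err := r.ReadString('\n') // TLS handshake completes on first read
					if err != nil {
						return
					}
					if _, err := c.Write([]byte("ack:" + line)); err != nil {
						return
					}
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// syncClient opens the TCP+SSL long connection the text describes and sends
// one message. RootCAs is set and InsecureSkipVerify is left false: without
// certificate verification the SSL layer would not stop a man in the middle.
func syncClient(addr string, roots *x509.CertPool, msg string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := fmt.Fprintf(conn, "%s\n", msg); err != nil {
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	addr, stop, err := startOffloadEcho(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	reply, err := syncClient(addr, pool, "sync:ping")
	fmt.Printf("trusted pool: %q err=%v\n", reply, err)
}
```

Dialling the same listener with an empty certificate pool fails during the handshake, which is the behaviour to expect from the real client when the offload device presents a certificate it does not trust.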

Conclusion

With the rapid development of mobile applications, the privacy and security issues surrounding them receive ever more attention. Because these applications hold so much personal data, a leak harms individuals, affects society and damages the industry's long-term prospects, so developers must standardise and secure their development process, take security issues seriously and guard against compliance risks.


Author: Alibaba Cloud mPaaS TAM team (Rongyang)



Copyright notice: this article was written by Alibaba cloud developers; please include a link to the original when reposting.
https://chowdera.com/2021/09/20210909132704137k.html
