A few things about app security
Client-side anti-cheating is very important but very hard to do well. It is the old contest of spear and shield: whenever the defence gets a little better, the attack gets better still.
Why security matters
Almost every app today depends heavily on the network. Much of what the client displays is fetched from server interfaces, and the server in turn receives a great deal of data uploaded by the client. This two-way communication is easy for a third party to intercept, which leads to stolen data and fraudulently abused interfaces.
The main mobile security problems for an app are:
- The key is cracked and locally encrypted data is stolen
- The communication key is cracked and interface data is stolen
- Forged data is reported to the interfaces
- The interface signature is cracked, so the interface can be hit with replay attacks
These boil down to the following attack patterns:
- Decompiling the code
- Cracking the .so (native library)
- Man-in-the-middle attack
Users want security
For users, security means that their sensitive data is not leaked and does not become known to third parties. Client-side data is therefore usually protected with encryption. But because the data is local, it has to be decrypted as well as encrypted (if it never needed decrypting, there would be no need to keep it). So to keep the key safe, the local code itself would need to be encrypted, and suddenly this is a chicken-and-egg problem. That is why there is no such thing as “local security”.
Local encryption
Local encryption usually starts with obfuscation using ProGuard. It is the simplest and cheapest measure, and it is fairly effective at turning back novice crackers who were only half-committed to begin with. For anyone who really wants to crack the app, though, obfuscation only makes the code a little harder to read. I believe most developers have decompiled other people's apps at some point: with decompilation tools such as jadx, apktool and dex2jar it is very easy to find the clues needed for a crack. jadx in particular can export a Gradle project directly, so the code can be viewed in Android Studio, which could hardly be more convenient.
One level up, we protect the app with DexGuard, packers (shells), .so-based protection and third-party hardening services. These greatly increase the cracker's cost. But for the mainstream hardening techniques, the corresponding cracking techniques are also very mature. So however impressive the technology, once the cracker knows which hardening method you used, a way to crack it is easy to find; it takes just one more Google search than ProGuard does.
With that said, let's look at the security of the key, which has to be “hidden” locally.
At the lowest level, the key is placed directly in the Java code, which basically only fools the boss. One step up, the key is still in Java code but cannot be found directly: to feel more confident, the developer splits the key into several parts and reassembles the complete key with some algorithm, and is delighted with the result. One step further, the decryption key is moved into a .so, where it is again split up and assembled by an algorithm. Further still, the .so adds signature verification, junk instructions and even confusable names (1, I, l). Each step filters out countless novice, elementary, intermediate and advanced crackers. But people go where the profit is: if your app really has that much value, it will certainly attract hardened hackers. After all, fame has its price.
Of course, Google is always late to the game. Various vendors already provided TrustZone/TEE hardware encryption solutions, and Google then introduced Keystore. But it requires API 26 as a minimum, and at this point almost no app can set its minimum version to 26, so there is no way to use the Keystore for secure storage.
Interface signature
The most basic guarantee of interface security is HTTPS, together with SSL domain name verification (keywords: X509TrustManager, hostnameVerifier). On top of that, each request usually carries a signature, or token: an encrypted key string that serves as our identity. This signature is generated with the local key that we tried so hard to hide. Typically, parameters such as the timestamp, UserID, IMEI and MAC address are assembled, run through DES, 3DES, AES, hmacSHA1 or the like, and then Base64-encoded. I won't go through these processes here; every implementation is different, and the keywords above are enough to search on.
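A server-side check for the kind of signed request described above, as an added example (not code from the original article). It swaps in HMAC-SHA256 for the hmacSHA1 the text lists and adds a nonce so that a captured request cannot be replayed; the key, field names and 300-second window are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Assumptions for this example: the key, field names and window are constructed.
SECRET = b"demo-key-for-illustration-only"
MAX_SKEW = 300   # seconds a signed request stays acceptable
_seen = {}       # nonce -> expiry; a shared store is needed across servers


def canonical(params):
    """Sort and percent-encode fields so the signed bytes are unambiguous."""
    # Without encoding, {"a": "1&b=2"} and {"a": "1", "b": "2"} would sign alike.
    return "&".join(
        f"{quote(str(k), safe='')}={quote(str(params[k]), safe='')}"
        for k in sorted(params) if k != "sign"
    )


def sign(params, key=SECRET):
    mac = hmac.new(key, canonical(params).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(params, now=None, key=SECRET):
    """Return (ok, reason); rejects forged, stale and replayed requests."""
    now = time.time() if now is None else now
    try:
        ts = int(params["timestamp"])
        nonce, given = str(params["nonce"]), str(params["sign"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # Constant-time compare: do not leak how much of the signature matched.
    if not hmac.compare_digest(sign(params, key).encode(), given.encode()):
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    # Forget expired nonces, then refuse any nonce already used in the window.
    for old in [n for n, exp in _seen.items() if exp < now]:
        del _seen[old]
    if nonce in _seen:
        return False, "replay"
    _seen[nonce] = ts + MAX_SKEW
    return True, "ok"
```

The timestamp alone only narrows the replay window; it is the nonce cache that rejects a second copy of a still-fresh request.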
The server wants security
The server needs security because it wants to receive requests that are actually triggered by normal users.
However, when the client is controlled by an untrusted third party (such as the user), there is little way to verify that a request really comes from “your” client. There are only two ways to increase the cost of cracking:
- Use a local key plus an algorithm to generate the interface signature. The difficulty is keeping the local key and algorithm secure, as discussed above.
- Use a dynamic key generated on the server. The difficulty is keeping the communication protocol secure, and a local key is still needed to protect the interface that requests the dynamic key.
Where the communication protocol is secure, a dynamic key distribution scheme has practical value. For example, for an activity page that is a target of bulk automated requests, you can add a prerequisite interface that returns a dynamic key, which the client then uses for the activity page request. The key is not stored locally, and every request gets a new key. Setting the NO_PROXY mode of the network request framework is the simplest solution.
Given the security of server equipment, mainstream anti-cheating detection is currently carried out on the server. The most important reason, of course, is that absolute security on the local side cannot be guaranteed.
Identify the user's request chain
Based on the necessary API call flow and its closed loop, limit how often each API in a set of API calls may be called relative to the others (the relative number of calls). Tie a few hidden correlations between parameters to the business logic; if someone tries to assemble the parameters themselves, these hidden constraints will often be broken.
However, this kind of detection usually consumes a certain amount of system resources. And when the business is more complex, keeping request detection both real-time and efficient becomes a hard balance to strike.
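The call-flow constraint described above, written as detection logic over a request log, as an added example (not from the original article). The endpoint names, the flow table and the sample log are constructed; the rule checked is that a protected call may never outnumber the calls it depends on.

```python
from collections import Counter, defaultdict

# Assumed flow for a hypothetical activity page: every claim needs an earlier
# page load and an earlier dynamic-key fetch. Endpoint names are constructed.
FLOW = {"/activity/claim": ["/activity/page", "/activity/key"]}

# Constructed sample log: (client id, endpoint) in arrival order.
SAMPLE_LOG = [
    ("u1", "/activity/page"), ("u1", "/activity/key"), ("u1", "/activity/claim"),
    ("u2", "/activity/claim"), ("u2", "/activity/claim"),
    ("u3", "/activity/page"), ("u3", "/activity/key"),
    ("u3", "/activity/claim"), ("u3", "/activity/claim"),
]


def flag_broken_flows(log, flow=FLOW):
    """Return {client: [(endpoint, missing prerequisite), ...]} for violations."""
    counts = defaultdict(Counter)   # per-client running call counts
    flagged = defaultdict(set)
    for client, endpoint in log:
        counts[client][endpoint] += 1
        for prereq in flow.get(endpoint, []):
            # A protected call may never outnumber a call it depends on.
            if counts[client][endpoint] > counts[client][prereq]:
                flagged[client].add((endpoint, prereq))
    return {client: sorted(pairs) for client, pairs in flagged.items()}


def suspicious_clients(log, flow=FLOW):
    """Clients whose traffic broke the expected call flow at least once."""
    return sorted(flag_broken_flows(log, flow))
```

In the sample, u2 never loads the page and u3 reuses one page load for two claims, so both are flagged while u1 passes.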
Gateway-layer interception and human/bot identification
- The gateway layer intercepts large volumes of repeated requests from the same IP address by setting a threshold on access from a single IP address.
- Big-data identification: requests identified as malicious are banned.
This is the mainstream approach at present.
TCP encryption
Most app data today is exchanged over HTTP, but we can implement our own communication protocol on top of TCP. In addition, TCP packet reordering can be used to make cracking harder. Using a TCP heartbeat in this way to maintain a secure communication channel is also a very good solution, but it is harder to operate.
Change where business logic is processed
When designing the technical implementation of a business feature, put the business judgment logic on the back end. The client only sends the instruction; whether it is valid is decided on the server.
Postmodern security
Quantum encryption, white-box encryption and artificial intelligence analysis are basically the next generation of security strategies. For now they are still rather illusory, but once the technology matures, it will certainly be an epoch-making milestone.