In October 2019, a young man surnamed Tian, born after 2000, was sentenced to three years in prison and fined 10,000 yuan for illegally obtaining data from computer information systems. Tian has only a junior high school education but considerable aptitude for computers. Between January 5 and January 15, 2019, using packet-capture software, Photoshopped ID cards, replay attacks and other means, he registered Class II and Class III bank accounts in a bank's mobile banking App with false identity information and sold them for profit.
Case analysis
Many readers will wonder how packet capture, forged documents and replay can be chained, step by step, into a profitable attack on a banking App. Let's break it down:
- First, using his own genuine ID card information, Tian went through the normal account-registration flow and used packet-capture software to intercept and save the face-recognition identity-authentication packets exchanged with the bank's system.
- Second, at the step where the card password is entered, Tian went back to step 1 of the App (uploading a photo of the ID card), entered forged ID information, and proceeded again to the face-recognition authentication step.
- Finally, Tian uploaded the previously intercepted authentication packets (which contained his own genuine identity) in place of a fresh verification. The banking system therefore compared them against his real identity at this step, passed the face check, and allowed the account to be registered under the false ID information.
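The weakness in the flow above is that the face-recognition result was not bound to the identity submitted in step 1 or to the current registration session, so a verdict captured for one identity could be presented for another. The following Python model, added here as an illustration and not code from the bank or from Alipay, shows a back end that issues the face verdict as a server-signed token carrying a hash of the applicant's ID number, a per-session challenge and an expiry, and then refuses to open an account on a token that is bound to a different identity, a different session, or has already been consumed. Every name, key and ID number in it is a constructed placeholder.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side HMAC key (constructed value). In production it lives in
# an HSM/KMS on the bank side and is never present in the App binary.
SERVER_KEY = b"example-server-hmac-key-do-not-use"
TOKEN_TTL_SECONDS = 300


class RegistrationServer:
    """Minimal model of the bank back end for the ID-upload, face and account-opening steps."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: Dict[str, Dict[str, str]] = {}  # session_id -> id_hash + challenge
        self._used = set()  # challenges already spent (replay cache)

    @staticmethod
    def _id_hash(id_number: str) -> str:
        return hashlib.sha256(id_number.encode()).hexdigest()

    def start_session(self, id_number: str) -> Tuple[str, str]:
        """Step 1: applicant uploads the ID document; a fresh challenge is bound to that identity."""
        session_id = secrets.token_hex(8)
        challenge = secrets.token_hex(16)
        self._sessions[session_id] = {"id_hash": self._id_hash(id_number), "challenge": challenge}
        return session_id, challenge

    def issue_face_token(self, session_id: str, face_matches_id_photo: bool) -> Optional[str]:
        """Face step: the biometric engine's verdict becomes a token tied to this session's identity."""
        sess = self._sessions[session_id]
        if not face_matches_id_photo:
            return None
        payload = {
            "id_hash": sess["id_hash"],
            "challenge": sess["challenge"],
            "exp": int(self._now()) + TOKEN_TTL_SECONDS,
        }
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def open_account(self, session_id: str, id_number: str, token: str) -> str:
        """Final step: accept only a face token minted for THIS session and THIS identity."""
        body_hex, _, tag = token.partition(".")
        body = bytes.fromhex(body_hex)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        payload = json.loads(body)
        sess = self._sessions.get(session_id)
        if sess is None or payload["challenge"] != sess["challenge"]:
            return "rejected: token not bound to this session"
        if payload["challenge"] in self._used:
            return "rejected: replay"
        if payload["exp"] < self._now():
            return "rejected: expired"
        # The identity the face was checked against must equal the identity now being registered.
        if payload["id_hash"] != self._id_hash(id_number) or payload["id_hash"] != sess["id_hash"]:
            return "rejected: identity mismatch"
        self._used.add(payload["challenge"])
        return "account opened"


def run_scenarios() -> Dict[str, str]:
    """Replays the case's sequence against the hardened flow; IDs are constructed labels."""
    srv = RegistrationServer()
    real_id, forged_id = "ID-A-GENUINE", "ID-B-FORGED"
    s1, _ = srv.start_session(real_id)
    tok = srv.issue_face_token(s1, face_matches_id_photo=True)
    results = {}
    # Going back to step 1 with forged ID data and uploading the captured packet.
    s2, _ = srv.start_session(forged_id)
    results["cross_session_replay"] = srv.open_account(s2, forged_id, tok)
    # Even inside the original session, the token still names the genuine identity.
    results["identity_mismatch"] = srv.open_account(s1, forged_id, tok)
    results["honest"] = srv.open_account(s1, real_id, tok)
    results["same_session_replay"] = srv.open_account(s1, real_id, tok)
    # Editing the token to name the forged identity breaks the signature.
    body_hex, _, tag = tok.partition(".")
    edited = json.loads(bytes.fromhex(body_hex))
    edited["id_hash"] = RegistrationServer._id_hash(forged_id)
    bad = json.dumps(edited, sort_keys=True).encode().hex() + "." + tag
    results["tampered"] = srv.open_account(s1, forged_id, bad)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```

The essential design choice is that the verdict of the face check is never trusted as a free-standing fact: it is only meaningful together with the identity and the session it was produced for, and the server, not the client, is the one that records that association.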
Client App data security is urgent
How should we re-examine data security on the client side? Analysing the current design of Alipay's "on-device security" mechanism may offer some new inspiration.
Design of the security mechanism during App development
To protect the App against hackers and Trojan horses, Alipay has built a multi-level on-device security mechanism with three levels: "local area", "online operation" and "App end". At the local level, the binary is protected by code obfuscation and encryption. At runtime, a data-security environment created by the "security black box", together with encryption, prevents data leakage. At the App level, secure data storage, secure signing and similar means keep business functions running stably.
Secure transmission and storage of client App data
Achieving fine-grained security for data transmission and verification on the client side has always been a difficult challenge. With the help of the "security black box", Alipay encrypts application-level data such as the AppSecret at rest and wraps the various upper-layer services behind data-signing interfaces.
Using the security black box, the client encrypts generated data with public-key and secret-key cryptography and stores it in a dispersed manner, so that the encrypted secret key itself stays protected. The security black box is itself code-obfuscated and carries multiple anti-debugging mechanisms, which greatly improves its resistance to analysis.
In addition, the black box's anti-debugging technology defeats dynamic analysis with common debugging tools such as GDB and IDA Pro, while export-table obfuscation, junk instructions and similar measures substantially raise the cost of static analysis for an attacker. In this way the security of client data in transit and at rest can be comprehensively protected.
User Information Verification
As the computing power of terminal devices continues to grow, mobile devices can perform very complex computation with their powerful CPUs and GPUs. Mobile AI engines such as Alipay's xNN help make user-information verification even more intelligent.
Combined with Alipay's financial business, smart services such as OCR recognition of bank cards and ID cards, face recognition and liveness detection have been validated by nearly 200 million users, with high recognition accuracy, fast speed and abundant modules. They have also been opened to Alipay mini programs.
App life cycle protection
Client App security is really a one-stop solution spanning App development, launch and use. In the development stage it provides code obfuscation, data encryption, database encryption and other secure-development and data-security capabilities. In the launch stage it provides App hardening: DEX and SO protection, anti-decompilation, anti-repackaging and similar capabilities raise the App's overall security level. In the use stage, API signing, API data encryption and similar means ensure the integrity and confidentiality of data, while a secure encrypted keyboard protects the information the user types.
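The "API signing" named for the use stage is what lets the gateway tell a genuine, unmodified request from one whose body, path or timing has been altered on the way. As an added illustration, not Alipay's or mPaaS's own implementation, the Python below signs a canonical string (method, path, timestamp and a hash of the body) with a per-App secret and verifies it on the gateway side, rejecting tampered bodies, requests redirected to another endpoint and requests outside a freshness window. The secret, endpoint names and account values are constructed placeholders; on a real client the secret would be held by the security black box rather than as a plain string.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Hypothetical per-App secret shared with the gateway (constructed value).
APP_SECRET = b"example-app-secret-do-not-use"
MAX_SKEW_SECONDS = 60  # freshness window for the request timestamp


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Fixed, unambiguous layout of everything the signature must cover."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method: str, path: str, body: bytes, timestamp: int) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    msg = canonical_string(method, path, timestamp, body)
    sig = hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes, now: int) -> Optional[str]:
    """Gateway side: None means the request is acceptable, otherwise the rejection reason."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "stale timestamp"
    expected = hmac.new(APP_SECRET, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the expected value.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return "signature mismatch"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed transfer request checked under several tampering conditions."""
    now = 1_700_000_000
    body = json.dumps({"to_account": "ACCT-B", "amount": "100.00"}).encode()
    hdrs = sign_request("POST", "/api/transfer", body, now)
    tampered = json.dumps({"to_account": "ACCT-B", "amount": "100000.00"}).encode()
    return {
        "genuine": verify_request("POST", "/api/transfer", hdrs, body, now + 5),
        "tampered_body": verify_request("POST", "/api/transfer", hdrs, tampered, now + 5),
        "wrong_path": verify_request("POST", "/api/open-account", hdrs, body, now + 5),
        "stale": verify_request("POST", "/api/transfer", hdrs, body, now + 3600),
        "no_headers": verify_request("POST", "/api/transfer", {}, body, now + 5),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} {'accepted' if verdict is None else verdict}")
```

The freshness window limits how long a captured request stays usable; within that window the gateway still needs a per-request nonce cache, and confidentiality of the body requires the API data encryption the text lists alongside signing.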
mPaaS client App security capability
As a mobile development platform derived from Alipay, mPaaS consolidates Alipay's financial-grade end-to-end security capabilities. It not only meets the service-quality challenge of an App under peak bandwidth, but also ranks at the forefront of the industry in availability under weak-network conditions and in risk identification for network requests. Today, the hardening technology of the mPaaS client together with the black box protects code on the mobile device and data at the network layer, providing signature verification, encryption and other methods. At the same time, the gateway can identify the client environment and intercept suspicious requests.
The "Mobile Financial Client Application Software Security Management Standards" issued by the People's Bank of China in September 2019 set specific requirements for client applications in data security, identity-authentication security, functional security design, password and key management, secure input, anti-attack capability and other areas, covering the whole life cycle of the client application across design, development, release, operation and maintenance.
mPaaS has passed the security assessment of the China Financial Certification Center and serves more than 2,000 customers in banking, securities, government affairs, transportation and many other industries. mPaaS also provides a full range of client-security protection solutions, helping enterprises build secure and stable mobile applications and achieve technology-driven business innovation and a better business experience.