Welcome to the NetEase Cloud Community, where you can learn more about NetEase's experience in technology, products and operations.
Because the Ministry of Industry and Information Technology (MIIT) has steadily tightened its requirements for mobile App security inspection, most apps cannot meet those requirements without hardening. Developers mainly harden their apps to avoid problems in the following ten test items, any of which can affect whether the App is allowed onto the store shelves.
1. Program code security
“Many people may think there is not much technical content in this, but in fact the inspecting party does have requirements when an App is launched,” says Zhu Xingxing, senior security development engineer at NetEase. He believes that before launch the developer should prepare a “Legal Statement and Privacy Policy” and, when requesting a system permission from the user, describe why it is needed. Stating which SDKs collect user data, and what that data is collected for, is a mandatory requirement.
2. Program code protection
Program code protection is one of the items the inspector uses to judge the basic strength of an App's code protection, and also one of the criteria for whether the App developer has an awareness of secure development. The most common code protection methods in the industry are: the client App uses code obfuscation, adds resistance to decompilation by third-party reverse-engineering tools, and applies hardening, tamper-proofing and anti-repackaging techniques.
3. Passwords and security policies
This is a common problem in financial apps, where developers often have to worry about whether a screenshot will be taken while users enter their passwords. “When we help customers solve this problem, we recommend that they use an anti-keylogging SDK, so that the key layout of the keyboard is different every time the user opens it; the App is then safer and passes inspection more easily,” Zhu said.
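A shuffled keypad is only as good as the shuffle behind it. The following C example, added here and not code from the article or from NetEase's SDK, shows how the per-session key layout can be generated: a Fisher-Yates shuffle driven by the OS random source (/dev/urandom is assumed to be available, as on Android and Linux), with rejection sampling so that no key position is favoured by modulo bias. The checking helper verifies that the result is still a permutation of all ten digits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Uniform integer in [0, bound) drawn from rng, without modulo bias:
 * a 32-bit value is only accepted if it falls below the largest multiple of bound. */
static unsigned uniform_below(FILE *rng, unsigned bound) {
    unsigned limit = (0xFFFFFFFFu / bound) * bound;
    for (;;) {
        unsigned char b[4];
        if (fread(b, 1, 4, rng) != 4) abort();      /* random source failed: do not continue */
        unsigned r = (unsigned)b[0] | (unsigned)b[1] << 8
                   | (unsigned)b[2] << 16 | (unsigned)b[3] << 24;
        if (r < limit) return r % bound;
    }
}

/* Produce the key layout for one keyboard session: a Fisher-Yates shuffle of the
 * ten digit keys using the OS CSPRNG. Returns 1 on success, 0 if the source is unavailable. */
int shuffle_keypad(char keys[10]) {
    memcpy(keys, "0123456789", 10);
    FILE *rng = fopen("/dev/urandom", "rb");
    if (!rng) return 0;
    for (unsigned i = 9; i > 0; i--) {
        unsigned j = uniform_below(rng, i + 1);     /* j uniform in [0, i] */
        char t = keys[i]; keys[i] = keys[j]; keys[j] = t;
    }
    fclose(rng);
    return 1;
}

/* 1 if keys contains each digit '0'..'9' exactly once, else 0. */
int is_digit_permutation(const char keys[10]) {
    int seen[10] = {0};
    for (int i = 0; i < 10; i++) {
        if (keys[i] < '0' || keys[i] > '9' || seen[keys[i] - '0']) return 0;
        seen[keys[i] - '0'] = 1;
    }
    return 1;
}

int main(void) {
    char keys[10];
    if (!shuffle_keypad(keys)) return 1;
    printf("keypad layout for this session: %.10s (valid=%d)\n", keys, is_digit_permutation(keys));
    return 0;
}
```

Each call to shuffle_keypad yields a fresh layout, so the same screen position maps to a different digit on every password entry; the rejection loop almost never iterates for such a small bound, but it is what keeps the distribution exactly uniform.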
4. Permission and interface security
In the mobile Internet era, hackers' attack methods are increasingly diverse; forging a user login page to steal user information is one of them. During App testing, the tester presents a fake login page identical to the real one to check whether the App has any awareness of this threat: the developer is expected to show the user a warning inside the App indicating that the login or another key interface has been covered.
5. Dynamic debugging
Dynamic debugging is also a popular concept in software reverse engineering: a cracker uses a debugger to trace the running software and look for a way to crack it. Zhu Xingxing said: “Faced with dynamic debugging, we can adopt an App hardening scheme to prevent the App from being dynamically debugged.”
6. SO injection
SO injection is also a common hacking technique, and it is a required test item in Android App inspection. According to Zhu, there are generally three ways to address it: modify the dlopen function in the linker to prevent third-party SO from being loaded; periodically check the third-party SO libraries loaded by the application and, if one is found to have been injected, unload it; and harden the system under test so that third-party SO cannot be dynamically injected into it.
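The second approach, periodically checking which shared objects the process has mapped, can be built on the process's own /proc/self/maps. The C example below is added here and is not code from the article or from NetEase's hardening product; the maps snapshot, the package name com.example.bank and the list of allowed library directories are constructed for illustration. It walks the maps text, collects every .so path that lies outside the directories the app expects to load from, and returns the distinct suspects, which is the input an unload or alert step would act on.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/self/maps snapshot for the example; not captured from a real device. */
static const char *SAMPLE_MAPS =
    "7f0000000000-7f0000001000 r--p 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f0000001000-7f0000002000 r-xp 00001000 fd:00 1 /system/lib64/libc.so\n"
    "7f0000100000-7f0000101000 r-xp 00000000 fd:00 2 /data/app/com.example.bank-1/lib/arm64/libnative.so\n"
    "7f0000200000-7f0000201000 r-xp 00000000 fd:00 3 /data/local/tmp/libinject.so\n"
    "7f0000300000-7f0000301000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7f0000400000-7f0000401000 rw-p 00000000 00:00 0 \n"
    "7f0000500000-7f0000501000 r-xp 00000000 fd:00 4 /apex/com.android.runtime/lib64/libart.so\n";

/* Directories from which this (hypothetical) app expects shared objects to be loaded. */
static const char *ALLOWED_PREFIXES[] = {
    "/system/", "/vendor/", "/apex/", "/data/app/com.example.bank-1/lib/", NULL
};

/* 1 if the path starts with one of the allowed directories. */
int so_path_allowed(const char *path) {
    for (int i = 0; ALLOWED_PREFIXES[i]; i++)
        if (strncmp(path, ALLOWED_PREFIXES[i], strlen(ALLOWED_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* 1 if the path looks like a shared object (".so" at the end or ".so." inside). */
static int looks_like_so(const char *path) {
    size_t n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, ".so") == 0) return 1;
    return strstr(path, ".so.") != NULL;
}

/* Walk a maps text, collect distinct .so paths outside the allowed directories
 * into out[] (at most max entries) and return how many were found. */
int find_injected_so(const char *maps, char out[][256], int max) {
    int count = 0;
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* maps fields: address perms offset dev inode pathname */
        char path[256] = "";
        if (sscanf(buf, "%*s %*s %*s %*s %*s %255s", path) == 1
            && path[0] == '/' && looks_like_so(path) && !so_path_allowed(path)) {
            int dup = 0;
            for (int i = 0; i < count; i++)
                if (strcmp(out[i], path) == 0) { dup = 1; break; }
            if (!dup && count < max) {
                snprintf(out[count], 256, "%s", path);
                count++;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return count;
}

/* Stand-alone run: the constructed snapshot first, then the live process if /proc is
 * available. On a desktop the allow list above will not cover system libraries, so the
 * live count there is only illustrative; on the device it would list the allowed dirs. */
int main(void) {
    char hits[16][256];
    int n = find_injected_so(SAMPLE_MAPS, hits, 16);
    for (int i = 0; i < n; i++) printf("unexpected library: %s\n", hits[i]);
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char live[1 << 16];
        size_t got = fread(live, 1, sizeof live - 1, f);
        live[got] = '\0';
        fclose(f);
        n = find_injected_so(live, hits, 16);
        printf("live process: %d unexpected librar%s\n", n, n == 1 ? "y" : "ies");
    }
    return 0;
}
```

Running this on a timer from the app's native code is the "periodic detection" the article describes; a hit is a signal to unload the library (or, more robustly, to refuse to continue), and the allow list should be derived from the installed package's real lib directory rather than hard-coded as it is here.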
7. Memory data protection
How to protect a program from having its memory read or overwritten by other programs is a long-standing problem for developers. In Zhu Xingxing's talk he discussed memory being read and written by a third-party program: “We monitor read and write operations on /proc/pid/mem, /proc/ti/mem and similar files. When these files are accessed by a third-party program, a callback function is triggered, and anti-injection and anti-debugging methods are used to prevent the memory from being modified.”
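Two building blocks of the monitoring described in items 5 and 7 can be shown in plain C. The example below is added here and is not code from the article or from NetEase's product. It assumes that a file-access hook in the app's own process already exists (for instance an interposed open(); that hook is hypothetical and not shown) and implements the callback it would invoke: a classifier that decides whether a path refers to this process's memory image, and a TracerPid check on /proc/self/status text as the anti-debugging test. The per-thread form /proc/<pid>/task/<tid>/mem is assumed to be what the quoted "/proc/ti/mem" refers to, and the status excerpts are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

enum mem_action { MEM_IGNORE = 0, MEM_ALERT = 1, MEM_ALERT_TRACED = 2 };

/* 1 if path names the memory image of process self_pid:
 * /proc/self/mem, /proc/<pid>/mem or /proc/<pid>/task/<tid>/mem. */
int is_own_mem_path(const char *path, long self_pid) {
    if (strncmp(path, "/proc/", 6) != 0) return 0;
    const char *p = path + 6;
    if (strncmp(p, "self/", 5) == 0) {
        p += 5;
    } else {
        char *end;
        long pid = strtol(p, &end, 10);
        if (end == p || *end != '/' || pid != self_pid) return 0;
        p = end + 1;
    }
    if (strncmp(p, "task/", 5) == 0) {          /* optional task/<tid>/ component */
        p += 5;
        const char *digits = p;
        while (isdigit((unsigned char)*p)) p++;
        if (p == digits || *p != '/') return 0;
        p++;
    }
    return strcmp(p, "mem") == 0;
}

/* Parse the TracerPid field of /proc/self/status text.
 * Returns the tracer's pid, 0 when nobody is attached, -1 when the field is missing. */
long tracer_pid_from_status(const char *status) {
    static const char key[] = "TracerPid:";
    for (const char *line = status; line; ) {
        if (strncmp(line, key, sizeof key - 1) == 0)
            return strtol(line + sizeof key - 1, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* The callback the (hypothetical) file-access hook invokes: decide what an access
 * to `path` means. Ignore unrelated files; alert on our own memory image, and
 * escalate when a debugger is also attached. */
enum mem_action on_file_access(const char *path, long self_pid, const char *status_text) {
    if (!is_own_mem_path(path, self_pid)) return MEM_IGNORE;
    return tracer_pid_from_status(status_text) > 0 ? MEM_ALERT_TRACED : MEM_ALERT;
}

/* Constructed /proc/self/status excerpts; not captured from a real device. */
static const char *STATUS_TRACED =
    "Name:\tcom.example.bank\nState:\tt (tracing stop)\nTgid:\t1234\nPid:\t1234\nTracerPid:\t4321\n";
static const char *STATUS_CLEAN =
    "Name:\tcom.example.bank\nState:\tS (sleeping)\nTgid:\t1234\nPid:\t1234\nTracerPid:\t0\n";

int main(void) {
    const char *paths[] = { "/proc/self/mem", "/proc/1234/task/1240/mem",
                            "/proc/9999/mem", "/proc/1234/maps" };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-28s -> action %d\n", paths[i], on_file_access(paths[i], 1234, STATUS_TRACED));
    printf("clean status tracer pid: %ld\n", tracer_pid_from_status(STATUS_CLEAN));
    return 0;
}
```

In a real deployment the status text would be re-read from /proc/self/status on every callback rather than passed in, since a tracer can attach at any moment; reading it fresh each time is cheap and is the same check used for periodic anti-debugging polling.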
8. Privacy and data storage
The files an App stores can be problematic if they hold data in clear text. “In fact, regardless of whether the App has other problems, if the inspecting party detects plaintext storage in the App, it will be sent back,” Zhu Xingxing warned developers when explaining the importance of this issue: during development, pay attention to whether XML and DB files contain plaintext storage of sensitive data.
9. Log information is leaked
The security of log information is an important issue in mobile App development. Preventing log leakage mainly means ensuring that printed logs cannot easily be used as an entry point for analyzing the App's execution logic. Besides not calling logging functions in the static code, the App must not output log information at runtime either.
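Both halves of that requirement, no logging calls left in the shipped code and no output at runtime, can be enforced in native code with the pattern below. This C example is added here and is not code from the article or from NetEase's product; the SLOG macro, the g_logging_enabled switch, the secure_log function and the sensitive-key list are assumptions for illustration. NDEBUG removes the calls at compile time, a runtime switch that defaults to off suppresses anything that still reaches the logger, and a redaction pass masks password, token, card and session values so that even a debug build never writes a secret to the log.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>

/* Runtime switch, off by default: a release build leaves it off, so even code
 * paths that still reach secure_log() emit nothing. */
int g_logging_enabled = 0;

/* Compile-time switch: with NDEBUG defined, SLOG expands to nothing and the
 * format strings never reach the binary. */
#ifdef NDEBUG
#define SLOG(...) ((void)0)
#else
#define SLOG(...) secure_log(__VA_ARGS__)
#endif

/* Keys whose values must never appear in a log line, even in debug builds. */
static const char *SENSITIVE_KEYS[] = { "password", "token", "card", "session", NULL };

static int is_sep(char c) { return c == '&' || c == ' ' || c == ',' || c == ';' || c == '\0'; }

/* Case-insensitive: does s start with key? Stops at the NUL of s, so it never overreads. */
static int ci_prefix(const char *s, const char *key) {
    for (; *key; s++, key++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*key)) return 0;
    return 1;
}

/* Length of the sensitive key at p if p starts a "key=" pair, else 0. */
static size_t sensitive_key_at(const char *p) {
    for (int i = 0; SENSITIVE_KEYS[i]; i++) {
        size_t kl = strlen(SENSITIVE_KEYS[i]);
        if (ci_prefix(p, SENSITIVE_KEYS[i]) && p[kl] == '=') return kl;
    }
    return 0;
}

/* Copy `in` to `out`, replacing the value of every sensitive key=value pair with ***.
 * Pairs are delimited by '&', ' ', ',' or ';'. Returns the number of values masked. */
int redact_line(const char *in, char *out, size_t out_len) {
    size_t o = 0;
    int masked = 0, at_start = 1;
    for (const char *p = in; *p && o + 1 < out_len; ) {
        size_t kl = at_start ? sensitive_key_at(p) : 0;
        if (kl) {
            if (o + kl + 4 + 1 > out_len) break;     /* "key=" + "***" + NUL must fit */
            memcpy(out + o, p, kl + 1); o += kl + 1;
            memcpy(out + o, "***", 3);  o += 3;
            p += kl + 1;
            while (!is_sep(*p)) p++;                /* drop the real value */
            masked++;
            at_start = 0;
            continue;
        }
        out[o++] = *p;
        at_start = is_sep(*p);
        p++;
    }
    out[o] = '\0';
    return masked;
}

/* Format like printf, redact, and write to stderr only when logging is enabled at runtime.
 * Returns 1 if a line was emitted, 0 if it was suppressed. */
int secure_log(const char *fmt, ...) {
    if (!g_logging_enabled) return 0;
    char raw[512], safe[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(raw, sizeof raw, fmt, ap);
    va_end(ap);
    redact_line(raw, safe, sizeof safe);
    fprintf(stderr, "%s\n", safe);
    return 1;
}

int main(void) {
    SLOG("login user=%s password=%s", "alice", "hunter2");   /* suppressed: switch is off */
    g_logging_enabled = 1;                                    /* e.g. only in a debug build */
    SLOG("login user=%s password=%s", "alice", "hunter2");   /* prints password=*** */
    return 0;
}
```

On Android the fprintf would be replaced by the platform log call, but the gating and redaction stay the same; the redaction is deliberately a last line of defence, and the inspection item is satisfied by the first two layers removing the output altogether.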
10. Communication and data security
Under a new round of global technological change, users' lifestyles depend increasingly on online applications, and communication data is growing explosively. Worryingly, the mass gathering of online data increases the chance of data leaks and so threatens information security. To address this, Zhu Xingxing suggested that sensitive data be encrypted in transit, and that security checks of the encrypted channel, including man-in-the-middle attack detection, be added to the App's HTTPS communication.
For more details, please see: Zhu Xingxing: Top 10 Apps Most Likely to Be Rejected
NetEase Cloud Yi Shield provides Android application hardening solutions, with a free trial available to interested readers. A free trial of iOS App hardening is also available.