As we all know, code security is a core element of Android development.


On November 3rd, the 7th stop of the Android Bus Global Developer Forum offline salon was held in Chengdu. As the leading Android developer community in China, Android Bus has in recent years committed itself to holding offline technology conferences in major cities across the country, giving Android developers a comprehensive and in-depth interpretation of security technology.


Yin Binbin, a mobile security expert at NetEase ESHIELD, pointed out that secure development can effectively reduce maintenance costs for developers

Yin Binbin, mobile security expert at NetEase ESHIELD, was invited to the conference and gave a keynote speech titled “How to Improve the Security of Android Code”. He shared the common security risks at each stage of the App development cycle and gave suggestions for improving the security of Android code, covering secure development, code hardening, channel monitoring, application audit and other Android code security techniques.


Android application security has multiple vulnerabilities


Yin Binbin first noted that Android and iOS together hold almost the entire mobile market. Compared with iOS, however, Android lacks sufficiently strict control and has not formed a complete security ecosystem, so it frequently carries security risks that harm enterprises, developers and users alike.


For example:


  • Code can be reversed: the logic of the client App can easily be recovered by reverse engineering, exposing sensitive data in the code and program;

  • Function leakage: high-privilege behaviours and functions of the client App can be invoked by other, unauthorized applications;

  • Debuggable: a debugger can be attached to the client App, allowing program data and logic to be extracted and modified at run time;

  • Log information leakage: the client App prints auxiliary debugging information left over from development, including sensitive parameters;

  • Repackaging: the client App can be modified, repackaged and released to application markets for users to download;

  • Cryptography misuse: insecure cryptographic practices in the client App code, such as hard-coded symmetric keys, ECB-mode symmetric encryption, fixed CBC IVs, etc.;

  • Sensitive information leakage: sensitive data embedded in the client App code, such as the shared key used for authentication or a back-end management address that should not be exposed;

  • Plaintext transmission of communication data: data exchanged between the client App and the server is sent over a plaintext channel, or is encrypted in a way that an attacker can still decrypt.



As the technology has matured, mobile App security has reached the stage where the concept of a “security chain” has been introduced: a full range of security services covering the whole App development cycle, including secure development, application security audit, security hardening and channel monitoring.


  • Development stage: developers should follow secure-development specifications for mobile applications and use mature security components such as a secure keyboard SDK or an anti-hijacking SDK; in addition, the client should be assessed for security regularly;

  • Test stage: use black-box penetration testing and white-box code audit to find security defects and vulnerabilities in the mobile application and reduce security risk;

  • Release stage: before going live, apply hardening, obfuscation and similar techniques to raise the attack threshold and the time cost of reverse engineering;

  • Operation stage: monitor third-party application markets to promptly find malicious applications such as pirated, phishing and counterfeit (shanzhai) copies.


Secure development can effectively reduce developer maintenance costs


Secure development means reducing security risk during the development stage, so as to minimize security defects and avoid security problems in the later online operation stage, where the cost of fixing them is high.


The Security Development Lifecycle (SDL) is a security assurance process focused on software development whose goal is to produce secure software. Its core idea is to integrate security into every phase of software development: requirements analysis, design, coding, testing and maintenance. Security activities are added at each stage, from requirements through design to product release, to reduce the number of vulnerabilities, minimize security defects in the software and eliminate them as far as possible before the product ships.


Yin Binbin said that at this stage, on the one hand, teams can run SDL training, strengthen awareness of secure development and formulate secure-coding standards; on the other hand, they can use mature security components.


Specific security recommendations include:


  • Secure keyboard: key presses and touch-screen input can be read from /dev/input/event*, so a secure keyboard with a randomized layout should be used;

  • Key security: avoid hard-coding keys in code; keys can be split and stored encrypted locally, and white-box cryptography keys can also be considered;

  • Communication security: communication protocols get analysed and cracked through man-in-the-middle attacks and weak certificate verification, so communication data must be encrypted and verified and certificate validity must be checked;

  • Anti-interface hijacking: Activities, dialogs or malicious floating windows can be hijacked, leading users to be phished or to tap the wrong thing, so hijacking must be prevented;

  • Environment monitoring: detect ROOT, emulators, the presence of malicious applications, Xposed plug-ins, HOOK frameworks and debuggers;

  • Data check: signature checking, preferably in the JNI layer, at multiple points, with hidden call locations, or combined with a network-side check; detect whether files in the APK have been tampered with, using data fingerprints;

  • Move key logic to the JNI layer: port important logic from the Java layer to the JNI layer and combine it with code obfuscation to raise the difficulty of analysis;

  • Anti-log leakage: prevent development logs from leaking; in the Java layer, control logging through a switch and ProGuard configuration;

  • Anti-sensitive-data leakage: avoid storing sensitive data in plaintext and consider encrypting local storage (such as SharedPreferences and SQLite);

  • Proper use of cryptographic algorithms: SHA-256 instead of MD5 for hashing, no ECB mode for AES, no fixed constants for the initialization vector (IV), and reading /dev/urandom or /dev/random to initialize pseudorandom generators instead of relying on SecureRandom.
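The cryptography misuses listed earlier (hard-coded key, ECB, fixed IV) next to the corrected usage, as an added example that is not code from the talk or from NetEase. It uses only the JDK's javax.crypto and java.security APIs, so it runs on a plain JDK as well as on Android. It goes slightly beyond the recommendation above by using an authenticated mode (AES-GCM) rather than CBC, so that tampering is detected on decryption; it draws randomness from SecureRandom and assumes a platform where that is backed by the kernel entropy pool (/dev/urandom on current Android). The key is generated at run time only for the demo; a real app would load it from the Android Keystore.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoUsage {

    // MISUSE, kept only for contrast: hard-coded key, ECB mode, no IV at all.
    // The key can be lifted from the APK, and identical plaintext blocks
    // produce identical ciphertext blocks, so data structure leaks.
    static final byte[] HARD_CODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    static byte[] weakEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARD_CODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // CORRECT: key supplied from outside the code, a fresh random nonce per
    // message, and an authenticated mode. The nonce is prepended to the output.
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();   // kernel-backed on Android

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                  // never a fixed constant
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);                               // AEADBadTagException if modified
    }

    // Hashing: SHA-256 rather than MD5, as the talk recommends.
    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[32];
        RNG.nextBytes(keyBytes);                            // demo only: use the Keystore in an app
        SecretKey key = new SecretKeySpec(keyBytes, "AES");

        // Constructed sample: two identical 16-byte blocks.
        byte[] msg = "ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP".getBytes(StandardCharsets.UTF_8);

        byte[] ecb = weakEncrypt(msg);
        boolean patternVisible = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16),
                                               Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical blocks visible in ciphertext = " + patternVisible);

        byte[] c1 = encrypt(key, msg);
        byte[] c2 = encrypt(key, msg);
        System.out.println("GCM: same message twice gives same ciphertext = " + Arrays.equals(c1, c2));
        System.out.println("GCM: round trip ok = " + Arrays.equals(decrypt(key, c1), msg));

        c1[c1.length - 1] ^= 1;                             // flip one bit of the tag
        try {
            decrypt(key, c1);
            System.out.println("GCM: tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: tampering detected");
        }

        System.out.println("SHA-256(msg) = " + sha256Hex(msg));
    }
}
```

Running it shows the ECB pattern leak on the repeated block, two different ciphertexts for the same GCM input, and a rejected decryption after the single-bit change. The weak variant is present only so that a reviewer can recognise the pattern in a code audit.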


The cost of discovering or preventing security risks is low in the development and testing stages, and the cost of security problems is high in the release and operation stages. Developers should therefore be clear about the importance of secure development.


Application audit


“As long as people are developing code, there will be security holes,” Yin said. In recent years security vulnerabilities have taken more and more forms; denial of service and WebView plaintext password storage vulnerabilities, among others, have deeply troubled enterprises and developers. The importance of application audit is therefore growing.


Generally speaking, application audit mainly includes vulnerability scanning and penetration testing.


1. Vulnerability scanning


In vulnerability scanning, black-box testing is one of the more common methods and can easily be integrated into the existing development process. It readily provides the details of a vulnerability, the line of code concerned, the risk level, repair suggestions and so on. Mobile Security Framework (MobSF) is a good tool for automated mobile application security testing.


2. Penetration testing


Penetration testing can effectively examine client program security, sensitive information security, password soft-keyboard security, security policy settings, gesture password security, communication security, configuration files, denial of service, local SQL injection and other threat types.


Code hardening


Code hardening mainly includes application hardening (DEX files, SDK files, SO files) and source-code obfuscation (Java, C/C++, JavaScript/HTML).


1. DEX hardening


As protection moves from the Java level toward the C++ level, its granularity becomes finer (files, methods, instructions) and the boundary between the shell logic and the hardened business logic becomes blurred. To balance security against execution efficiency, DEX hardening can be adopted:


  • Memory loading: prevents static analysis;

  • Instruction extraction: increases the difficulty of memory dumps;

  • VMP protection: instruction-level virtual-machine protection;

  • Java2C: converts Java instructions to C for execution.


2. SDK hardening


Java bytecode is easy to decompile, and obtaining an SDK is almost like obtaining its source code directly. Currently, SDK protection is limited to ProGuard obfuscation during development; there are no higher-level protection measures.


However, the idea of DEX hardening can be borrowed to extract the Java bytecode.


3. SO hardening (packing)


SO hardening includes custom section encryption and a custom linker, as in the following example:


  • First repair the ELF file by building the shell SO's soinfo;

  • Resolve imported function addresses and fix them up (mapping the exported functions onto the shell SO), then run init_proc and init_array;

  • Fix up the shell SO file, the effective exported functions and the JNI_OnLoad function;

  • Run the loaded SO's JNI_OnLoad function.


4. Java source code obfuscation


In ProGuard obfuscation you can also set your own obfuscation dictionary; this is one of the most common security measures.


5. C/C++ obfuscation


For C/C++, the commonly used tool is Obfuscator-LLVM, which provides:


  • Control flow flattening: converts if, while, for, do and other control statements in C, C++ and other languages into switch-based branch selection without changing the program's function. Control flow flattening is a bit like VM protection: each case block corresponds to a VM handler and each case value corresponds to a VM opcode.

  • Instruction replacement: there are two ways to generate conditional jump instructions, opaque predicates and bogus control flow. With an opaque predicate, block0 becomes if(identity){block0;} else {junk code} or if(constant inequality){junk code} else {block0;}; with bogus control flow it becomes if(random condition){block0;} else {block1;}, where the else basic block block1 is a copy of block0.

  • Control flow forgery.
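Control flow flattening applied by hand to a small function, as an added example that is not from the talk or from Obfuscator-LLVM's own code. Obfuscator-LLVM works on LLVM IR for C/C++; the transformation is shown here in Java so the whole page stays in one language, and the structure is identical: every basic block becomes a case of one switch, a state variable plays the role of the VM opcode, and the original if/for structure disappears. The case numbers are arbitrary; a real obfuscator picks random values.

```java
public class Flattening {

    // Original function: a loop with a branch inside it. Constructed example.
    static int checksum(byte[] data) {
        int sum = 0;
        for (int i = 0; i < data.length; i++) {
            if ((data[i] & 1) == 0) {
                sum += data[i];
            } else {
                sum ^= data[i];
            }
        }
        return sum;
    }

    // Flattened form: the same computation driven by a dispatcher.
    // `state` is the "opcode"; each case body is the "handler" for one
    // original basic block, and every block ends by choosing the next opcode.
    static int checksumFlattened(byte[] data) {
        int state = 7;          // entry opcode
        int sum = 0;
        int i = 0;
        while (true) {
            switch (state) {
                case 7:         // entry: initialise the loop counter
                    i = 0;
                    state = 3;
                    break;
                case 3:         // loop condition
                    state = (i < data.length) ? 11 : 2;
                    break;
                case 11:        // branch inside the loop body
                    state = ((data[i] & 1) == 0) ? 5 : 9;
                    break;
                case 5:         // then-block
                    sum += data[i];
                    state = 4;
                    break;
                case 9:         // else-block
                    sum ^= data[i];
                    state = 4;
                    break;
                case 4:         // loop increment, back to the condition
                    i++;
                    state = 3;
                    break;
                case 2:         // exit block
                    return sum;
                default:        // unreachable if the opcode table is intact
                    throw new IllegalStateException("bad state " + state);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs covering empty, odd-only, even-only and mixed data.
        byte[][] samples = {
            {},
            {1, 3, 5},
            {2, 4, 6},
            {1, 2, 3, 4, 5, 6, 7, 8},
            {(byte) 0xFF, (byte) 0x80, 0x7F, 0x00}
        };
        for (byte[] s : samples) {
            int plain = checksum(s);
            int flat = checksumFlattened(s);
            System.out.println(plain + " == " + flat + " : " + (plain == flat));
        }
    }
}
```

Decompiling the flattened version yields one big loop around a switch, with no visible for/if nesting; an analyst has to recover the edges between cases to rebuild the control-flow graph. Obfuscator-LLVM further hides the next-state assignments behind opaque predicates and bogus blocks, which is what the two other items above describe.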



Other common C/C++ obfuscations include:


  • Multiple branches;

  • Basic block splitting: divide a basic block into several basic blocks. There are two methods: one splits at the current instruction of the basic block with some probability; the other counts the total number of instructions in the basic block, call it A, randomly generates a number B less than A, splits off the first B instructions of the block, subtracts B from A, and iterates until A equals 1.

  • String encryption;

  • Constant hiding;

  • Constant expansion;

  • Constant array randomization: randomize the index of each constant in an array. Given a constant array a[], randomly generate index permutation arrays b[], c[] and d[] (more can be generated), then loop over i assigning z[b[c[d[i]]]] = a[i] to build the scrambled array z[], and finally replace every use of a[i] with z[b[c[d[i]]]].

  • Expression transformation: for the logical operations not, and, or and xor, the operands can first be split into several smaller numbers that are operated on separately and finally joined with OR. Of course, these four operations can all be built from NAND gates or OR gates. Other common transformations treat the operands as big numbers and perform big-number arithmetic, and some operations can be converted to SIMD instructions. As for floating point, there are many software implementations of floating-point arithmetic.
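The constant array randomization item above, worked through in code, as an added example that is not from the talk or from any obfuscator's source. Again written in Java so the page stays in one language; the technique is language-independent. The arrays b, c and d are random permutations, so their composition is a bijection and the scatter loop fills every slot of z exactly once. In a real build the obfuscator emits b, c, d and z as constants and the original a[] never appears in the binary; here a[] is kept so the result can be checked.

```java
import java.util.Random;

public class ConstArrayRandomize {

    // Original constant table (constructed) that should not be obvious in the binary.
    static final int[] A = {0x1F, 0x2E, 0x3D, 0x4C, 0x5B, 0x6A, 0x79};

    // Fisher-Yates shuffle of 0..n-1: a uniformly random permutation.
    static int[] permutation(int n, Random rng) {
        int[] p = new int[n];
        for (int i = 0; i < n; i++) p[i] = i;
        for (int i = n - 1; i > 0; i--) {
            int j = rng.nextInt(i + 1);
            int t = p[i]; p[i] = p[j]; p[j] = t;
        }
        return p;
    }

    static final int[] B, C, D, Z;

    static {
        // Fixed seed so the demo is reproducible; an obfuscator draws these
        // permutations once at build time and hard-codes the result.
        Random rng = new Random(42);
        int n = A.length;
        B = permutation(n, rng);
        C = permutation(n, rng);
        D = permutation(n, rng);
        Z = new int[n];
        for (int i = 0; i < n; i++) {
            Z[B[C[D[i]]]] = A[i];          // scatter: z[b[c[d[i]]]] = a[i]
        }
    }

    // What the obfuscated program uses in place of A[i].
    static int a(int i) {
        return Z[B[C[D[i]]]];
    }

    public static void main(String[] args) {
        boolean allMatch = true;
        for (int i = 0; i < A.length; i++) {
            allMatch &= (a(i) == A[i]);
        }
        System.out.println("scrambled table Z = " + java.util.Arrays.toString(Z));
        System.out.println("every a(i) equals A[i]: " + allMatch);
    }
}
```

Printing Z shows the constants in a different order from A; reading the table at run time still yields the original values because the three index indirections undo the scatter. The same idea extends to more permutation layers or to applying a reversible arithmetic mask to the stored values, which is where this item meets the "constant hiding" and "constant expansion" items above.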


6. H5 obfuscation


H5 obfuscation refers to obfuscating JS syntax and logic.


It analyses the JS source code from the perspective of the abstract syntax tree: the source string is parsed into a tree structure, and then the corresponding attributes (strings, variable names, function names, etc.) are obfuscated or encrypted.


Channel monitoring can sense the security situation at any time


Channel monitoring is also an important topic in Android security. Its work mainly consists of reporting runtime information such as whether the App is being debugged, hooked or unpacked, so as to perceive the security situation at any time.


  • Crawler: monitor App download data from mainstream channels, including third-party markets, forums, etc.;

  • Piracy identification: analyse application icon, name, package name, resource files, code fingerprint and so on with similarity algorithms;

  • Data analysis: analyse the distribution of piracy channels, download counts, piracy source tracing, tampered content and so on.
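The client-side half of channel monitoring, the environment checks from the secure-development list (ROOT, emulator, Xposed, debugger) gathered into the “running information” this section says to report, as an added example that is not code from the talk or from NetEase. It uses only the public Android framework (android.os.Debug, android.os.Build, ApplicationInfo); the file paths for su and XposedBridge.jar are common heuristics listed as constructed data, and the Build-property matches are likewise heuristics. How the findings are sent to the monitoring back end is left to the app.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class EnvironmentChecks {

    // Constructed list of locations where a su binary is commonly installed.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    // Constructed: artifact left by the classic Xposed framework.
    private static final String XPOSED_BRIDGE = "/system/framework/XposedBridge.jar";

    private EnvironmentChecks() {}

    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    public static boolean isDebuggableBuild(Context ctx) {
        int flags = ctx.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    public static boolean hasSuBinary() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    public static boolean isTestKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.MODEL.contains("Emulator")
            || Build.MODEL.contains("Android SDK built for x86")
            || Build.HARDWARE.contains("goldfish")
            || Build.HARDWARE.contains("ranchu");
    }

    public static boolean xposedArtifactPresent() {
        return new File(XPOSED_BRIDGE).exists();
    }

    /** Findings to report to the monitoring back end; empty list means clean. */
    public static List<String> report(Context ctx) {
        List<String> findings = new ArrayList<>();
        if (isDebuggerAttached())       findings.add("debugger_attached");
        if (isDebuggableBuild(ctx))     findings.add("debuggable_build");
        if (hasSuBinary())              findings.add("su_binary_present");
        if (isTestKeysBuild())          findings.add("test_keys_build");
        if (looksLikeEmulator())        findings.add("emulator_suspected");
        if (xposedArtifactPresent())    findings.add("xposed_artifact");
        return findings;
    }
}
```

Each check on its own is cheap to defeat, which is why the talk pairs client-side detection with server-side analysis: the value is in the aggregate signal across installs (how many reports from emulators, from debuggable builds, from rooted devices per channel), not in blocking a single device. As with the signature check, the recommendation is to duplicate the important checks in the JNI layer.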


Conclusion


“There is no limit to defense,” said Yin Binbin. Through secure-coding specification requirements, security testing before release, code hardening, business integrity checks based on the network communication layer during operation, and standardized SDL testing in every aspect, 80 to 90 percent of attacks can be resisted, but new security problems may still arise.


As a result, he says, “mobile security solutions need to be more businesslike and relevant.”


Relying on NetEase's 20 years of technology accumulation and the protection experience of dozens of business lines, NetEase YIDeng has a massive feature database and mature security mechanisms; combined with large-scale cloud computing and artificial intelligence technology, it has formed solutions for games, finance, e-commerce, entertainment and other scenarios, serving thousands of customers inside and outside the Group. “If you need more reliable mobile security, come and talk to us,” Yin Binbin said in closing.




