The open event “Enter Netease: Mobile Testing and Security Practice” was held at Youhui Entrepreneurship Cafe, 4F, Yigao Entrepreneurship Building, Xihu District, Hangzhou. The event focused on hot topics such as how to develop applications efficiently, how to pass security inspection, and how to drive an app's power consumption as low as possible.
A number of technical experts from Netease and Huawei shared their work experience and technical practice. Among them, Zhu Xingxing, a senior security development engineer at Netease, spoke on “Android App Security Inspection Practice”. He noted that the Ministry of Industry and Information Technology is imposing ever stricter security inspection requirements on mobile apps, so many developers will run into the embarrassment of having their app rejected. He therefore suggests that developers watch out for the following 10 common checklist items on which mobile apps are most often rejected.
Photo: Netease senior security development engineer Zhu Xingxing presenting at the event
1. Program code security
“Many people may think there is not much technical content here, but in fact, when the APP is launched, the testing party does have some requirements.” Zhu Xingxing believes that before launching the APP, the developer should prepare the relevant “Legal Declaration and Privacy Policy” together with an explanation of the system permissions the application requests. Which SDKs are used to collect user data, and what the collected user data is used for, are mandatory requirements.
2. Program code protection
Program code protection is one of the items by which the inspector judges the basic strength of code protection, and it is also one of the criteria for judging whether the APP developer has a sense of secure development. The most common code protection methods in the industry are as follows: the client APP adopts code obfuscation, adds protection against decompilation by third-party reverse-engineering tools, and uses hardening, tamper-proofing and anti-repackaging technologies.
3. Passwords and security policies
This is a common problem in financial apps, where developers often have to worry about whether screenshots will be taken while users enter their passwords. “When we help customers solve this problem, we suggest that customers must use an anti-keylogging SDK, so that the arrangement of the keyboard keys is different every time the user opens it; then the APP is safer and passes inspection more easily,” Zhu said.
Image: Netease Cloud Security (ESHIELD) security keyboard
4. Permission and interface security
In the mobile Internet era, hackers' attack methods are more and more diverse, and forging a user login page to steal user information is one of them. During testing of the APP, the tester will present such a fake login page to check whether the APP has any defense against it. This requires the developer to give the user a warning inside the APP whenever the login screen or another key interface has been covered by another window.
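One way to implement the warning the inspector looks for is to check the flags Android sets on a touch event that reached our window through another window on top of it. The following class is an added example for this article, not code from the talk or from Netease ESHIELD; it uses only public Android framework APIs, and the warning text is a constructed placeholder.

```java
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Toast;

// Added example (not from the talk or ESHIELD): detect touches on a sensitive view
// that were delivered while another app's window covered ours, and warn the user.
public final class OverlayGuard {

    private OverlayGuard() {}

    // True if the event arrived while our window was fully or partially covered
    // by another window, which is exactly the situation a fake login overlay creates.
    public static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        // Partial obscuring is only reported on Android 10 (API 29) and later.
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    // Attach to the login button or password field: an obscured touch is swallowed
    // and the user is told that something is covering the screen.
    public static void protect(final View sensitiveView) {
        sensitiveView.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event)) {
                    Toast.makeText(v.getContext(),
                            "Another app is covering this screen. Close it before logging in.",
                            Toast.LENGTH_LONG).show();
                    return true; // consume the touch so no credential is entered
                }
                return false;    // normal handling continues
            }
        });
    }
}
```

Call OverlayGuard.protect(loginButton) when the login screen is created. If you only want the touch dropped without a message, View.setFilterTouchesWhenObscured(true) does that by itself, but then the listener above never sees the event, so pick one of the two approaches rather than combining them.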
5. Dynamic debugging
Dynamic debugging is also a very common concept in software reverse engineering: it means that the person cracking the software uses a debugger to trace its execution and look for a way to break it. Zhu Xingxing said: “In the face of dynamic debugging, we can apply an APP hardening scheme to prevent the APP from being dynamically debugged.”
6. SO injection
SO injection is also a common hacking technique and a mandatory test item in Android APP inspection. According to Zhu, there are generally three solutions: modifying the dlopen function in the linker to prevent third-party SO libraries from being loaded; periodically checking the third-party SO libraries loaded by the application and unloading any SO found to have been injected; and hardening the application under test so that third-party SO libraries cannot be dynamically injected into it.
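The two items above (dynamic debugging and SO injection) both come down to the app noticing something foreign in its own process. The class below is an added example written for this article, not the speaker's or ESHIELD's code; it implements the "periodic detection" option from the three solutions using only /proc files and public Android APIs. The directory allowlist is an assumption and must be tuned for a real app (for example, if it legitimately loads libraries from its own files directory); what to do on a hit is left to the caller.

```java
import android.content.Context;
import android.os.Debug;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the talk or ESHIELD): runtime self-checks an app can run
// periodically to notice an attached debugger or an unexpected native library.
public final class RuntimeIntegrity {

    private RuntimeIntegrity() {}

    // A Java-level (JDWP) debugger is reported by the runtime itself.
    public static boolean isJavaDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    // A native debugger attached with ptrace shows up as a non-zero TracerPid.
    public static boolean isNativeDebuggerAttached() throws IOException {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    return Integer.parseInt(line.substring("TracerPid:".length()).trim()) != 0;
                }
            }
        }
        return false;
    }

    // Returns the paths of .so files mapped into this process that live outside the
    // places we expect: the app's own native lib dir, its APK directory, and system dirs.
    public static List<String> unexpectedNativeLibraries(Context ctx) throws IOException {
        String appLibDir = ctx.getApplicationInfo().nativeLibraryDir;
        // Parent dir of base.apk also covers split APKs installed beside it.
        String apkDir = new File(ctx.getApplicationInfo().sourceDir).getParent();
        List<String> suspicious = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                // maps line layout: address perms offset dev inode [path]
                int idx = line.indexOf('/');
                if (idx < 0) continue;                 // anonymous mapping, no file
                String path = line.substring(idx);
                if (!path.contains(".so")) continue;   // only care about shared objects
                if (path.startsWith(appLibDir) || (apkDir != null && path.startsWith(apkDir))
                        || path.startsWith("/system/") || path.startsWith("/vendor/")
                        || path.startsWith("/apex/") || path.startsWith("/product/")) {
                    continue;                          // assumed-legitimate locations
                }
                if (!suspicious.contains(path)) suspicious.add(path);
            }
        }
        return suspicious;
    }
}
```

Run these checks from a background thread on a timer; a non-empty list from unexpectedNativeLibraries, or a true from either debugger check, is the signal the talk describes, after which the app can unload, refuse sensitive operations, or report the event to its backend. Hardening products wrap the same idea in native code so the check itself is harder to patch out.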
7. Memory data protection
How to keep a program's memory from being read or overwritten by other programs is always an important problem for developers to solve. In Zhu Xingxing's talk he covered memory being read and written by a third-party program. “We monitor read and write operations on /proc/pid/mem, /proc/ti/mem and other files. When these files are accessed by a third-party program, a callback function is triggered, and anti-injection and anti-debugging methods are used to prevent memory modification.”
8. Privacy and data storage
The files an app writes can be a problem if they are stored in clear text. “In fact, regardless of whether the APP has other problems, if the testing party finds plaintext storage in the APP, it will be sent back,” Zhu Xingxing warned. When explaining the importance of this problem, he stressed that during development, developers must pay attention to whether XML and DB files have plaintext storage problems.
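The XML files the inspector finds under shared_prefs are usually SharedPreferences. The following added example, not from the talk or ESHIELD, shows the pattern that gets an app sent back next to a version that stores only ciphertext, using the androidx.security:security-crypto library (Jetpack Security). The preference file and key names are constructed for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;

import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

// Added example (not from the talk or ESHIELD): keep a session token out of plaintext XML.
public final class TokenStore {
    private static final String PREFS_FILE = "secure_session";  // constructed file name
    private static final String KEY_TOKEN = "session_token";    // constructed key name

    private final SharedPreferences prefs;

    // Plaintext variant, shown only for comparison: this writes
    // <string name="session_token">eyJ...</string> into shared_prefs/session.xml,
    // which is exactly what the inspection flags.
    static void savePlaintextForComparison(Context ctx, String token) {
        ctx.getSharedPreferences("session", Context.MODE_PRIVATE)
                .edit().putString(KEY_TOKEN, token).apply();
    }

    // Hardened variant: keys and values are encrypted with a key held in the
    // Android Keystore, so the XML on disk contains only ciphertext.
    public TokenStore(Context ctx) throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        prefs = EncryptedSharedPreferences.create(
                ctx,
                PREFS_FILE,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    public void save(String token) {
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public String load() {
        return prefs.getString(KEY_TOKEN, null);
    }

    public void clear() {
        prefs.edit().remove(KEY_TOKEN).apply();
    }
}
```

The same rule applies to the DB files the talk mentions: a plain SQLite database holds its rows in clear text, so sensitive columns need to be encrypted by the app before insertion or the whole database needs an encrypting wrapper such as SQLCipher.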
9. Log information is leaked
In mobile APP development, the security of log information is a very important issue. Guarding against log information leakage mainly means preventing the printed logs from being used as an easy entry point for analyzing the APP's execution logic. Besides ensuring that logging code cannot be called in the static (release) build, the dynamic runtime must not output log information either.
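A practical way to satisfy both halves of that requirement is to route all logging through one wrapper that is compiled out of release builds and masks obvious secrets even in debug builds. The class below is an added example for this article, not the speaker's code; the BuildConfig package name is assumed and the redaction patterns are deliberately simple.

```java
import android.util.Log;

import java.util.regex.Pattern;

// Added example (not from the talk or ESHIELD): silent in release builds, redacted in debug.
// BuildConfig is generated by Gradle for the app module; "com.example.app" is assumed.
public final class SafeLog {
    private static final boolean ENABLED = com.example.app.BuildConfig.DEBUG;

    // Long digit runs (card, phone, ID numbers) and key=value secrets in messages.
    private static final Pattern DIGITS = Pattern.compile("\\d{6,}");
    private static final Pattern SECRET = Pattern.compile("(?i)(token|password|passwd|pwd)=\\S+");

    private SafeLog() {}

    // Masks the obvious sensitive parts of a message before it reaches logcat.
    static String redact(String msg) {
        if (msg == null) return null;
        String out = DIGITS.matcher(msg).replaceAll("***");
        return SECRET.matcher(out).replaceAll("$1=***");
    }

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, redact(msg));
    }

    public static void w(String tag, String msg) {
        if (ENABLED) Log.w(tag, redact(msg));
    }

    public static void e(String tag, String msg, Throwable t) {
        if (ENABLED) Log.e(tag, redact(msg), t);
    }
}
```

For the static side, add an R8/ProGuard rule of the form -assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); } so that any direct Log.d or Log.v call that slipped past the wrapper is removed from the release build; an inspector decompiling the APK then finds no logging call sites at all.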
10. Communication and data security
Under the impact of a new round of global technological revolution, users' lifestyles increasingly depend on online applications, so communication data is growing explosively. Worryingly, this mass gathering of online data raises the possibility of data leaks and threatens information security. To address this threat, Zhu Xingxing suggested that sensitive data be encrypted before transmission, and that security checks of the encrypted channel (including man-in-the-middle attack detection) be added on top of the HTTPS communication protocol.
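The man-in-the-middle check the talk asks for can be expressed as certificate pinning: the client accepts the server only if the public key in its certificate matches a pin shipped with the app, so a certificate issued by a rogue or user-installed CA fails the handshake. This is an added example using the OkHttp library, not code from the talk or ESHIELD; the host name and both pin strings are placeholders that must be replaced with the real server's SPKI hashes.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example (not from the talk or ESHIELD): HTTPS-only client with public key pinning.
public final class SecureHttp {
    private static final String API_HOST = "api.example.com";  // placeholder host

    // SPKI SHA-256 pins in base64; placeholders. Always ship a backup pin for the
    // next key so rotating the server certificate does not lock clients out.
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .certificatePinner(new CertificatePinner.Builder()
                    .add(API_HOST, PIN_CURRENT)
                    .add(API_HOST, PIN_BACKUP)
                    .build())
            .connectTimeout(10, TimeUnit.SECONDS)
            .build();

    private SecureHttp() {}

    // Thrown when the pin check fails, i.e. someone is terminating our TLS session.
    public static final class PossibleMitmException extends IOException {
        PossibleMitmException(Throwable cause) {
            super("TLS pin mismatch for " + API_HOST + ": possible man-in-the-middle", cause);
        }
    }

    public static String fetchProfile(String bearerToken) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + API_HOST + "/v1/profile")   // scheme is fixed to https
                .header("Authorization", "Bearer " + bearerToken)
                .build();
        try (Response resp = CLIENT.newCall(req).execute()) {
            if (!resp.isSuccessful()) throw new IOException("HTTP " + resp.code());
            return resp.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp raises this when no pin matched; surface it as a MITM signal
            // so the app can refuse to proceed and report the event.
            throw new PossibleMitmException(e);
        }
    }
}
```

Pair this with a network_security_config.xml that sets cleartextTrafficPermitted to false, so that no code path can fall back to plain HTTP, and treat a PossibleMitmException as a security event rather than a transient network error.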
“These are just the 10 most common items for which apps are rejected by testers,” Zhu said. “There are many others in the industry. To avoid the embarrassment of being rejected, developers can check their apps on Netease Cloud Security (ESHIELD) in advance to find and solve problems beforehand and shorten the security review period.”
Netease Cloud Security (ESHIELD) is a security cloud service under Netease Cloud. It provides one-stop security services covering content security, mobile security, business security, network security and anti-DDoS services, and has solved security problems for thousands of enterprises in games, e-commerce, social networking and finance. As an important part of the development work, Android App reverse-engineering protection has always been an important service provided by Netease ESHIELD.