Shulou(Shulou.com)05/31 Report--

This article mainly explains "what are the security risks if SDK is not reinforced?" interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next, let the editor take you to learn "what are the security risks if SDK is not reinforced?"

What are the security risks if SDK is not reinforced?

1. It is easy to be peeped into the internal implementation details or internal call process by competitors or malicious ones, and may even disclose private data.

SDK, the Android platform, is mostly written in Java and is easily decompiled. If it's just simple confusion, it's easy to pry into the details of the internal implementation; if there's some privacy data inside SDK, it's easy to leak. More importantly, if these details relate to the key technology implementation points, it is tantamount to leaking the core technology.

two。 The malicious person implants malicious advertisements or malicious code through bytecode injection and then repackages and publishes them.

Due to the particularity of SDK, there is no signature verification logic like App, so once the malicious person has implanted some malicious code or malicious advertisement in your SDK and then reissued, it will be difficult to detect and seriously affect the brand image and reputation of the developer.

3. The cracked person bypassed the key logic and caused economic losses.

If there is a payment function in SDK, and the payment logic is found by the malicious person, which happens to involve the payment related logic and does not do a good server verification, once the malicious person removes these payment logic through AOP means, it means that the paid service will be available for free.

There may be vulnerabilities in 4.SDK itself, which can be easily exploited by malicious people.

In their development, SDK developers often focus on the implementation of functions, and generally do not pay too much attention to security, so it is difficult to ensure that there are no loopholes in their own SDK. Therefore, once there are some security vulnerabilities in SDK, and these vulnerabilities are known and exploited by malicious people, it is like laying a mine that can be detonated at any time. It not only endangers users' data and privacy security, but also seriously affects the reputation of SDK developers and even causes economic compensation in the event of an accident.

How to solve

Through the analysis of security risks, we can see that the crux of the problem is that malicious people are easy to snoop on the implementation logic of SDK. Therefore, developers are advised to take the following protective measures:

1. The modification of key data must be verified by the server: for example, the payment-related logic mentioned above, changes to data such as balance or amount paid must first be verified by the server, and then synchronize the results to the client.

two。 The key logic is implemented in the Native layer: transfer some key logic of the Java layer to the JNI layer and implement it with Cramble +, raising the threshold of decompilation.

3. String encryption: strings in the code, especially those with sensitive information, must be encrypted and decrypted at run time.

But to achieve the above points is not enough, can only prevent ordinary developers. In front of professional crackers, our painstaking development of SDK is likely to be reduced to cannon fodder in their hands, resulting in economic losses.

Therefore, it is recommended to access third-party security services, such as Yi Dun's SDK reinforcement service.

Introduction to SDK reinforcement of easy Shield

Before introducing Yi Dun SDK reinforcement, let's introduce the confusing method used by most developers on the market-Proguard. Proguard is the most widely used confusion on the Android platform, which is processed at the syntax level by abstract syntax trees, making the processed code difficult to read and understand. As follows:

However, changing the class name and method name to some meaningless random strings, such as "a _ c, can increase the cost of reading and understanding by the cracker, but the effect is obviously very limited. For the cracker, it is only a matter of time before the intent of the code is analyzed.

So what is the SDK hardening solution of easy Shield? Next, let me introduce to you:

1. The Scheme of strengthening VMP with easy Shield SDK

The method of the class to be protected is emptied, and the extracted instructions are encrypted and executed by a custom virtual machine at run time, so that the cracker can not get the original code logic.

The effect is as follows:

two。 The Scheme of strengthening Java2c with easy Shield SDK

The scheme is to Native the method of the class to be protected, and at the same time convert the logic of the original function implementation into the corresponding Native code, and execute the corresponding Native function directly at run time. The effect is as follows:

Pre-reinforcement example

Example after reinforcement

From a static analysis point of view, compared with Proguard obfuscation, it is obvious that the hardened method has been Native, and the implementation logic is completely invisible in the Java layer. The original function logic of the Java layer is transformed into the code implementation of the JNI layer. At the same time, the generated SO of the Native layer is encrypted, which makes it more difficult to crack.

(note: in the above figure, in order to see more clearly that the reinforced method has been converted to the corresponding Native layer implementation, the generated Native layer SO is not encrypted. In fact, the Java2c reinforcement scheme of easy Shield SDK will encrypt the Native layer SO generated after reinforcement.)

At this point, I believe that everyone on the "SDK is not reinforced what are the security risks" have a deeper understanding, might as well to the actual operation of it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.