How to improve the security of Android code systematically and effectively

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will talk with you about how to systematically and effectively improve the security of Android code. Many people may not know this, so to help everyone learn more, the editor has summarized the following content; I hope you gain something from this article.

As we all know, code security is a core element of Android development work.

Android app security has multiple hidden dangers

Yin Binbin first noted that Android and iOS together hold almost the entire mobile market share, but compared with iOS, Android lacks strict enough control and has not formed a complete security ecosystem, so it frequently carries many security risks that harm enterprises, developers and users.

For example:

Code reversibility: the logic of the client app can easily be recovered and reverse-engineered to obtain sensitive data in the code and program;

Function leakage: high-privilege behaviours and functions in the client app can be called and accessed by other, unauthorized applications;

Debuggable: the client app can be debugged, allowing program data and logic to be extracted and modified dynamically at runtime;

Log information leakage: the client app prints auxiliary debugging information during development and leaks it, including sensitive parameters and other data;

Secondary packaging: the client app's code may be modified, repackaged and released on the market for users to download;

Cryptographic misuse: insecure cryptographic implementations are used in the client app code, such as fixed hard-coded symmetric keys, ECB-mode symmetric encryption, a fixed IV in CBC mode, etc.;

Sensitive information leakage: sensitive data is leaked from the client app code, such as shared keys used for authentication, back-end server management addresses that should not be exposed, etc.;

Plaintext transmission of communication data: the data exchanged between the client app and the server is transmitted over a plaintext channel, or is encrypted in a way that can still be decrypted;

......

As technology has continued to develop and mature, mobile app security protection has reached the stage where the concept of a "security ecosystem chain" has been introduced: a full set of security services integrated into the whole app development and release cycle. This chain includes security development, application audit, security hardening, channel monitoring, etc.

Development phase: developers should follow secure development specifications for mobile applications, use mature security components such as a secure keyboard SDK or an anti-hijacking SDK, and regularly conduct security assessments of the client;

Test phase: black-box penetration testing and white-box code audit are used to discover security defects and vulnerabilities in mobile applications and reduce security risk;

Release phase: before going live, use hardening, obfuscation and other techniques to strengthen the application, raising the attack threshold and the time cost of reverse engineering;

Operation phase: monitor third-party application markets and promptly discover malicious applications such as pirated, phishing and copycat apps.

Secure development can effectively reduce developers' maintenance costs

Secure development means reducing security risk during the development phase, thereby minimizing security defects and avoiding security problems in the later online operation phase, where the cost of fixing them is higher.

The Security Development Lifecycle (SDL) is a security assurance process for software development whose aim is to build secure software applications. Its core idea is to integrate security considerations into every phase of software development: requirements analysis, design, coding, testing, and maintenance. Security activities are added at each stage, from requirements and design through to product release, to reduce the number of vulnerabilities in the software and minimize security flaws, eliminating vulnerabilities as far as possible before the product version is released.

Yin Binbin said that at this stage, on the one hand, SDL training can be carried out to strengthen security awareness among developers and to formulate secure coding specifications; on the other hand, mature security components can be adopted.

Specific security recommendations include:

Secure keyboard: because /dev/input/event can be read to capture key presses and touch-screen events, use a secure keyboard with a randomized layout;

Key security: avoid hard-coding keys in the code; keys can be stored locally in encrypted segments, and white-box keys can also be considered;

Communication security: man-in-the-middle attacks, weak certificate verification, etc. allow the communication protocol to be analysed and broken; it is necessary to encrypt and verify the communication data and to verify the validity of the certificate;

Anti-hijacking of the interface: Activity hijacking, dialog-box hijacking or malicious floating windows lead to user phishing or accidental taps, so anti-hijacking measures are required;

Environment monitoring: detect ROOT, emulators and malicious applications in the environment, as well as Xposed plug-ins, HOOK frameworks and debuggers;

Data verification: signature verification, preferably implemented in the JNI layer, with multi-point checks, hidden call locations, or combined with network-side verification, to detect whether files in the APK have been tampered with (data fingerprinting);

Moving key logic to the JNI layer: translate important logic from the Java layer into the JNI layer and combine it with code obfuscation to make analysis harder;

Anti-log leakage: prevent development logs from leaking, controlled by a switch, and on the Java layer through ProGuard configuration;

Prevention of sensitive data leakage: avoid storing sensitive data in plaintext; consider encrypting local storage (SharedPreferences, SQLite, etc.);

Use cryptographic algorithms correctly: use SHA-256 rather than MD5 for hashing, do not use AES in ECB mode, do not use a fixed constant as the initialization vector (IV), and use /dev/urandom or /dev/random to seed the pseudo-random number generator instead of SecureRandom.
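One of the environment-monitoring checks listed above, debugger detection, as an added example in C (not code from the article or its speaker) of the kind that would live in the JNI layer: it parses the TracerPid field of /proc/self/status, which a ptrace-attached debugger sets to its own pid. The Linux /proc layout is assumed, and the two status texts are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the TracerPid value from the text of /proc/self/status.
 * Returns the tracer's pid (0 = nothing is ptrace-attached), or -1 when the
 * field is missing or malformed, so a caller can treat "unknown" as suspicious. */
static long tracer_pid_from_status(const char *status_text) {
    static const char key[] = "TracerPid:";
    const size_t klen = sizeof key - 1;
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0) {
            char *end;
            long pid = strtol(line + klen, &end, 10);
            return (end == line + klen) ? -1 : pid;   /* -1: no digits after the key */
        }
        line = strchr(line, '\n');          /* advance to the next line */
        if (line) line++;
    }
    return -1;
}

/* Live check: read this process's own status file (Linux /proc layout assumed). */
static long tracer_pid_live(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Constructed sample status texts (not real captures): one traced, one clean. */
static const char SAMPLE_TRACED[] =
    "Name:\tapp_process64\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t31337\nUid:\t10123\t10123\t10123\t10123\n";
static const char SAMPLE_CLEAN[] =
    "Name:\tapp_process64\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t10123\t10123\t10123\t10123\n";

int main(void) {
    printf("constructed traced sample: TracerPid=%ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("constructed clean sample:  TracerPid=%ld\n", tracer_pid_from_status(SAMPLE_CLEAN));
    printf("this process:              TracerPid=%ld\n", tracer_pid_live());
    return 0;
}
```

On a real device this check belongs beside the other environment checks and should be evaluated at several points, not once at startup.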

The cost of discovering or preventing security risks in the development and testing phases is low, and the cost of security problems in the launch or operation phases is high. Therefore, developers should clearly understand the importance of security development.

Application audit

"As long as people are developing code, there will be security vulnerabilities," Yin Binbin said. In recent years, security vulnerabilities have become more and more diverse, with denial-of-service, WebView plaintext password storage and other vulnerabilities deeply troubling enterprises and developers. Therefore, the importance of application audit is becoming more and more obvious.

Generally speaking, the main methods of application audit are vulnerability scanning and penetration testing.

1. Vulnerability scanning

Black-box testing is one of the more common tools in vulnerability scanning and can easily be integrated into existing development processes. It readily provides vulnerability details, the affected lines of code, risk level, fix recommendations, and so on. The automated Mobile Security Framework (MobSF) is a great tool for this.

2. Penetration testing

Penetration testing can effectively assess client program security, sensitive information security, password soft-keyboard security, security policy settings, gesture password security, communication security, configuration files, denial of service, local SQL injection and other threat types.

Code hardening

Code hardening mainly includes application hardening (DEX files, SDK files, SO files) and source-code obfuscation (Java, C/C++, JavaScript/HTML).

1. DEX hardening

Going from Java down to C++, the lower the level, the finer the granularity of the system (files, methods, instructions) and the more blurred the boundary between the shell logic and the hardened business logic. To balance security against execution efficiency, DEX hardening can use:

Memory loading: prevents static analysis;

Instruction extraction: makes memory dumps harder;

VMP protection: instruction-level virtual machine protection;

Java2C: transforms Java instructions into C for execution.

2. SDK hardening

Java bytecode is easy to decompile, so obtaining an SDK is basically equivalent to obtaining its source code. Currently, protection for SDKs is limited to ProGuard obfuscation during the development phase, and there are no higher-strength security measures.

But the idea of DEX hardening can be borrowed to extract the Java bytecode:

3. SO hardening

SO encryption includes custom section encryption and a custom linker, as shown in the following example:

First parse the ELF file, i.e. build the soinfo for the shelled SO file, then perform relocation repair:

Import function addresses: obtain and fix them (map the shell SO's exported functions to the shelled SO), then run init_proc and init_array;

Fix up the shelled SO file, its valid exported functions and its JNI_OnLoad function;

Run the shelled SO's JNI_OnLoad function.

4. Java source code obfuscation

Here you can set up your own obfuscation dictionary; this is also one of the most commonly used protection methods.

5. C/C++ obfuscation

C/C++ obfuscation can be implemented efficiently with the Obfuscator-LLVM tool, and mainly includes the following methods:

Control flow flattening: without changing the function of the source code, control statements such as if, while, for and do in C, C++, etc. are converted into switch branch-selection statements. Control flow flattening is a bit like virtual machine protection: the case blocks correspond to VM handlers and the case values correspond to VM opcodes.

Instruction substitution: there are two ways to generate conditional jump instructions, one called opaque predicates and the other called bogus control flow. Given a basic block block0, an opaque predicate turns it into if(identity){block0;}else{garbage code} or if(constant inequality){garbage code}else{block0;}; bogus control flow turns it into if(random condition){block0;}else{block1;}, where block1 in the else branch is a copy of block0.

Control flow forgery.
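The transformations above, shown as an added example in C (hand-written to illustrate the idea; not the article's code and not Obfuscator-LLVM output): a small byte-mixing function, the same function flattened into a switch dispatcher whose state variable plays the role of the VM opcode, and a copy guarded by an opaque predicate with a garbage block on the edge that is never taken. The input bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample input (not from the article). */
static const uint8_t SAMPLE[] = {7, 2, 255, 0, 101, 44, 9, 128, 3};

/* Reference version with ordinary structured control flow. */
static uint32_t mix_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] & 1)
            acc = (acc ^ buf[i]) * 16777619u;     /* odd byte  */
        else
            acc = (acc + buf[i]) ^ (acc >> 3);    /* even byte */
    }
    return acc;
}
/* Flattened version: each basic block becomes a case and `state` (the "VM
 * opcode") selects the next block, so the CFG is one flat dispatcher loop. */
static uint32_t mix_flattened(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x811c9dc5u;
    size_t i = 0;
    int state = 0;
    for (;;) {
        switch (state) {
        case 0: state = (i < len) ? 1 : 5; break;          /* loop header */
        case 1: state = (buf[i] & 1) ? 2 : 3; break;       /* the if test */
        case 2: acc = (acc ^ buf[i]) * 16777619u; state = 4; break;
        case 3: acc = (acc + buf[i]) ^ (acc >> 3); state = 4; break;
        case 4: i++; state = 0; break;                     /* loop latch  */
        default: return acc;                               /* loop exit   */
        }
    }
}
/* Opaque predicate: x*(x+1) is a product of two consecutive integers and so is
 * always even (also modulo 2^32); the test is always true but not obviously so. */
static int opaque_true(uint32_t x) { return ((x * (x + 1u)) & 1u) == 0; }

/* Bogus control flow: the real block hangs off the opaque predicate; the
 * garbage block on the other edge is never executed. */
static uint32_t mix_bogus(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        if (opaque_true(acc))
            acc = (buf[i] & 1) ? (acc ^ buf[i]) * 16777619u : (acc + buf[i]) ^ (acc >> 3);
        else
            acc = acc * 7u + 0xdeadbeefu;   /* garbage code, unreachable */
    }
    return acc;
}
```

All three variants compute the same value for any input; a decompiler shows the plain loop immediately but has to reconstruct the others from the dispatcher state machine and the predicate.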

Other common C/C++ obfuscations include:

Multiple branching;

Basic block splitting: dividing a basic block into several basic blocks. There are two methods: one is to split at the current instruction of the basic block according to a probability; the other is to count the total number of instructions in the basic block, call it a, randomly generate a number less than a, call it b, split the basic block after b instructions, subtract b from a, and iterate until a equals 1.

String encryption;

Constant hiding;

Constant expansion;

Array randomization of constants: randomizes the index of a constant in an array. Given a constant array a[] with index value i, randomly generate index arrays b[], c[], d[] (more can be generated), loop z[b[c[d[i]]]] = a[i] to generate a random constant array z[], then replace a[i] with z[b[c[d[i]]]].

Expression transformation: for the logical operations not, and, or and xor, the operands can be split into several smaller numbers, operated on separately, and finally recombined with or. Of course, all four operations can be built from NAND gates or NOR gates. Other common tricks treat the operands as big numbers and perform big-number arithmetic, or convert the operations into SIMD instructions. As for floating-point numbers, many software implementations of floating-point arithmetic are available.
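Array randomization of constants and the NAND form of expression transformation from the list above, as an added example in C (not the article's code): b, c and d are generated as random permutations so that every slot z[b[c[d[i]]]] is distinct, and not/and/or/xor are rebuilt from a single nand helper. The constants and the PRNG are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define N 8
/* Constructed sample constants the obfuscator wants to hide (not from the article). */
static const uint32_t a[N] = {0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666, 0x7777, 0x8888};
static size_t b[N], c[N], d[N];   /* random index arrays, each a permutation */
static uint32_t z[N];             /* the randomized constant array           */

/* Small deterministic xorshift PRNG so a layout is reproducible from a seed. */
static uint32_t rng_state = 1u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Fisher-Yates shuffle of the identity; b, c, d must be bijections, or two
 * constants would land in the same slot of z and one of them would be lost. */
static void random_permutation(size_t *p) {
    for (size_t i = 0; i < N; i++) p[i] = i;
    for (size_t i = N - 1; i > 0; i--) {
        size_t j = rng_next() % (i + 1);
        size_t t = p[i]; p[i] = p[j]; p[j] = t;
    }
}

/* Build z so that z[b[c[d[i]]]] == a[i]; afterwards a[] itself can be dropped. */
static void randomize_constants(uint32_t seed) {
    rng_state = seed ? seed : 1u;   /* xorshift must never start at 0 */
    random_permutation(b); random_permutation(c); random_permutation(d);
    for (size_t i = 0; i < N; i++) z[b[c[d[i]]]] = a[i];
}

/* What the obfuscated program executes in place of a[i]. */
static uint32_t lookup(size_t i) { return z[b[c[d[i]]]]; }

/* Self-check: build a layout from `seed`, return 1 if every lookup matches a[]. */
static int verify_lookup(uint32_t seed) {
    randomize_constants(seed);
    for (size_t i = 0; i < N; i++) if (lookup(i) != a[i]) return 0;
    return 1;
}

/* Expression transformation: not/and/or/xor rebuilt from NAND alone. */
static uint32_t nand(uint32_t x, uint32_t y) { return ~(x & y); }
static uint32_t not_(uint32_t x)             { return nand(x, x); }
static uint32_t and_(uint32_t x, uint32_t y) { return not_(nand(x, y)); }
static uint32_t or_(uint32_t x, uint32_t y)  { return nand(not_(x), not_(y)); }
static uint32_t xor_(uint32_t x, uint32_t y) { uint32_t t = nand(x, y); return nand(nand(x, t), nand(y, t)); }
```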

6. H5 obfuscation

H5 obfuscation refers to obfuscation at the level of JS syntax and logic.

This means parsing the JS source code from the perspective of an abstract syntax tree, converting the source string into a tree structure, and then obfuscating or encrypting the corresponding attributes (such as strings, variable names, function names, etc.).

Channel monitoring can sense the security situation at any time

Channel monitoring is also an important topic in Android security development. Its main work is reporting run-time information such as whether the app is being debugged, hooked or unpacked, so that the security situation can be perceived at any time.

Crawler: monitor download data from mainstream channels, including third-party markets, forums, etc.;

Piracy identification: analyse the application icon, name, package name, resource files, code fingerprint, etc. with similarity algorithms;

Data analysis: analyse the distribution of piracy channels, download counts, piracy traceability, tampered content and other data.

After reading the above, do you have a better understanding of how to effectively improve the security of Android code? If you want to learn more, please follow the industry information channel. Thank you for your support.
