Mobile application security requirements analysis and security protection engineering
For mobile application security, NetEase YiDun is a professional application reinforcement service provider with high compatibility, zero loss, high security, and a free trial. NetEase YiDun provides anti-reverse-engineering, anti-tampering, anti-debugging, anti-repackaging and other protections as a one-stop application reinforcement solution.
Edited at 2022-10-11 17:41:08
25. Mobile application security requirements analysis and security protection engineering
1. Mobile application security threats and requirements analysis
1. Mobile application system composition
2. Mobile application security analysis
The main types of security threats to mobile applications are as follows.
(1) Security threats to mobile operating system platforms.
(2) Wireless network attacks. Such as counterfeit base stations, domain name fraud, phishing and other attack activities.
(3) Mobile application code reverse engineering. Attackers decompile and analyze the binary code of mobile applications to obtain the key algorithm ideas of the mobile application source code or steal sensitive data.
(4) Illegal modification of mobile applications. Illegal tampering with mobile applications and stealing user information. It may also pose a threat to the server.
2. Android system security and protection mechanism
1. Android system composition overview
Android is an open source mobile terminal operating system. Its system structure is divided into the Linux kernel layer (Linux Kernel), the system runtime library layer (Libraries and Android Runtime), the application framework layer (Application Framework) and the application layer (Applications).
Each layer of the Android system faces varying degrees of security threats. Among them, the basic layer security threat of the Android system comes from Linux kernel attacks. Common forms include APK repackaging, update attacks, etc. For example, implanting a Trojan and then packaging it.
2. Android system security mechanism
(1) application layer
Application layer: permission declaration mechanism. Some restrictions are set between operation permissions and objects. Only by binding permissions to objects can you have the right to operate on those objects. Permissions at the application layer include normal permissions, dangerous permissions, signature permissions, and signatureOrSystem permissions. Normal permissions will not cause substantial harm to users; dangerous permissions may bring potential threats to users, such as reading user location information, reading phone books, etc.; signature permissions mean that only applications with the same signature can access; signatureOrSystem permissions are mainly used by equipment vendors.
(2) application framework layer
Application framework layer: application signing mechanism. All applications installed into the Android system must have a digital certificate. This digital certificate is used to identify the trust relationship between the author of the application and the application.
(3) System operation layer
1||| Sandbox isolation mechanism.
2||| Use the SSL/TLS protocol to encrypt network data transmission.
(4) The kernel layer of the system
Kernel layer: file system security, address space layout randomization, SELinux.
The kernel layer of the Android system adopts partitioning and the Linux ACL permission control mechanism. Under the Linux ACL permission control mechanism, the access permissions of each file are jointly controlled by its owner, the group to which it belongs, and the read, write and execute permission bits. Files are assigned different application IDs when they are created, and other applications can access them only if they have the same application ID or the files are set to be globally readable and writable. Each application has its own user ID and its own private file directory. When the system is running, the outermost layer of security protection is provided by Linux. The partition where system.img is located is read-only, and the partition where data.img is located is read-write and is used to store user data.
Hardware-based NX (No eXecute) support was added after Android 2.3, which does not allow code execution on the stack. After Android 4.0, the Address Space Layout Randomization (ASLR) function was added to prevent memory-related attacks.
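The per-application user ID and file permission model described above can be checked on an extracted app data directory. The following is an added example, not part of the original notes: it flags files that any other UID could read or write, and the directory layout and file names are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_private_dir(root):
    """Return sorted (relative_path, issue) pairs for entries other UIDs can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:    # "other" write bit set
                findings.append((rel, "world-writable"))
            elif st.st_mode & stat.S_IROTH:  # "other" read bit set
                findings.append((rel, "world-readable"))
    return sorted(findings)

def build_sample(root):
    """Create a constructed app-data tree used only to exercise the audit."""
    layout = [
        ("databases/app.db", 0o600),          # owner only: expected default
        ("shared_prefs/session.xml", 0o660),  # owner + group (same application ID)
        ("files/export.csv", 0o644),          # readable by every other app
        ("files/cache.tmp", 0o666),           # readable and writable by every app
    ]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o700)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, issue in audit_private_dir(tmp):
            print(f"{issue:15} {rel}")
```

Files reported here are the ones that fall outside the "same application ID" rule, because the "other" permission bits grant access regardless of which application owns them.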
3. iOS system security and protection mechanism
1. Overview of iOS system components
The system architecture of iOS is divided into four levels: Core OS Layer, Core Services Layer, Media Layer and Cocoa Touch Layer.
(1) Cocoa Touch layer.
(2) Media layer. Provides technology for audiovisual aspects of applications.
(3) Core service layer, which provides basic system services required by applications, such as accounts, data storage, network connections, geographical location, motion framework, etc.
(4) Core operating system layer. Provide local authentication, security, external access, system and other services.
2. iOS system security mechanism
The security architecture of the iOS platform can be divided into hardware, firmware, and software.
The hardware and firmware layers consist of device keys, device group keys, the Apple root certificate, the encryption engine, and the kernel.
The software layer consists of the file system, operating system partition, user partition, application sandbox and data protection class.
Based on this overall security architecture, Apple has integrated a variety of security mechanisms to protect the security of the iOS platform. The main security mechanisms are as follows:
(1) Secure boot chain. The security of the iOS platform relies on the security of the boot chain. To prevent hackers from attacking the boot process, the components used in the iOS boot process require integrity verification, ensuring that the transfer of trust is controllable. iOS boot process: after an iOS device is turned on, its application processor immediately executes the code in read-only memory (also called the boot ROM). This unchangeable code is set when the chip is manufactured and is implicitly trusted. The boot ROM code contains the Apple root CA public key, which is used to verify that the low-level boot loader (LLB) is signed by Apple and to decide whether to allow it to load. After leaving the boot ROM, the boot path splits into two execution paths: one is a normal boot; the other is the device firmware update mode, which is used to update the iOS image.
(2) Data protection. A data protection API is provided to address the risk of data leakage caused by mobile devices being lost or stolen. The API makes it as easy as possible for application developers to adequately protect sensitive user data stored in files and keychain items.
(3) Data encryption and protection mechanism. All user data in iOS is compulsorily encrypted (no user settings are required). Apple's AES encryption and decryption engine is implemented in hardware and is located in the DMA path between storage and the system. All data entering and leaving storage must be encrypted and decrypted by hardware, which provides higher efficiency and performance. In addition, iOS provides a data protection method called File Data Protection. Each file is encrypted with a different key. These keys are called Profile Keys and are stored in the Metafile.
(4) Address space layout randomization. ASLR technology is used to ensure that the locations of iOS binary files, library files, dynamic link files, and stack and heap memory addresses are randomly distributed, thereby enhancing attack resistance.
(5) Code signing. To prevent application attacks, the iOS system requires that all executable programs must be signed with a certificate issued by Apple.
(6) Sandbox mechanism. Through the sandbox mechanism, the malicious behavior of a process can be restricted.
4. Mobile application security protection mechanisms and technical solutions
1. Mobile App Security Risks
Mobile apps are vulnerable to security threats such as decompilation, debugging, tampering, and data theft.
2. Mobile App Security Reinforcement
1||| Anti-decompilation. Encrypt mobile application files to prevent attackers from using static decompilation tools. Code obfuscation for mobile applications makes it more difficult for crackers to read the code. Common obfuscation methods include name obfuscation, control obfuscation, computation obfuscation, etc.
2||| Anti-debugging. The application includes a debugging detection function that triggers anti-debugging protection measures, such as clearing user data, reporting the status of the device on which the program is running, prohibiting the use of certain functions, or even exiting directly.
3||| Anti-tampering. Through digital signatures and multiple-verification protection methods, verify the integrity of mobile applications and prevent mobile application APKs from being repackaged and pirated.
4||| Anti-theft: Encrypt local data files and network communications related to mobile applications to prevent data from being stolen.
3. Mobile App Security Detection
Common network security detection items for mobile Apps: identity authentication mechanism detection; communication session security mechanism detection; sensitive information protection mechanism detection; log security policy detection; transaction process security mechanism detection; server authentication mechanism detection; access control mechanism detection; data anti-tampering capability detection; SQL injection capability detection; anti-phishing security capability detection; App security vulnerability detection.
The "Information Security Technology Basic Specifications for Collection of Personal Information by Mobile Internet Applications (App) (Draft)" gives, for the permissions that can collect personal information in Android 6.0 and above, the minimum necessary permission reference range by service type. The specific requirements are: ① Map navigation: location permission, storage permission; ② Online ride-hailing: location permission, permission to make phone calls; ③ Instant messaging: storage permission; ④ Blog forum: storage permission; ⑤ Online payment: storage permission; ⑥ News information: none; ⑦ Online shopping: none; ⑧ Short video: storage permission; ⑨ Express delivery: none; ⑩ Food delivery: location permission, call permission; ⑪ Transportation ticketing: none; ⑫ Dating: storage permission; ⑬ Job recruitment: storage permission; ⑭ Financial lending: storage permission; ⑮ House rental and sale: storage permission; ⑯ Second-hand car transaction: storage permission; ⑰ Sports and fitness: location permission, sensor permission; ⑱ Consultation and registration: storage permission; ⑲ Web browser: none; ⑳ Input method: none; ㉑ Security management: storage permission, obtaining application accounts, obtaining phone status permission, SMS permission.
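The minimum necessary permission list above can be turned into an automated manifest check. The following is an added example, not part of the original notes or of the draft specification: it reports dangerous permissions that an app declares beyond the baseline for its service type. The mapping from the draft's wording to concrete `android.permission.*` names is an assumption, and the manifest is a constructed sample in decoded text form.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping of the draft's wording to Android dangerous permissions.
GROUPS = {
    "location": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
    "storage": ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"],
    "phone_call": ["CALL_PHONE"],
    "sensor": ["BODY_SENSORS"],
    "accounts": ["GET_ACCOUNTS"],
    "phone_state": ["READ_PHONE_STATE"],
    "sms": ["SEND_SMS", "RECEIVE_SMS", "READ_SMS"],
    "contacts": ["READ_CONTACTS", "WRITE_CONTACTS"],  # in no baseline
    "camera": ["CAMERA"],                             # in no baseline
}
PERM_TO_GROUP = {P + n: g for g, names in GROUPS.items() for n in names}

# Minimum necessary permission groups per service type, as listed on the page.
_BY_GROUPS = {
    (): ["news information", "online shopping", "express delivery",
         "transportation ticketing", "web browser", "input method"],
    ("storage",): ["instant messaging", "blog forum", "online payment",
                   "short video", "dating", "job recruitment",
                   "financial lending", "house rental and sale",
                   "second-hand car transaction",
                   "consultation and registration"],
    ("location", "storage"): ["map navigation"],
    ("location", "phone_call"): ["online ride-hailing", "food delivery"],
    ("location", "sensor"): ["sports and fitness"],
    ("storage", "accounts", "phone_state", "sms"): ["security management"],
}
BASELINE = {s: set(g) for g, svcs in _BY_GROUPS.items() for s in svcs}

def audit_manifest(manifest_xml, service_type):
    """Return sorted (permission, group) pairs beyond the service baseline."""
    allowed = BASELINE[service_type]
    excess = set()
    root = ET.fromstring(manifest_xml)
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            group = PERM_TO_GROUP.get(name)  # None: not a tracked dangerous permission
            if group is not None and group not in allowed:
                excess.add((name, group))
    return sorted(excess)

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
```

Calling `audit_manifest(SAMPLE, "news information")` flags both the location and the contacts permission, while the same manifest audited as "map navigation" leaves only the contacts permission as excess.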
5. Mobile application security comprehensive application case analysis
1. Financial mobile security
Common security risks include Trojans controlling users’ mobile phones, phishing apps capturing user account information, and stealing and transferring user funds.
Security protection plan
1||| Implement mobile app security development management. Provide consulting services for financial business security needs to help customers understand potential security risks and optimize business design. When designing an app, consider application security issues. Conduct mobile security programming training to cultivate security awareness. The App adds security protection functions and provides security SDKs and components such as secure soft keyboard, anti-interface motion control, SMS protection, and site clearance. Conduct security checks and risk inspections on mobile application source code to reduce security vulnerabilities in App code and detect financial business security risks early.
2||| The mobile App network communication content is securely encrypted and protected, and the mobile App application communication protocol is encrypted and protected.
3||| Mobile App security reinforcement. Perform security reinforcement on the App, such as dex encryption, smali process obfuscation, so file encryption, key function encryption, and add anti-debugging and decompilation functions.
4||| Mobile App security evaluation. Provide penetration testing services for mobile applications to discover security vulnerabilities in mobile applications and avoid security risks. Mobile App security monitoring.
5||| Phishing monitoring and response: Monitor and respond to counterfeiting and phishing apps, and quickly contact channels to remove counterfeit and phishing apps to avoid security impacts.
6||| App vulnerability monitoring and response, monitor new and emerging vulnerabilities in mobile devices, mobile applications, servers, etc., and avoid vulnerability risks in a timely manner. Piracy monitoring and response, monitor pirated applications appearing on App application distribution channels, and remove pirated applications at any time.
7||| Mobile threat security situational awareness.
2. Carrier Mobile Security
Security threats
1||| Account and password secret capture.
2||| Exploit.
3||| Malicious code.
4||| Malicious brushing of orders and orders, forging a large number of false identities/stealing real user identities to automatically wash orders and orders in large quantities.
5||| Denial of service attack.
6||| Billing SDK cracking, through decompilation, cracking and other means, shields and cracks the operator's mobile application billing SDK.
7||| Phishing attacks. Counterfeit genuine phishing mobile applications, etc.
8||| Social engineering library fraud involves collecting user information through pirated and high-imitation applications, as well as other leaked social engineering libraries, to defraud users.
Security protection plan
1||| Reinforce operator apps and all third-party apps promoted through the operator app market.
2||| Provides virus, Trojan, and malicious code detection services for third-party Apps submitted to the operator's application market.
3||| Provides reinforcement protection services based on anti-debugging, anti-tampering, and anti-cracking for the operator's billing SDK.
4||| Encrypt the operator's communication protocols and certificates.
5||| Provides threat situation awareness services based on mobile applications, providing real-time warnings of abnormal traffic, intrusion attacks, risky apps, etc. connected to the network.
3. Mobile office security
Mobile office mainly faces the following risks:
1||| The device is missing.
2||| Information leakage.
3||| Malicious attack. Implant malicious programs to conduct intrusion attacks on organizational servers.
4||| Shared access. Employees share devices, account passwords, and leak organizational confidential information.
5||| WiFi monitoring, access to phishing hotspots, communication data is hijacked and monitored.
In response to mobile office security issues, security vendors have proposed technical solutions such as mobile device secure access, mobile device security management, mobile malicious code prevention, and mobile App security reinforcement.
360 mobile terminal security management system solution
The 360 Tianji mobile terminal security management system consists of two parts: a security management platform and a mobile client. Through the management platform, terminals equipped with the mobile client are securely managed, and services such as terminal peripheral management, configuration push, and system parameter adjustment are provided. At the same time, combined with the administrator-controllable security policy mechanism, it achieves more comprehensive security management and control features and solves the problems of data security and device management encountered by organizations during mobile office operations.