Exploiting the account-opening function: how should a bank App protect its data security?

In October 2019, Tianmou, born after 2000, was convicted of the crime of illegally obtaining data from computer information systems, sentenced to three years' imprisonment and fined ten thousand yuan. Tianmou only has a junior high school education but a very strong talent for computers. Between January 5 and January 15, 2019, using packet-capture software, a Photoshopped ID card, packet replay and other means, he registered Class II and Class III bank accounts with false identity information in a bank's mobile banking App and sold them illegally for profit.

Case analysis

Many readers will wonder how the bank App was defeated step by step through packet capture, a forged ID and packet replay, allowing the attacker to profit. Let's analyze the specific process:

  • First, using his own genuine ID card information, Tianmou went through the normal account registration flow and used packet-capture software to intercept and save the authentication packet returned by the bank's face-recognition system.

  • Second, at the step of entering the password to open the card, Tianmou navigated the App back to the first step (uploading the ID card photo), entered the forged identity card information, and proceeded from that step into face-recognition authentication.

  • Finally, Tianmou uploaded the previously intercepted authentication packet (which contained his own identity information) for verification. The banking system mistakenly compared the identity only against that part of the information, so his face was successfully verified and he could complete registration of a bank account with the forged identity information.
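The root cause in the steps above is that the bank accepted a face-verification result that was not bound to the identity document it was supposed to vouch for, so a packet captured in one session could be reused in another with different ID details. The following is an added defensive example (not code from the bank, Alipay or mPaaS) of how a server can bind each verification result to the session and to a fingerprint of the submitted ID details, sign it with a server-held key, and accept it only once. All names, keys and ID numbers are constructed for the example.

```python
"""Server-side binding of a face-verification result to the identity
claim it vouches for. Constructed example; not the bank's or mPaaS's code."""
import hashlib
import hmac
import json
import os
import secrets
import time

SERVER_KEY = os.urandom(32)   # constructed; a real deployment would keep this in an HSM/KMS


def id_fingerprint(id_number: str, name: str) -> str:
    """Hash of the identity document details the face check was run against."""
    return hashlib.sha256(f"{id_number}|{name}".encode()).hexdigest()


class VerificationServer:
    def __init__(self, key: bytes = SERVER_KEY, ttl: int = 300):
        self.key = key
        self.ttl = ttl          # seconds a verification result stays valid
        self.used = set()       # nonces of results already consumed

    def issue_face_result(self, session_id, id_number, name, face_matched, now=None):
        """Called after face recognition / liveness. Returns a signed, bound result."""
        payload = {
            "sid": session_id,
            "idf": id_fingerprint(id_number, name),
            "ok": bool(face_matched),
            "exp": int((now if now is not None else time.time()) + self.ttl),
            "nonce": secrets.token_hex(8),
        }
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"body": body.decode(), "tag": tag}

    def open_account(self, session_id, id_number, name, face_result, now=None):
        """Final account-opening step. Returns (accepted, reason)."""
        now = now if now is not None else time.time()
        body = face_result["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, face_result["tag"]):
            return False, "tampered result"
        p = json.loads(body)
        if p["exp"] < now:
            return False, "expired"
        if p["sid"] != session_id:
            return False, "result belongs to another session"
        if p["idf"] != id_fingerprint(id_number, name):
            return False, "identity document changed after face check"
        if not p["ok"]:
            return False, "face check failed"
        if p["nonce"] in self.used:
            return False, "replayed result"
        self.used.add(p["nonce"])
        return True, "account opened"


def demo():
    """Legitimate flow, then the three misuse patterns from the case, as constructed data."""
    srv = VerificationServer()
    real_id, real_name = "000000000000000001", "Real Person"       # constructed
    fake_id, fake_name = "000000000000000002", "Forged Person"     # constructed
    result = srv.issue_face_result("sess-A", real_id, real_name, True)
    legit = srv.open_account("sess-A", real_id, real_name, result)
    # captured result reused in a new registration session with forged ID details
    cross_session = srv.open_account("sess-B", fake_id, fake_name, result)
    # same session, but ID details swapped after the face check
    swapped_id = srv.open_account("sess-A", fake_id, fake_name, result)
    # exact replay of an already-consumed result
    reused = srv.open_account("sess-A", real_id, real_name, result)
    return legit, cross_session, swapped_id, reused


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check that matters most for this case is the fingerprint comparison: whatever ID details arrive at the final step must be the same ones the face-recognition step actually verified, otherwise the result is rejected regardless of whether the packet itself is genuine.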


Client App data security is urgent

How should we re-examine data security on the client side? The client-side ("end security") mechanism designed by Alipay may offer some new inspiration.

App security design

Alipay has built a multi-level security mechanism to prevent the App from being tampered with or attacked. It is broadly divided into three levels: the "local" level, the "runtime" level and the "App" level. At the local level, binary protection is achieved through code obfuscation, encryption and other means; at the runtime level, data leakage is prevented by the "security black box", which creates a secure environment, together with data encryption; at the App level, secure data storage, secure signatures and other means fully ensure the stable operation of business functions.


Secure transmission and storage of client App data

Signing and verifying client data in transit at a fine granularity has long been a challenge. With the "security black box", Alipay now stores application-level data such as the AppSecret in encrypted form, and signs all kinds of top-level business interface data that we package.

Keys generated by the application are stored discretely and protected with public-key and secret-key encryption, and the security black box on the client ensures the security of the encryption keys. The black box itself is protected by code obfuscation and multiple anti-debugging mechanisms, which greatly improves its security guarantees.

In addition, the anti-debugging technology underlying the security black box defeats dynamic debugging with common tools such as GDB and IDA Pro, while export-table obfuscation, junk instructions and similar techniques greatly raise the difficulty of statically analyzing the application. Combining static and dynamic protection in this way, client data transmission and storage can be fully protected.

User information verification

With the continuous increase in the computing power of terminal devices, mobile devices can now perform very complex computations on their powerful CPUs and GPUs. This has given rise to a series of on-device mobile AI engines, such as Alipay's xNN, which help further strengthen intelligent user identity verification.

Combined with the characteristics of financial business, intelligent services such as bank card and ID card OCR recognition, face recognition and liveness detection have handled nearly 200 million user identity verifications, with high recognition accuracy and speed and a rich set of modules; they have also been opened up in Alipay mini programs.

App Lifecycle Protection

Client App security actually spans the App's development, release and use, with a one-stop solution. In the development stage, it provides secure development and data security capabilities such as code obfuscation, data encryption and database encryption; in the release stage, it provides App hardening capabilities such as DEX packing, SO packing, anti-decompilation and anti-repackaging to raise the overall security level of the App; in the use stage, API signing, API data encryption and other means protect the integrity and security of data, while a secure keyboard with encryption protects the information entered by the user.
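The "API signing" step of the use stage is where a gateway decides whether a request really came from an intact client and has not been captured and resent. The following is an added illustration of that idea (example code, not mPaaS's implementation): the client signs a canonical form of each request with a per-installation key, and the gateway verifies the signature, rejects timestamps outside a skew window, and rejects nonces it has already seen within that window. The key, paths and request bodies are constructed for the example; in a real deployment the client key would live in protected storage such as the security black box described above.

```python
"""Request signing with a freshness window and nonce cache.
Constructed example; not mPaaS's code."""
import hashlib
import hmac
import secrets
import time

CLIENT_KEY = secrets.token_bytes(32)   # constructed per-installation key
SKEW = 60                               # seconds of clock skew tolerated


def canonical(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """The exact bytes both sides sign: method, path, timestamp, nonce, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, ts=None, nonce=None) -> dict:
    """Client side: returns the headers to attach to the request."""
    ts = int(ts if ts is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Gateway:
    def __init__(self, key: bytes, skew: int = SKEW):
        self.key = key
        self.skew = skew
        self.seen = {}   # nonce -> timestamp, pruned to the skew window

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None):
        """Server side: returns (accepted, reason)."""
        now = now if now is not None else time.time()
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        if abs(now - ts) > self.skew:
            return False, "timestamp outside window"
        expected = hmac.new(self.key, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # drop nonces that can no longer pass the timestamp check, then detect replay
        cutoff = now - self.skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Fresh request, exact replay, body tampering, and a stale request (constructed)."""
    gw = Gateway(CLIENT_KEY)
    body = b'{"to":"acct-1","amount":100}'
    headers = sign_request(CLIENT_KEY, "POST", "/api/transfer", body, ts=1_000_000)
    fresh = gw.verify("POST", "/api/transfer", body, headers, now=1_000_010)
    replay = gw.verify("POST", "/api/transfer", body, headers, now=1_000_020)
    tampered = gw.verify("POST", "/api/transfer", b'{"to":"acct-1","amount":9999}', headers, now=1_000_010)
    stale = sign_request(CLIENT_KEY, "POST", "/api/transfer", body, ts=1_000_000)
    late = gw.verify("POST", "/api/transfer", body, stale, now=1_000_500)
    return fresh, replay, tampered, late


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the body hash is part of the signed string, the signature also covers the request content, so "API signing" and "API data integrity" are the same check here; the nonce cache only needs to remember values for as long as the timestamp window allows them to be valid.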


mPaaS client App security capabilities

As the mobile development platform that originated from Alipay, mPaaS has consolidated Alipay's financial-grade client security capabilities. It not only improves service quality when an App faces peak traffic and availability challenges under weak network conditions; its ability to identify risky network requests is also at the forefront of the industry. Currently, with its client hardening technology and security black box, mPaaS protects the code security of the mobile terminal and the security of its data and network layers, providing signing, encryption and so on, while the gateway can identify the client environment and intercept suspicious requests.


This aligns with the "Mobile banking client application software security management practices" issued by the People's Bank of China in September 2019, which sets explicit requirements for client applications in data security, authentication security, functional security design, password and key management, secure input and anti-attack capability, covering the entire life cycle of client application design, development, distribution, operation and maintenance.

The mPaaS product has passed the security evaluation of the China Financial Certification Center and serves more than 2,000 customers in banking, securities, government, transportation and other industries. At the same time, mPaaS provides comprehensive client security solutions that help enterprises build truly secure and stable mobile applications, so that technology-driven business innovation brings a better experience.

Source: blog.51cto.com/14164343/2477199