A Brief Analysis of Mobile APP Security and Compliance Testing Technology

1. Regulatory agencies and policies

To ensure that an app is safe and compliant, you first need to understand the relevant policies and regulations. Which regulatory agencies are mainly involved in app compliance supervision for enterprises? Four departments, the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and the State Administration for Market Regulation, jointly organized a nationwide special campaign against the illegal and irregular collection and use of personal information by apps. In day-to-day app development, the issue most often encountered is a security rectification notice from the MIIT.

Common laws and regulations include the "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China", "Information Security Technology Personal Information Security Specification", "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications", etc.

Figure 1: Laws and regulations related to mobile security

In recent years, the MIIT has continuously carried out special rectification actions against apps that infringe on user rights. The rectification targets fall into three categories: App service providers (i.e. application software, including new application forms such as quick apps and mini-programs), software development kit (SDK) providers, and application distribution platforms.

The following is a classification of typical App violations:

  • Illegal collection of user personal information: "undisclosed collection of personal information" and "collecting personal information beyond the stated scope";
  • Illegal use of user personal information: "privately sharing personal information with third parties" and "forcing users to accept targeted push";
  • Unreasonable requests for user permissions: "refusing to work unless a permission is granted", "frequent permission requests" and "excessive permission requests";
  • Setting obstacles to user account cancellation: "account cancellation is difficult".

2. Detection methods

In addition to the MIIT's regular spot checks, the self-check methods available for App security compliance testing include manual testing, purchasing third-party App vulnerability scanning tools (current third-party vulnerability scanning products include iEncrypt, Bangbang, 360, etc.), and open source third-party tool kits used as auxiliary checks. By technical form they can be divided into static detection solutions and dynamic detection solutions, which are briefly introduced below.

2.1 Static Detection Solution

The static detection solution is based on decompilation. It decompiles the mobile application's installation package into code files and scans and verifies them one by one; the static scan mainly covers configuration files, source code files, resource files and native .so libraries. It detects sensitive permission requests and privacy-related API calls in the mobile application and generates an accurate, visual security report.

The following tools are commonly used in this field:

✔ Apktool: Decodes an Android APK (resources and AndroidManifest.xml, with classes.dex disassembled to smali) and repackages the APK after modifications.

✔ dex2jar: Converts classes.dex into a jar of .class files; a Java decompiler (for example jd-gui or CFR) is then used to turn the jar into readable Java source.

✔ baksmali: Disassembles dex files into smali files.

Using the above tools, developers can formulate corresponding security detection items based on security and privacy specifications, and use scripts to detect existing security and privacy issues.

The following are typical sensitive APIs in the Android system:

Figure 2 Typical sensitive APIs on Android

Advantages: fast detection, strong versatility and simple technology.

Disadvantages: it can only show that a sensitive API or permission is present in the code, not whether and when it is actually invoked at runtime (for example before or after the user accepts the privacy policy), so it cannot determine compliance on its own; and it does not work on hardened (reinforced) apps, where the real dex code is encrypted or loaded dynamically and is not visible to decompilation.

2.2 Dynamic Detection Solution

Through packet capture and a Hook sandbox or operating system sandbox, specific APIs (see the sensitive functions above) are traced while the App runs, to check whether the App actually executes the traced APIs and thereby determine whether it is compliant.

➪ Application Scenarios


  • By capturing packets, check whether sensitive data appears in network traffic before the user agrees to the Privacy Policy.
  • Through Hook technology, trace the sensitive functions and check whether any of them is executed before the user agrees to the Privacy Policy.
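The first scenario can be turned into a repeatable offline check. The Python script below is an added example, not code from the article: it reads request entries shaped like a HAR export (Charles, Fiddler and Burp Suite can all save one), percent-decodes the URL, headers and body, looks for common device identifiers, and flags every request sent before the moment the tester accepted the privacy policy. The capture entries, the consent timestamp and the hostnames are constructed for the example.

```python
"""Added example, not code from the article: an offline check for the first
scenario above. It reads request entries shaped like a HAR export, decodes URL,
headers and body, looks for common device identifiers, and flags anything sent
before the user accepted the privacy policy. All data below is constructed."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Moment the tester tapped "Agree" on the privacy policy (constructed).
CONSENT_AT = datetime(2023, 5, 1, 10, 0, 5, tzinfo=timezone.utc)

# Constructed capture: three requests in the shape of HAR "entries".
CAPTURE = [
    {"startedDateTime": "2023-05-01T10:00:01Z",
     "request": {"method": "POST", "url": "https://sdk.example.com/v1/init",
                 "headers": [{"name": "X-Device-Id", "value": "e7f3a9c4b1d2e0f5"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "imei=490154203237518&mac=AC%3ADE%3A48%3A00%3A11%3A22&app=demo"}}},
    {"startedDateTime": "2023-05-01T10:00:03Z",
     "request": {"method": "GET", "url": "https://cdn.example.com/config.json",
                 "headers": [], "postData": {}}},
    {"startedDateTime": "2023-05-01T10:00:09Z",
     "request": {"method": "GET",
                 "url": "https://api.example.com/report?lat=31.2304&lng=121.4737",
                 "headers": [], "postData": {}}},
]


def luhn_ok(digits):
    """Luhn check so a random 15-digit number is not reported as an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (label, pattern, optional validator). The Android ID pattern is deliberately
# loose (any 16 lowercase hex chars) and needs triage on real captures.
DETECTORS = [
    ("IMEI", re.compile(r"(?<!\d)\d{15}(?!\d)"), luhn_ok),
    ("MAC address", re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"), None),
    ("Android ID", re.compile(r"\b[0-9a-f]{16}\b"), None),
    ("CN mobile number", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), None),
    ("GPS coordinate",
     re.compile(r"\b(?:lat|latitude|lng|lon|longitude)=-?\d{1,3}\.\d+", re.I), None),
]


def request_text(entry):
    """Everything the server would see, percent-decoded so the regexes match."""
    req = entry["request"]
    parts = [unquote_plus(req["url"])]
    parts += [f"{h['name']}: {h['value']}" for h in req.get("headers", [])]
    body = req.get("postData", {}).get("text")
    if body:
        parts.append(unquote_plus(body))
    return "\n".join(parts)


def find_identifiers(text):
    return [(label, m.group(0)) for label, rx, check in DETECTORS
            for m in rx.finditer(text) if check is None or check(m.group(0))]


def audit(entries, consent_at):
    """Every request carrying an identifier, flagged if sent before consent."""
    findings = []
    for e in entries:
        hits = find_identifiers(request_text(e))
        if not hits:
            continue
        sent = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        findings.append({"time": e["startedDateTime"], "url": e["request"]["url"],
                         "before_consent": sent < consent_at, "identifiers": hits})
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURE, CONSENT_AT):
        tag = "VIOLATION (before consent)" if f["before_consent"] else "after consent"
        print(f"{f['time']} {f['url']} {tag}: {f['identifiers']}")
```

On a real capture, pass `json.load(har_file)["log"]["entries"]` as `entries` and take the consent time from the proxy's timeline at the moment the dialog was accepted. Plain-text matching only catches what is sent in the clear at the HTTP layer: many SDKs encrypt or encode the request body, which is exactly why the Hook scenario is needed alongside packet capture.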

➪ Tool Recommendations


  • Packet capture tools: Burp Suite, Charles, Fiddler, etc.
  • Hook frameworks: Frida, Xposed, etc.

Advantages: high confidence in results (a traced call is an observed execution, not an inference), and hardening does not interfere, because hooks act on the code the App actually loads at runtime; note that coverage is limited to the code paths actually exercised during the test.

Disadvantages: complex technology and poor versatility.

3. Normalized self-inspection and anti-regression technology

Conventional detection methods work from the installation package and are suited to third-party testing. Their technical means are limited, and they cannot detect security compliance issues efficiently and thoroughly. Manual packet capture is time-consuming and has low coverage. The system Hook approach usually requires a rooted phone, and as mobile security has advanced, rooting a phone is no longer easy and is costly. Neither is suitable for normalized (routine) security compliance self-inspection.

For large apps, the business logic is complex and many third-party SDKs are integrated, so mistakes during development are inevitable. Conventional detection methods are hard to apply exhaustively and cannot be run routinely (the number of inspections by the MIIT and third-party organizations is limited). Compared with APK-based self-inspection, developers have one significant advantage: they have access to the source code and can freely insert custom security detection logic at various stages such as compilation. On this basis, App development can achieve deeper and more thorough security compliance self-inspection and effectively protect user privacy and security.

The following two routine, in-depth security compliance self-inspection solutions are proposed on the basis of source code access. By technical form, they can still be divided into a static detection mode and a dynamic detection mode.

The solution's static detection capability is based on Python scripts. It lists all third-party SDKs referenced by the App and quickly detects the privacy permissions, network requests, privacy APIs and vulnerable API calls in each SDK, which helps developers quickly rectify the issues raised in MIIT security reviews. The overall implementation idea:

1️⃣ Based on the App's dependency tree, a depth-first traversal quickly finds the list of all SDKs referenced by the App, together with the AndroidManifest.xml, jar and .so files used by each SDK.

2️⃣ Use the decompiler cfr to convert each jar into Java files, and use the dx tool (or its successor d8) to convert the jar into a dex file; then use baksmali to convert the dex file into smali files.

3️⃣ Read the JSON configuration holding the policy codes, privacy-code detection strategies and policy descriptions and suggestions. Analyze the permissions and related package information declared in each AndroidManifest.xml one by one, and, based on the Java and smali files, complete the analysis of network requests, privacy APIs and vulnerable API calls.

4️⃣ Integrate the analysis results and output the corresponding test report. Developers conduct self-inspection and rectification based on the report.
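The core of steps 3 and 4 (and of the static scan described in section 2.1) is matching decompiled output against a configurable list of sensitive permissions and privacy APIs. The Python script below is an added example, not the article's own tooling: it takes what steps 1 and 2 would produce for one SDK (its AndroidManifest.xml plus baksmali output), reads a JSON policy in the same spirit as the article's configuration file, and reports each sensitive permission and each privacy-API call site with a class.method path and line number. The SDK package name, manifest, smali listings and policy entries are all constructed for the example.

```python
"""Added example, not the article's own script: a small JSON-driven static
privacy scanner for steps 3 and 4 above. It takes what steps 1-2 would yield
for one SDK (AndroidManifest.xml plus baksmali output) and reports sensitive
permissions and each call site of a configured privacy API. All inputs are
constructed inline so the script runs offline."""
import json
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Policy in the spirit of the article's JSON file; signatures are in smali
# notation so they can be matched against invoke lines verbatim.
POLICY_JSON = r"""{
  "sensitive_permissions": ["android.permission.READ_PHONE_STATE",
                            "android.permission.ACCESS_FINE_LOCATION"],
  "privacy_apis": [
    {"sig": "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
     "desc": "reads IMEI"},
    {"sig": "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;",
     "desc": "reads last known location"}
  ]
}"""

# Constructed manifest of a hypothetical SDK.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adsdk">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed baksmali output for two classes of that SDK.
SMALI_FILES = {
    "com/example/adsdk/DeviceInfo.smali": """\
.class public Lcom/example/adsdk/DeviceInfo;
.method public static collect(Landroid/content/Context;)Ljava/lang/String;
    .locals 2
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v0
    check-cast v0, Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    return-object v1
.end method
""",
    "com/example/adsdk/Geo.smali": """\
.class public Lcom/example/adsdk/Geo;
.method public locate(Landroid/location/LocationManager;)Landroid/location/Location;
    .locals 1
    const-string v0, "gps"
    invoke-virtual {p1, v0}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    move-result-object v0
    return-object v0
.end method
""",
}

CLASS_RE = re.compile(r"^\s*\.class\s+(?:[\w-]+\s+)*(L[^\s;]+;)\s*$")
METHOD_RE = re.compile(r"^\s*\.method\s+(?:[\w-]+\s+)*(\S+)\s*$")
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*(\S+)\s*$")


def scan_manifest(xml_text, policy):
    """Declared permissions, and which of them the policy marks as sensitive."""
    root = ET.fromstring(xml_text)
    declared = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    wanted = set(policy["sensitive_permissions"])
    return {"package": root.get("package"), "permissions": declared,
            "sensitive": [p for p in declared if p in wanted]}


def scan_smali(path, text, policy):
    """Track the enclosing class/method and record every invoke of a policy API."""
    rules = {r["sig"]: r["desc"] for r in policy["privacy_apis"]}
    findings, cls, method = [], None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := CLASS_RE.match(line):
            cls = m.group(1)[1:-1].replace("/", ".")   # Lcom/a/B; -> com.a.B
        elif m := METHOD_RE.match(line):
            method = m.group(1).split("(", 1)[0]
        elif line.strip() == ".end method":
            method = None
        elif (m := INVOKE_RE.match(line)) and m.group(1) in rules:
            findings.append({"file": path, "line": lineno, "api": m.group(1),
                             "caller": f"{cls}.{method}", "desc": rules[m.group(1)]})
    return findings


def build_report(manifest_xml, smali_files, policy_json):
    policy = json.loads(policy_json)
    calls = [f for path, text in smali_files.items()
             for f in scan_smali(path, text, policy)]
    return {"manifest": scan_manifest(manifest_xml, policy), "api_calls": calls}


def render(report):
    """Plain-text report carrying the call path a developer needs to fix the issue."""
    m = report["manifest"]
    lines = [f"SDK {m['package']}: sensitive permissions {m['sensitive']}"]
    lines += [f"[{f['desc']}] {f['caller']} -> {f['api']} ({f['file']}:{f['line']})"
              for f in report["api_calls"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(MANIFEST_XML, SMALI_FILES, POLICY_JSON)))
```

In a real pipeline the dictionary of smali files would be filled by walking each SDK's baksmali output directory from step 2, and the policy would be the project's JSON configuration; adding a new privacy API is then a one-line change to that file rather than to the scanner.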

The flowchart and privacy policy configuration are shown in Figure 3 and Figure 4:


Figure 3: Normalized static safety testing process


Figure 4 Privacy policy configuration file

This solution has two major advantages. First, it can quickly scan the App and output a security detection report that includes a detailed call path for each security issue, which simplifies subsequent fixing. Second, it is driven by a configurable privacy policy: privacy APIs, sensitive APIs and so on are defined in JSON, so it is easily extended.

The solution's routine dynamic detection capability is based on compile-time instrumentation using Gradle Transform + ASM + Hook + dynamic proxy, delivered as a Gradle plugin for security and privacy detection. As part of the compilation task it performs global instrumentation of sensitive APIs, privacy permission requests and network requests, and outputs the call stack at each hit for easy troubleshooting. It modifies bytecode directly with the ASM bytecode manipulation framework during compilation, so it has good compatibility and can hook the entire project seamlessly. The following is an example code snippet that hooks the sensitive API "getDeviceId". The references at the end describe the instrumentation technique in more detail, so it is not covered further here.

Figure 5 Hook sensitive API code snippet




4. Conclusion

In the era of big data, everyone's online portrait is "digitalized". In recent years, Apps have become the focus of personal information supervision, and the MIIT has continuously carried out special rectification actions against Apps that infringe on user rights. Developers must not only raise their awareness of security and compliance, but also build a complete compliance testing system to effectively protect user information security and support the healthy development of Apps.

References

[1] https://mp.weixin.qq.com/s/rCfUAB_xqSdZ3P0x5kLNkw

[2] http://www.gov.cn/zhengce/zhengceku/2020-08/02/content_5531975.htm
