[51CTO.com original article] The widespread adoption of smartphones has driven the rapid development of the mobile Internet, and feature-rich apps of all kinds have entered our lives, bringing convenience. At the same time, app hardening has become an essential requirement. Effective hardening guards against cracking, piracy, repackaging, injection, decompilation and similar risks, and improves the security and stability of the app.

Some people still think that iOS code does not need to be hardened, because the closed nature of the Apple system makes apps on iOS relatively secure. In fact, cracking iOS applications is not difficult, and both individual developers and large companies need to protect their code.

Recently, the Digital Alliance iOS hardening product team gave 51CTO an exclusive interview. The conversation covered the evolution of application hardening technology, the shortcomings of the iOS application hardening methods commonly used in the industry, and "Digital Shield", an iOS application hardening product developed using a binary-level approach.

The Evolution of Application Hardening Technology

Application hardening is not a new technology. It existed before the rise of the mobile Internet, when its main purpose was to prevent PC applications from being cracked or stolen. To protect their copyright, software developers chose various methods to protect their software. Common key-based hardening schemes were at first implemented purely in software and were later combined with hardware for verification and authentication, to increase the strength of the hardening.

With the spread of smartphones and the growing maturity of the Android system, the ranks of app developers have gradually grown, falling mainly into two camps, iOS and Android, which correspond to the .ipa and .apk file formats respectively.
After the XcodeGhost incident, people began to pay more attention to app security. From the development perspective, source code security is a matter of code auditing; from the software protection perspective, securing an app means obfuscating the source code, encrypting resources and hardening the logic; from the user's perspective, it is the security of the app itself: whether it will cause loss of personal privacy or property, and whether it is a trustworthy third-party platform.

Android applications have emerged in large numbers, and the corresponding hardening technologies have sprung up with them. There are two main reasons. First, the user base is huge. Second, the programming model is very high-level. Before the rise of Android, software was usually written in compiled languages such as C and C++, and once it had been compiled to a binary it was relatively difficult for counterfeiters to crack. Android initially chose the Java language for upper-layer application development. Java is standardized and highly transparent, so security is naturally lower. Counterfeiters can easily understand the application developer's self-check code, the virtual machine and other specifications, so cracking is relatively easy. Android hardening technology has gone through several key iterations:
Shortcomings of common iOS application hardening technologies in the industry

What users fundamentally want from app hardening is that, whatever means are used, analysis and debugging become harder without affecting the product's functionality.
Zhang Yuping, CTO of Digital Alliance, said that after years of evolution the Android application hardening market has matured, but effective iOS application hardening technology is still lacking on the market. While promoting Digital Alliance's anti-cheating technology product "Trusted ID", the company found that many customers also needed iOS application hardening.

So what are the shortcomings of traditional iOS application hardening technology? Traditional methods generally use the compiler to obfuscate the program code, burying valid information in invalid information so that whoever is analyzing the code cannot easily see what matters. However, this approach greatly increases code size, and it also requires handing the application code to a third-party hardening vendor, which then runs the obfuscating compiler. Customers therefore bear the risk of source code leakage. And if encrypting, hiding or obfuscating the program code makes the application package too large, it hurts the user experience and users' willingness to download.

Digital Shield iOS application hardening technology "stays true to its principles and yet is surprising"

At present, hardening technology on mobile has developed along essentially the same path as on the PC: from packing and unpacking, anti-debugging and anti-anti-debugging on the Windows platform, to .apk hardening, anti-debugging, code obfuscation and shell strengthening on the Android platform. On Windows, anti-debugging technology from ring3 to ring0 is very mature. Compared with .ipa hardening, .apk hardening is relatively well developed, and the industry has many mature app hardening solutions. Digital Shield iOS application hardening technology is "orthodox yet surprising".
It applies binary hardening, a difficult technique from the PC side, and adds a shell to the iOS application, which not only avoids the risk of application piracy but also prevents hackers from decompiling the app, thereby protecting the core business logic. The technology also incorporates advanced anti-debugging and string obfuscation to further protect the application from analysis in a debugger and to prevent tools such as IDA Pro from being used to crack the core code logic by locating keywords.

It is reported that after Digital Shield iOS application hardening is applied, the original app grows by no more than 1M and the hardening strength is not affected, which can be described as "lightweight hardening without compromising security." Demand for the technology comes mainly from paid applications, enterprise applications, applications with transaction functions, and applications from small and medium-sized developers who care about intellectual property and value their own work.

Asked about the future direction of Digital Alliance's iOS hardening technology, the Digital Shield iOS application hardening team said it will do further research and development on code virtualization and on protecting other resources (images and sound). At present, Digital Alliance's app hardening technology has not been applied to the Android platform, mainly because the Android platform is too complex, with many system versions and many types of devices. Even with the core technology complete, compatibility work will take a lot of time, so the Android version will be launched later.

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]