How did MDSA achieve 100% satisfaction in the APP security topic of its offline public class?

What could brighten a rain-washed Beijing? On June 27, the fourth 51CTO MDSA offline open class was held in the third-floor conference hall of the Beijing Huangyuan Hotel. Nearly 100 APP developers, test engineers and security enthusiasts from mobile Internet companies attended.


In the mobile Internet era, APPs have permeated daily life and claim most of people's fragmented time. Recently many websites and APP clients have suffered outages and information leaks; APP security is a sword that can at any moment be pointed at the lifeline of an enterprise's normal operation.

Rather than scrambling after an incident, it is better to build security awareness and defensive capability day to day. To that end, 51CTO invited Yan Wenbin (ID: Wanming), CTO of Beijing Naga Information Technology Development Co., Ltd.; Shou Jiaowu, senior security researcher and Wuyun white hat; and Hao Yi, senior security expert in Baidu's Cloud Security Department, to analyze APP security across its whole life cycle and through real cases, from the underlying layers and hardware up to methodology, offering attendees a feast of mobile APP development security.

The open class officially began at 2:00 p.m. First up was Naga CTO Yan Wenbin (ID: Wanming) with a talk on "Android Software Protection Technology". He opened with his view of the APP security landscape: the cost of software protection is currently very high, and the fragmented Android ecosystem, including the many heavily modified domestic Android builds, has left the security market in disarray.


Teacher Yan then shared the protection method for native Android APPs: the implementation principle of DIS.

The symbol table, string table, hash table and relocation table are the four core parts of an ELF file; Teacher Yan pointed out that the relocation table is the most important of the four.
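As an added example (not code from the talk or from Naga), the following Python walks an ELF64 section header table and groups the sections that implement the four tables Teacher Yan named. The image it parses is constructed inside the block (headers only, not loadable); the section names .dynsym, .dynstr, .gnu.hash and .rela.dyn are the conventional ones a toolchain emits, not names taken from the talk. Locating these tables is the first thing any native-app protector or unpacker has to do, and the bounds checks carry the practitioner's caveat: a tool that trusts e_shoff and e_shnum from an attacker-supplied .so is itself a memory-safety bug.

```python
import struct

# Section types from the ELF specification that implement the four tables
# discussed in the talk: .hash/.gnu.hash let the dynamic linker look symbols
# up quickly; .rel*/.rela* tell it which words to patch at load time.
SHT_NULL, SHT_SYMTAB, SHT_STRTAB, SHT_RELA, SHT_HASH = 0, 2, 3, 4, 5
SHT_REL, SHT_DYNSYM, SHT_GNU_HASH = 9, 11, 0x6FFFFFF6

TABLE_KIND = {
    SHT_SYMTAB: "symbol table", SHT_DYNSYM: "symbol table",
    SHT_STRTAB: "string table",
    SHT_HASH: "hash table", SHT_GNU_HASH: "hash table",
    SHT_REL: "relocation table", SHT_RELA: "relocation table",
}

EHDR = struct.Struct("<4sBBBB8sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")              # Elf64_Shdr, 64 bytes


def parse_elf64_sections(data: bytes):
    """Return [(name, sh_type, sh_offset, sh_size)] for a little-endian ELF64 image.

    Every header field is bounds-checked before use, because e_shoff, e_shnum
    and the name offsets all come from the (untrusted) file itself.
    """
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shentsize < SHDR.size or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table out of bounds")
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")

    raw = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        raw.append((sh_name, sh_type, sh_offset, sh_size))

    _, _, str_off, str_size = raw[e_shstrndx]       # .shstrtab holds the section names
    if str_off + str_size > len(data):
        raise ValueError(".shstrtab out of bounds")
    shstrtab = data[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, sh_offset, sh_size in raw:
        if sh_name >= len(shstrtab):
            raise ValueError("section name offset out of range")
        end = shstrtab.find(b"\0", sh_name)
        name = shstrtab[sh_name:(end if end >= 0 else None)].decode("ascii", "replace")
        sections.append((name, sh_type, sh_offset, sh_size))
    return sections


def core_tables(data: bytes):
    """Group section names by which of the four core tables they implement."""
    found = {}
    for name, sh_type, _off, _size in parse_elf64_sections(data):
        kind = TABLE_KIND.get(sh_type)
        if kind:
            found.setdefault(kind, []).append(name)
    return found


def build_sample_elf() -> bytes:
    """Constructed sample: an ELF64 image with headers only (no code, not loadable)."""
    specs = [  # (name, sh_type, sh_entsize, payload)
        (b"", SHT_NULL, 0, b""),
        (b".dynsym", SHT_DYNSYM, 24, bytes(24 * 2)),          # two blank Elf64_Sym entries
        (b".dynstr", SHT_STRTAB, 0, b"\0libc.so\0JNI_OnLoad\0"),
        (b".gnu.hash", SHT_GNU_HASH, 0, bytes(16)),
        (b".rela.dyn", SHT_RELA, 24, bytes(24 * 3)),          # three blank Elf64_Rela entries
        (b".shstrtab", SHT_STRTAB, 0, b""),                   # payload filled in below
    ]
    shstrtab, name_off = b"", []
    for name, _, _, _ in specs:
        name_off.append(len(shstrtab))
        shstrtab += name + b"\0"
    specs[-1] = (b".shstrtab", SHT_STRTAB, 0, shstrtab)

    body, layout = b"", []
    for _, sh_type, _, payload in specs:
        layout.append((0, 0) if sh_type == SHT_NULL else (EHDR.size + len(body), len(payload)))
        body += payload
    body += bytes((-len(body)) % 8)                   # 8-byte align the header table
    shoff = EHDR.size + len(body)

    # ET_DYN (3), EM_AARCH64 (183): a shared object of the kind an Android APP ships.
    ehdr = EHDR.pack(b"\x7fELF", 2, 1, 1, 0, bytes(8), 3, 183, 1, 0, 0, shoff, 0,
                     EHDR.size, 0, 0, SHDR.size, len(specs), len(specs) - 1)
    shdrs = b"".join(
        SHDR.pack(name_off[i], sh_type, 0, 0, off, size, 0, 0, 1, entsize)
        for i, ((_, sh_type, entsize, _), (off, size)) in enumerate(zip(specs, layout)))
    return ehdr + body + shdrs


if __name__ == "__main__":
    for kind, names in core_tables(build_sample_elf()).items():
        print(f"{kind:17} -> {', '.join(names)}")
```

Pointing `core_tables` at a real `libfoo.so` from an APK works the same way; on a packed library you would typically see the symbol and relocation tables shrink or vanish, which is exactly the information a shell loader then has to reproduce itself.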

Mr. Yan also covered the basic workflow of the linker, the principle of TDK, the TDK loader class and the role of the TDK shell entry, and analyzed in detail several TDK variables that developers can use.

Finally came an explanation of AOP-based security proxy technology and in-depth development work on .so libraries.

The rich content and sharp analysis made the Q&A session that followed lively: developers kept the questions coming and the on-site back-and-forth was intense.

Next, Shoushou from Wuyun White Hat gave a keynote titled "Droid APP Security Coding".


Teacher Shoushou opened by noting that Android defines many permissions governing what apps may access, but these seemingly safe permissions are not actually so.

Google treats the SD card as a public area that requires no permission to access. Users, however, habitually store photos on the SD card, which is why incidents such as leaked intimate photos are more likely to happen on Android phones than on iPhones.

Teacher Shoushou also reminded attendees not to upload the company's private key to the Internet when using GitHub, because many attackers gather such information online and use it to attack the company.
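As an added example (not code from the talk), here is a pre-commit check in Python that refuses a commit containing private key material: PEM private key blocks, Java/Android signing keystores, or a signing password written into build.gradle. The last check goes slightly beyond the talk's point about private keys, since a leaked keystore becomes usable the moment its password leaks with it. The file set in SAMPLE_COMMIT is constructed for illustration and stands in for a staged commit; the `staged_files` helper reads the real git index when the script is run with `--staged`.

```python
import re
import subprocess
import sys

# Markers for private key material: PEM headers (RFC 7468 / OpenSSH) in text,
# the Java keystore magic number, and the extensions used for Android signing
# keystores and PKCS#12 bundles.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"
KEYSTORE_EXTENSIONS = (".jks", ".keystore", ".p12", ".pfx", ".pk8")
# Gradle signingConfigs with the store/key password written inline.
GRADLE_SIGNING_PASSWORD = re.compile(
    rb"""(?:storePassword|keyPassword)\s*[=(]?\s*['"][^'"]+['"]""")


def find_key_material(path: str, content: bytes):
    """Return (path, reason) findings for one file; an empty list means it looks clean."""
    findings = []
    if PEM_PRIVATE_KEY.search(content):
        findings.append((path, "PEM private key block"))
    if content.startswith(JKS_MAGIC) or path.lower().endswith(KEYSTORE_EXTENSIONS):
        findings.append((path, "signing keystore"))
    if GRADLE_SIGNING_PASSWORD.search(content):
        findings.append((path, "hard-coded signing password"))
    return findings


def scan_files(files):
    """files: {path: content bytes}. Returns all findings, sorted by path."""
    findings = []
    for path in sorted(files):
        findings.extend(find_key_material(path, files[path]))
    return findings


def staged_files():
    """Collect the blobs staged for commit (added or modified) from the git index."""
    out = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"])
    names = [n.decode() for n in out.split(b"\0") if n]
    # "git show :path" prints the staged version, not the working-tree file.
    return {n: subprocess.check_output(["git", "show", f":{n}"]) for n in names}


# Constructed sample input standing in for a staged commit; not a real repository.
SAMPLE_COMMIT = {
    "README.md": b"# MyApp\nBuild with ./gradlew assembleRelease\n",
    "deploy/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                      b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
                      b"-----END RSA PRIVATE KEY-----\n"),
    "app/release.jks": JKS_MAGIC + bytes(32),
    "app/build.gradle": (b"android { signingConfigs { release {\n"
                         b"    storeFile file('release.jks')\n"
                         b"    storePassword 'hunter2'\n"
                         b"    keyAlias 'app' } } }\n"),
}


if __name__ == "__main__":
    # Without --staged the built-in sample is scanned, so the script runs anywhere.
    files = staged_files() if "--staged" in sys.argv[1:] else SAMPLE_COMMIT
    findings = scan_files(files)
    for path, reason in findings:
        print(f"BLOCKED {path}: {reason}")
    sys.exit(1 if findings else 0)
```

To use it as a hook, have `.git/hooks/pre-commit` run the script with `--staged`; a non-zero exit aborts the commit. Keep the real keystore and its passwords outside the repository (a CI secret store or a local `keystore.properties` listed in `.gitignore`), and treat any key that was ever pushed as compromised even if the commit is later rewritten.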

Next, Teacher Shoushou walked through several common and serious vulnerability classes. WebView vulnerabilities are the most common and the most damaging. He also covered flaws in domestic handset makers' firmware, such as Coolpad's application-lock vulnerability and Lephone's arbitrary package install/uninstall vulnerability; many domestic phones ship with such flaws, and an attacker who gets in can silently install and remove packages and send text messages.

Teacher Shoushou also shared tips and experience on coding securely. He recommended using third-party libraries, SDKs and tools that are regularly updated, and getting the initial security design right: transport protocol, data encryption and signature verification. In terms of development practice, he stressed removing test code before release, the principle of least privilege, not copying code without thinking, following the OWASP Mobile Security project, and knowing how to avoid known system vulnerabilities.

Finally, Hao Yi, senior security expert in Baidu's Cloud Security Department, presented "Security Development Lifecycle in the Mobile Internet Era".


As soon as Mr. Hao took the stage he dubbed himself the Guo Degang of the security industry, and his humorous style had the audience laughing at a topic as serious as security, earning plenty of applause. He opened with a fundamental question: what do information security engineers actually need to solve? That set off a discussion among several attendees sitting behind the editor, but Mr. Hao's own answer was: "Weigh time and cost to make the system meet its security quality requirements."

Mr. Hao then spent a good deal of time on the 16 steps of the Security Development Lifecycle (SDL), including several key points:

Security baseline: determines the minimum acceptable level of security and privacy quality;

Risk assessment: including micro-modeling, privacy impact, fuzz testing, baseline improvement, penetration testing, and design review;

STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

The first principle of handling security incidents: no one can guarantee that incidents will not happen, so an emergency response plan must be prepared in advance.

Finally, Mr. Hao Yi summarized the security development life cycle as it applies in the mobile Internet era.

After Mr. Hao's talk, the open class moved to the final lucky draw. Over four rounds of questionnaires, 10 Logitech wireless mice, 5 Bluetooth speakers and 3 3G wireless routers went to attendees. Even during the draw Mr. Hao kept up the security content, analyzing how the information people had filled in on the questionnaires could be misused, and his delivery again had the audience in stitches. As is customary, 51CTO also gave out the final prizes of the open class: 2 Razer keyboard-and-mouse sets and 3 electronic tickets worth 1,600 to the WOT2015 Mobile Internet Developer Conference.

MDSA offline open classes are held once a month and aim to help developers solve the problems they meet in every aspect of mobile development. We hope more developers will follow 51CTO and MDSA; we will keep inviting the most authoritative speakers in the industry to share the most valuable practical content with developers, and we hope more developers will join the MDSA family. See you next time.
