Recently, the winners of the 5th (2022) Digital Finance Innovation Competition, sponsored by China Electronic Banking Network and the Digital Finance Joint Publicity Year, were announced. Ant Digital's mPaaS full-link terminal security solution won the "Digital Platform Innovation Award". Ant Digital mPaaS is a mobile development platform that integrates many of Alipay's technical capabilities, providing a one-stop, cloud-to-device solution for mobile application development, testing, operation and maintenance. On the mobile security side, mPaaS draws on Alipay's years of business practice: the mPaaS full-link terminal security solution was developed to help enterprises address network security, compliance and related issues as their business goes mobile.
On June 24th, Ant Group and FreeBuf, a new internet security media outlet, jointly held an open class on mobile security. Ye Mingyu (Ye Yu), an mPaaS technical expert at Ant Group Digital Technology, explained online the overall mPaaS mobile security compliance solution and its practice. We have organized the content here to share with everyone.
|Content Review|
Ye Yu covered three areas: first, the current security status of mobile apps, including both mobile security and mobile privacy compliance; second, how Ant addresses terminal security and how the full-link security compliance system strengthens protection capabilities; and finally, a brief introduction to the application scenarios of the mobile privacy compliance management and control system within Ant.
|Status of Mobile Security Compliance|
According to data from the China Academy of Information and Communications Technology, 70.22% of financial apps have high-risk vulnerabilities, 6.16% of financial apps are infected by malicious programs, over 80% of financial apps have not undergone any security hardening, many financial apps request user permissions beyond their scope to varying degrees, and some third-party SDKs carry security risks such as covert collection of user information and vulnerabilities of their own. It is clear that security risks in apps are common as enterprises move their business to mobile.
Let's look at examples of privacy compliance industry standards, regulatory activities and penalties. Especially since the Personal Information Protection Law of the People's Republic of China took effect on November 1, 2021, companies are paying more and more attention to the protection of user rights and privacy. As of March 2022, the Ministry of Industry and Information Technology had organized inspections of 21 batches covering 2.44 million apps, publicly notified a total of 2,049 violating apps, and removed 540 apps that refused to rectify; regulatory penalties are still ongoing.
In addition, since 2015 domestic financial institutions have begun using face recognition as a method of user identity verification, relying directly on the result of face verification for app business: once face verification passes, the user is authorized to open an account, make a payment or transfer, and apply for services online. As a result, attacks on face recognition by hackers are increasing, and the security of liveness-based face verification technology urgently needs to be developed and solved.
|Full-link mobile security protection|
How does Ant solve the problem of terminal security? What solution and architecture does Ant use to improve its security protection capabilities?
Ant has built the mPaaS full-link security compliance system, which covers platforms such as Android, iOS, H5 and Mini Programs, as well as the entire R&D life cycle, from development through launch to post-launch operation and maintenance. The overall system diagram is divided into four categories, from bottom to top:
1. Data security services: with the help of the "mobile gateway", "threat perception/device risk", "secure keyboard" and "secure computing/storage" components, these ensure mobile app password and key management, data transmission and storage security, and dynamic defense against attacks; with the help of "security hardening", they provide comprehensive app hardening services so that running applications avoid risks such as tampering, cracking and debugging.
2. Security and privacy management and control services: with the help of "mobile security detection", "mobile privacy compliance detection" and the "mobile privacy compliance aspect", these help mobile apps comprehensively check for security vulnerabilities, evaluate whether personal information collection is compliant, and provide security bug fixes and suggestions.
3. Biometric authentication security services: with the help of "real-person authentication/liveness detection", "document recognition", "face security" and "IFAA financial-grade identity authentication", these secure identity authentication in specific financial app scenarios, fully protecting user information and business transaction data while also protecting the authentication process itself.
4. Application security hardening services: with the help of "Android security hardening" and "iOS/H5 security hardening", the risks of mobile apps being cracked, debugged or tampered with on the terminal are reduced.
However, "security hardening" is not a panacea. For an expert, a hardened and packed mobile app can still be unpacked, and code can be injected through the app on another phone to bypass the business's logical restrictions. In that case, how does the business side know whether it has been attacked, or whether the "request" traffic has been modified by hackers? How should protection be done?
Alipay and Ant's major apps have introduced a mobile gateway. The mobile gateway is the bridge connecting the mobile app client and the server: when traffic comes in, it passes through the gateway and then goes to the backend for signature verification and decryption; after the traffic reaches the backend, it is distributed to the business side for further processing. The terminal security SDK perceives risk in advance on the terminal and transmits various data characteristics from the terminal to the backend for big data computation and machine learning. At the same time, a dedicated security team analyzes the data further. This forms a complete set of malicious-device ("black device") awareness and terminal environment security awareness capabilities, and these capabilities and models can monitor the various business traffic flowing through the gateway, block malicious traffic, or apply policy controls such as introducing traps.
This solution can be used not only within Alipay but also in external apps. Typical application scenarios are marketing activities: for example, when users compete to grab coupons, this solution can identify the "wool-pulling" (bonus-hunting) traffic brought in by grey-market fraud operations. Other application scenarios include anti-bot protection for train ticket grabbing and risk decisions in transfer risk control systems.
|Mobile Privacy Compliance Control|
Based on years of practice, Alipay has developed a complete, systematic solution divided into three layers of control: before, during and after the event.
Beforehand, the risk checkpoint audit is controlled mainly by two methods: dynamic and static risk scanning, and permission compliance authorization.
During the event, the main mechanism is to apply an aspect to all APIs through the mobile privacy compliance security aspect, so as to monitor the permissions and privacy exceptions involved in each user's use of the app.
Afterwards, once a problem has occurred, the enterprise side issues instructions based on the monitored data to block the abnormal privacy behavior or risky spots, minimizing the risk.
At present, the relevant capabilities offered by many external vendors cover only the ex-ante part and cannot fully control the risks, whereas the mobile privacy compliance solution helps enterprises respond quickly and in time during testing, after going online, and after problems arise.
Overall, the mobile privacy compliance aspect is the core. Normally, "user information" is obtained by calling the low-level API directly, but now that call is intercepted and all calls are brought onto the control plane, i.e. the path from "1" to "2" in the diagram; through this path the overall online situation can be controlled, and when problems are encountered they can be traced back and managed to defuse the risk.
How are the above risks found in practice?
Ant has built a mobile privacy compliance control panel covering a series of privacy exception definitions, including out-of-scope permission requests, over-frequent calls, background calls, etc. When a risk occurs, a control distribution configuration is automatically generated from the call chain and the affected call can be shut off; only the controlled part is shut off, in a targeted manner, without affecting other services.
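As an added illustration (not mPaaS code), the following Python sketch models the control plane described in the "during" and "after" layers above: intercepted privacy API calls are checked against the three exception definitions (out-of-scope permission, over-frequency, background call), and the resulting control configuration blocks only the offending call chain so other services are unaffected. The API-to-permission table, thresholds and call log are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example: intercepted privacy APIs and the permission each one needs.
API_PERMISSION = {
    "TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "PackageManager.getInstalledPackages": "QUERY_ALL_PACKAGES",
}

@dataclass
class Call:
    ts: float          # seconds since app start
    api: str           # intercepted API
    chain: str         # top of the call chain (business module or third-party SDK)
    foreground: bool   # app was in the foreground at call time

def audit(calls, granted, max_per_window=3, window=1.0):
    """Evaluate intercepted calls against the three exception definitions and
    return (exceptions, control_config); the config names only misbehaving pairs."""
    exceptions = set()
    history = defaultdict(list)          # (chain, api) -> recent timestamps
    for c in sorted(calls, key=lambda c: c.ts):
        perm = API_PERMISSION.get(c.api)
        if perm and perm not in granted:            # permission never authorized
            exceptions.add(("out_of_scope", c.chain, c.api))
        if not c.foreground:                        # collection while backgrounded
            exceptions.add(("background_call", c.chain, c.api))
        recent = [t for t in history[(c.chain, c.api)] if c.ts - t < window]
        history[(c.chain, c.api)] = recent + [c.ts]
        if len(recent) + 1 > max_per_window:        # too many calls in the window
            exceptions.add(("over_frequency", c.chain, c.api))
    blocked = sorted({(ch, api) for _, ch, api in exceptions})
    config = {"block": [{"chain": ch, "api": api} for ch, api in blocked]}
    return sorted(exceptions), config

def allowed(config, chain, api):
    """Enforcement hook the aspect consults before letting a call through."""
    return not any(b["chain"] == chain and b["api"] == api for b in config["block"])

# Constructed call log: an ad SDK misbehaves, the map module behaves.
SAMPLE_CALLS = [
    *[Call(0.1 * i, "TelephonyManager.getDeviceId", "ad_sdk", True) for i in range(1, 6)],
    Call(2.0, "PackageManager.getInstalledPackages", "ad_sdk", False),
    Call(3.0, "LocationManager.getLastKnownLocation", "map_module", True),
]
GRANTED = {"READ_PHONE_STATE", "ACCESS_FINE_LOCATION"}
```

Running `audit(SAMPLE_CALLS, GRANTED)` flags the ad SDK's device-ID burst and its background package scan, and the generated config blocks only those two call-chain/API pairs while the map module's location call still passes `allowed`.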
|Communication and Interaction|
That's all we have to share today!
If you are interested in further discussion, you are welcome to scan the code to join the DingTalk group "Ant mPaaS & FreeBuf Open Class Q&A Group". Thank you for participating in today's technology sharing, and we hope you gained something from it.