Alibaba Cloud Mobile Security ensures the security of Android mobile applications with extensive vulnerability scans and malware protection. This service acts as a one-stop solution for risk management by ensuring end-to-end protection throughout the entire mobile application lifecycle, spanning design, development, testing and release.
Mobile Security also protects the application from exposure to poorly written code, insecure API implementations, and other shortcomings.
"Using application hardening features of Alibaba Cloud Mobile Security services, Didi Chuxing effectively prevents malicious attacks, delivering safe trips for hundreds of millions of users."
"The vulnerability scan feature of Alibaba Cloud enables BEST Express to detect security vulnerabilities precisely at the testing stage, thereby avoiding key security risks before the application goes live."
1. Robust Scanning
- Guarantees up to 99.9% availability.
- Distributes traffic automatically across instances in different availability zones.
- Quickly detects unhealthy instances and routes traffic to only healthy instances.
2. Comprehensive Security Protection
- Applies comprehensive security protection technology to various applications.
- Provides high stability and compatibility.
- Ensures minimal impact on mobile applications.
3. Easy to Access
- Allows you to quickly access and integrate the security service into your system through a SaaS-based model.
- Facilitates easy automation of services and functionalities provided by mobile applications.
4. End-to-End Risk Management
- Offers risk analysis and hardening techniques for the complete lifecycle of a mobile application from the initial development stage up to the release stage.
- Provides incremental hardening from the development stage until the point of release.
5. Mobile Security Service Team
- Provides 24/7 support services through a number of industry-leading white hat hackers.
- Offers expertise from distinguished speakers of Black Hat and RSA Conference.
Alibaba Cloud Mobile Security employs extensive vulnerability scans on Android mobile applications to identify illegal practices. The service does not modify the code or application files but applies a security layer to prevent the vulnerabilities from being exploited.
To maximize the benefits of this service, it is recommended that the application be integrated with the service from the development phase.
Quick Application Vulnerability Detection
● Static Vulnerability Detection:
○ Scans and locates vulnerabilities statically and performs taint analysis to retrieve variable values accurately.
○ Analyses and tracks vulnerabilities at the granularity of the register.
● Dynamic Vulnerability Detection:
○ Scans and locates vulnerabilities dynamically and performs fuzz testing to restore the real Android environment and obtain accurate results.
Application Vulnerabilities Resolution
● Provides a complete remedial solution for your mobile application based on the scan results.
Advanced Security with Application Hardening
● Applies various methods like re-encoding, shelling, and modifying the command calling sequence to enhance the anti-cracking capability of your application.
● Employs techniques that focus on application hardening intensity, while maintaining the compatibility of your application.
Core Application Hardening Techniques
● Mainstream static analysis tool prevention - effectively prevents hackers from using static analysis tools such as APKTool, dex2jar, and JEB to analyze applications’ Java-layer code.
● SO shelling -
○ Shells the SO file to effectively prevent malicious users from using tools such as IDA and readelf to analyze SO file logic.
● DEX shelling -
○ Shells the DEX file by using loading and remedial techniques during dynamic running.
○ Effectively prevents hackers from dumping the Java-layer code memory.
● Constant encryption -
○ Encrypts plaintext constant strings in the DEX file.
○ Uses the dynamic decryption feature to decrypt strings during runtime, greatly increasing the difficulty in reverse analysis.
● Java command translation -
○ Modifies the calling relationship link of the service logic at the Java layer.
○ Ensures protection of the Java-layer code from hackers by not giving access to the entire service logic.
● Java execution simulation -
○ Detaches commands from the DEX file and simulates execution in a user-defined execution environment.
○ Effectively prevents malicious users from getting a dump of Java-layer code using commands.