In the field of counterfeiting, no one knows how to imitate better than the black and gray markets.
According to security professionals, for mature counterfeit developers, it only takes a few days to create a front-end framework. Creating servers, source code, domain names, and service providers can all be solved through online leasing.
For example, an app that is launched on Apple's App Store can be replicated at a 1:1 level by the black and gray markets for a price of nearly 30,000 RMB, and it can be completed within 20 days.
If you want these counterfeit apps to be successfully launched on Apple or Android app stores, you only need to pay the corresponding fees after completion.
The reason why counterfeit developers can replicate apps so quickly is because they work on decompiling or tampering with the app.
The Importance of Anti-Tampering
Anti-tampering, as the name suggests, uses technical means to prevent reverse engineers from tampering with key information in an app, thereby strengthening the app's security.
If an app is not strengthened with anti-tampering to prevent tampering, attackers can achieve two attack vectors by inserting malicious code:
For app users, the spread of the app with malicious code can be used for phishing, telecom fraud, and other operations, causing users to lose assets or suffer other losses.
For the app server, attackers can use some interfaces between the client and the server to attack the server, causing corresponding public opinion and reputation losses to the app.
The Principle of Anti-Tampering in App Strengthening
So, how is anti-tampering implemented in app strengthening?
Let's start with app development.
An app is roughly composed of a developer, app, package name, certificate, and signature. If we compare developers to parents, the app is the child, the package name is the child's name, the certificate is the child's birth certificate, and the signature is the ID number.
Like a newborn baby, when the developer completes the app development, the app only has a name that can prove its identity, which is easy to be "switched out". To ensure the child's safety, parents need to prepare a birth certificate for the child, and then use the birth certificate to generate an ID number to prove the child's identity.
For attackers, there are two ways to abduct this "child":
1. Stealing certificates for information tampering：
By attacking the app's certificate, including the certificate file itself, the certificate's private key, and the certificate's private key alias, attackers can tamper with the app as the developer once they have successfully attacked the certificate. However, certificates are generally not easily leaked.
2. Bypassing signature and package name verification ：
directly modifying the app itself. This is equivalent to a trafficker abducting a child, and how to deal with the kidnapped child is up to the trafficker.
After understanding this principle, it is easier to understand how to prevent tampering.
To ensure that the app is not tampered with, what we need to do is to ensure the security of the app's package name, signature, certificate, and other information.
The general practice is to collect the package name, certificate, and signature of the application in advance and record them. When the attacker uses a forged certificate to generate a forged signature, we can quickly identify that the identity information of the forged signature is not consistent with the information recorded, so our strengthening program can refuse to use the app.
When the app crashes or malfunctions, we can consider whether we are using a counterfeit app.
Anti-Tampering Measures in App Strengthening
Overall, anti-tampering can be achieved through techniques such as packing, resource encryption, code obfuscation, and virtual execution.
1. Packing is the process of protecting DEX files by choosing between overall DEX protection or splitting DEX protection, hiding source code to prevent direct decompilation. When splitting DEX protection, attention should be paid to the data structure of DEX files, selecting the classdata and classcode sections, even if they are split, class data and bytecode data will not be leaked, and decompiled results will not be complete, thus ensuring high security.
2. Resource encryption is the process of encrypting resource files such as images, audio, and video in the software package to prevent attackers from replacing or tampering with them.
3. Code obfuscation is the process of obfuscating the compiled class files. The obfuscated code and the original code can perform the same function, but the obfuscated code is difficult to decompile. Even if the decompilation is successful, the true semantics of the program are difficult to discern.
4. Virtual execution involves compiling raw code into dynamic DX-VM virtual machine instructions and running them on a DX virtual machine. The compiled code cannot be decompiled back into readable source code.
However, as we mentioned in our previous article on code obfuscation, relying solely on code obfuscation and anti-tampering is not enough to stop themost determined attackers. Therefore, it is important to use multiple layers of security measures to make it more difficult for attackers to bypass app security.
In summary, anti-tampering is an important technique in app strengthening to prevent tampering and ensure the security of the app package. It can be achieved through techniques such as packing, resource encryption, code obfuscation, and virtual execution. However, it is important to use multiple layers of security measures to make it more difficult for attackers to bypass app security.
Only in this way can we prevent problems before they arise.