Frequently Asked Questions

Android App Defender

About app signature

Q: What is an app signature?
A: A signature is a mechanism used to identify the app developer and ensure the integrity of the APK. Google requires every app to have a signature.
Q: Why do uploaded apps need to have a signature?
A: The reinforcement function prevents secondary packaging (repackaging). You need to provide the original signature of the APK in advance so that the signature can be verified after reinforcement.

About re-signing after reinforcement

Q: The APK was already signed before uploading. Why does it need to be re-signed after reinforcement?
A: Reinforcement damages the original signature of the APK, so the APK must be re-signed. Otherwise, the installation cannot be completed.
Q: Why must the APK be re-signed with the same signature as before reinforcement?
A: If the signatures are not the same, the anti-secondary-packaging function of the reinforcement is triggered and the app cannot work properly.
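
One way to confirm that a re-signed APK carries the same signing certificate as the original, as an added example that is not part of the vendor's tooling: the functions below compare the signer certificate SHA-256 digests found in saved output of apksigner verify --print-certs. The report file names and the digests in the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an APK re-signed after reinforcement carries the
# same signing certificate as the original. Each report is the saved output of
#   apksigner verify --print-certs <apk>

# Print the sorted, lower-cased SHA-256 digests of every signer in a report.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*/\1/p' "$1" |
        tr 'A-F' 'a-f' | sort -u
}

# Succeed only if both reports list the same, non-empty set of signer digests.
same_signer() {
    before=$(signer_digests "$1")
    after=$(signer_digests "$2")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Constructed sample reports; the digests are placeholders, not real keys.
write_samples() {
    cat > "$1/original.txt" <<'EOF'
Signer #1 certificate DN: CN=Example Release
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
    cat > "$1/resigned_ok.txt" <<'EOF'
Signer #1 certificate DN: CN=Example Release
Signer #1 certificate SHA-256 digest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
    cat > "$1/resigned_debug.txt" <<'EOF'
Signer #1 certificate DN: CN=Android Debug
Signer #1 certificate SHA-256 digest: fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
EOF
    : > "$1/unsigned.txt"   # report with no signer lines (APK never re-signed)
}

samples=$(mktemp -d)
write_samples "$samples"
for report in resigned_ok resigned_debug unsigned; do
    if same_signer "$samples/original.txt" "$samples/$report.txt"; then
        echo "$report: signer matches original"
    else
        echo "$report: signer differs or is missing"
    fi
done
```
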

The difference in functionality between the three different versions of Reinforcement

Q: What features does the Basic version include?
A: The Basic version includes a minimum level of app protection and is available for one free trial. There is no manual after-sales service to fix problems.
Q: What are the common features of the Standard version?
A: The Standard version includes overall dex protection, Java code virtualization, anti-dump, anti-debugging, anti-repackaging and code tamper-proofing. It has no trial support, and it includes manual after-sales support for solving problems.
Q: Are there any special needs that the Standard version can meet?
A: The following situations can be solved by using the standard version:
  • html/js code protected apps (suitable for cross-platform frameworks like Phonegap, RN, Cordova, etc.)
  • Apps with game protection requirements (suitable for frameworks like Xamarin, Flutter, u3d-mono, cocos2dx, c#, lua).
  • Normal live apps that balance compatibility and performance.
Q: What needs can the Professional version meet?
A: The Professional version can be used in the following situations:
  • Apps with so protection requirements;
  • Apps (non-HTML/js code) with resource encryption requirements;
  • Apps that need to be on the Google Store;
  • Apps with anti-injection, anti-emulator, anti-open, and anti-root requirements.
Q: How do I specify the protection scope for Java code virtualization in the Professional version?
A: List all important classes that require special protection, for example: com.android.app.Activity.
Q: How do I specify the protection scope for so files in the Professional version?
A: Give the protection list according to the following rules:
  • If the so to be protected is in the lib folder of the APK, give the full file name, for example: libabcdef.so.
  • If you need to protect a so in the assets folder, give the full path, for example: assets/so/x86/libabcdef.so, assets/so/armeabi-v7a/libabcdef.so

The effect of reinforcement on volume

The following table analyzes the package size before and after reinforcement for APKs of different sizes in the Standard version. It shows that the size increment caused by reinforcement is almost negligible. Due to operations such as log clearing and package compression, the package will become smaller after reinforcement.

| Increment (%) / volume (M) | <50m | (50, 100m] | (100, 300m] |
| --- | --- | --- | --- |
| Min | -1% | 0.6% | -4.5% |
| Max | 63% | 16% | 10.8% |
| Average | 19% | 2.1% | -1.5% |

Requirements that cannot be met by reinforcement:

Q: Does the reinforcement support sensitive data anti-crawler, signature algorithm upgrade, secret key upgrade, or sensitive data encryption protection requirements?
A: No.
Q: Does the reinforcement support VMP protection for so files?
A: No.
Q: How does reinforcement prevent packet capture?
A: The reinforcement does not support anti-packet capture.
Q: Can the game be hardened to prevent third-party plug-ins?
A: The reinforcement does not support protection against third-party plug-ins.
Q: How can I handle the failure to harden dex039?
A: Currently, dex039 only supports machines running Android 9.0. Its compatibility is too limited, so reinforcement of it is not supported at present. If this app needs to be hardened, please lower the minSdk version in the Android Studio project.

Other frequently asked questions about Android reinforcement

Q: My app will crash after reinforcement. What should I do?
A: Please make sure that all functions of the app are normal before reinforcement. If the app crashes only after reinforcement, report it to the after-sales service and ask technical personnel to handle it.
Q: How do I verify that my app is hardened and functioning properly?
A: The reinforcement report contains the description of all enabled protection functions and detection methods. You can follow the steps in the report to verify whether each protection function is effective.
Q: Does the call stack change after reinforcement? Is it still easy to locate problems in the app?
A: Reinforcement does not change the app call stack.
Q: Installation fails after reinforcement with [INSTALL_FAILED_INVALID_APK: Failed to extract native libraries, res=-2]
A: In the Application element of AndroidManifest.xml, remove extractNativeLibs="false" or add android:extractNativeLibs="true".

iOS App Defender

What is Bitcode?

Q: Why is Bitcode enabled? Is it possible to harden without Bitcode enabled?
A:

Bitcode is an intermediate representation produced while source code is compiled into binary machine code; it is neither source code nor machine code. When Bitcode is enabled, it is embedded in the binaries that Xcode compiles. Apple introduced the Bitcode mechanism in Xcode 7 and turned it on by default. When an ipa containing Bitcode is submitted, Apple can use the Bitcode to optimize or recompile the application for new products or technologies after they are released, without developer involvement.

Our reinforcement technology processes Bitcode, so Bitcode must be enabled for packaging. Without Bitcode, we cannot perform reinforcement.

You can use the following command to verify whether the binary file in the xcarchive package contains Bitcode. If segname __LLVM appears in the output, Bitcode exists; otherwise, there is no Bitcode.

$ otool -arch arm64 -l path_to/xxx.xcarchive/Products/Applications/xxx.app/xxx | grep LLVM
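
A stricter version of the grep check above, as an added example that is not the vendor's tooling: the function parses otool -l output and reports whether an __LLVM section actually carries data. Treating a section of at most one byte as a placeholder is an assumption of this example, and the sample excerpts are constructed.

```shell
#!/bin/sh
# Added example: classify "otool -l" output read from stdin as
#   full   - an __LLVM section larger than one byte is present
#   marker - __LLVM sections exist but are empty or one byte (assumed placeholder)
#   none   - no __LLVM section at all
bitcode_status() {
    awk '
        $1 == "Section" { in_sect = 1; seg = ""; next }
        in_sect && $1 == "segname" { seg = $2 }
        in_sect && $1 == "size" {
            if (seg == "__LLVM") {
                found = 1
                hex = $2
                sub(/^0x0*/, "", hex)      # strip prefix and leading zeros
                if (hex != "" && hex != "1") full = 1
            }
            in_sect = 0
        }
        END { print (full ? "full" : (found ? "marker" : "none")) }
    '
}

# Constructed otool excerpts (addresses and sizes are made up).
sample_full() { cat <<'EOF'
      cmd LC_SEGMENT_64
  segname __LLVM
Section
  sectname __bundle
   segname __LLVM
      addr 0x0000000100a3c000
      size 0x0000000000032000
EOF
}
sample_marker() { cat <<'EOF'
Section
  sectname __bitcode
   segname __LLVM
      addr 0x0000000000000450
      size 0x0000000000000001
EOF
}
sample_none() { cat <<'EOF'
Section
  sectname __text
   segname __TEXT
      addr 0x0000000100004000
      size 0x00000000000a1b2c
EOF
}

for s in sample_full sample_marker sample_none; do
    echo "$s: $($s | bitcode_status)"
done
```

To run it against a real binary, pipe the otool command shown above into bitcode_status instead of grep.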

Packaging fails after Bitcode is enabled

Q: What if the message "xxx does not contain bitcode" or "xxx was built without full bitcode" is displayed?
A:

The reason is that Bitcode is not enabled in a library file that the project relies on.

  • If the library file with the error has corresponding source code (developed by yourself or introduced by a third-party library such as a Pod, with the source code and Target present in Xcode), you can find the Target in the above way and enable Bitcode.
  • If the library file is a compiled binary file provided by a third party (without source code), you need to contact the third party to provide a version that includes Bitcode. You can also use our iOS reinforcement aid to force it to be enabled.
Q: What if the message "-weak_library and -bitcode_bundle (Xcode setting ENABLE_BITCODE=YES) cannot be used together" is displayed?
A: Find a configuration like -weak_library /usr/lib/libxxx.dylib in Other Linker Flags and change it to the form -weak-lxxx. For example, change -weak_library /usr/lib/libstdc++.dylib to -weak-lstdc++

Enable Bitcode is set to Yes for all targets, but there is still no Bitcode in the xcarchive package

A: Go to target -> build settings -> other c flags and add -fembed-bitcode=all, then re-archive and make sure that the xcarchive package contains Bitcode.

The effect of reinforcement on volume

A: Different reinforcement parameters bring about different volume changes, and the effect of the same reinforcement configuration on different code is uncertain, depending on the complexity of the code itself. The following statistics are based on historical samples. The measured object is the main program in the app (excluding Bitcode), at the file path path_to_archive.xcarchive/Products/Applications/AppName.app/AppName. The results are for reference only.

Calculation method: Main program size after reinforcement/main program size before reinforcement (excluding bitcode)

| Type | Volume growth multiplier |
| --- | --- |
| Base version (limit 30%) | 1.1 to 1.5 |
| Standard Edition (simple obfuscation) | 1.3 to 1.7 |
| Standard Edition (common obfuscation) | 1.3 to 2.0 |
| Standard Edition (strong obfuscation) | 1.5 to 2.4 |
| Professional Edition (full features turned on) | 1.4 to 2.6 |

After reinforcement, the size of code segments in the main program may exceed the limits of the App Store. For details, see the official documentation of App Store Connect. Set reinforcement parameters as required.

The reinforcement aid cannot be opened

A: This is due to Apple's security mechanism. By default, Mac OS X only allows software downloaded from the App Store.
  • If the message "From an unidentified developer" is displayed, please refer to Apple's official instructions for opening an application from an unidentified developer.
  • If the message "File corrupted" is displayed, open System Preferences -> Security & Privacy -> General -> Allow Apps downloaded from the following locations, select Any Source, and try again.
  • If there is no "Any Source" option, run sudo spctl --master-disable in your terminal first and try again.
  • If it still does not open, download the auxiliary tool again and unzip it to another path.

The Bitcode format is not recognized

Q: What if the prompt "Make sure to compile with the official Xcode compiler" is displayed?
A:

Bitcode generated by a third-party compiler is not recognized by Apple. A submission to the App Store with Bitcode enabled will be rejected with the message "Invalid Bundle". However, this does not matter if you submit without Bitcode enabled.

(1) The first case is that ollvm or another third-party compiler toolchain is used to compile the entire project. In this case, you can switch back to the default toolchain built into Xcode.

(2) The second case is that the project integrates a third-party SDK (static library) compiled by unofficial compilers like ollvm (Apple LLVM). In this case, you can use the following solution to skip the processing of the third-party SDK during reinforcement.

Suppose two third-party SDKs have this problem, their names are libSDK.a and SDK.framework, and they are stored on the Desktop in the directory ~/Desktop:

  • Back up the original SDKs yourself
  • Execute the following commands in the terminal to remove the Bitcode from the SDKs
    $ xcrun bitcode_strip -r ~/Desktop/libSDK.a -o ~/Desktop/libSDK.a
    $ xcrun bitcode_strip -r ~/Desktop/SDK.framework/SDK -o ~/Desktop/SDK.framework/SDK
  • Use our iOS reinforcement aid to force Bitcode on for the above SDKs
  • Replace the third-party SDKs used in the project with the SDKs processed in the steps above
  • Pack and harden as normal

atbCAPTCHA

Q: How do different business systems integrate the sliding captcha?
A:
  • For a business interface that needs to be protected, embed the sliding verification code on the page. The user gets a security token after sliding successfully. The business interface must carry the token to the back end for token security verification, and the business process continues only after the verification passes.
  • Taking login as an example, the business interface before the verification code is integrated: Interface: http://domain/login; Parameters: user name, password
  • After the verification code is integrated into the login page, the user slides and gets a security token. The business interface after integration: Interface: http://domain/login; Parameters: user name, password, and security token
Q: Which browser versions does the non-inductive verification service support?
A: IE8+, Chrome, Firefox and other major browsers.
Q: What's the difference between smart non-inductive mode and strong verification mode?
A:
  • Smart non-inductive mode: The system submits the collected environment and device information to the server for non-inductive model verification, which usually includes device model detection (detecting whether the device is a simulator, whether information has been maliciously tampered with, etc.) and abnormal association detection (detecting abnormal associations such as one device associated with multiple IPs in a short time, multiple verifications in a short time, etc.). If the user passes the non-inductive model verification, no sliding verification is needed.
  • Strong verification mode: The user is forced to complete the verification every time before passing. It is generally recommended to select this mode for business steps with high verification requirements, such as registration and obtaining an SMS verification code.
  • About mode switching: Customers can independently select the required verification mode in the application configuration according to their actual needs.

Device Fingerprinting

Universal

Q: Why is the length of the returned token sometimes inconsistent?
A: The token is returned in two cases: if size = 40, the token was generated by the risk control back end; if size > 40, the token was generated locally. Both are valid tokens and can be used for services.
Q: Why does the returned token remain unchanged?
A: In a non-risk environment, the token has a local cache in the SDK. Generally, the duration is 24 hours. In a risk-free environment, the device requests the back end to obtain the latest token.
Q: What is the difference between a token and a fingerprint?
A: A fingerprint is a unique device identifier that exists only on the back-end server. A token is a time-limited product of the communication between the client and the back end. The device fingerprint corresponding to a token can be obtained through the Server API.
Q: What is a degraded token?
A:

During the fingerprint collection and reporting phase, the interface may return a timeout because the call over the link is slow or stalled. The fingerprint sender then encrypts the reported data as a temporary token, which is called a degraded token. The web and mobile terminals support the degraded token, but the applet side does not. The degraded token is long and can be passed to the back end normally for fingerprint analysis.

The degraded state applies only to the current call. If the network is normal at the next call to getToken() and the previous state is found to be degraded, the data is collected again and submitted to the device fingerprint server to obtain a normal token.

Q: Why is the token obtained empty?
A:

If the mobile SDK or the web side integrates device fingerprinting, a degraded token is generated when the network is poor; the token is then very long, and the fingerprint can still be resolved. First, if you fail to obtain the token, check the front-end logic and determine whether the degraded token is captured and sent to the back end for verification. Note: do not customize the token; otherwise, the device fingerprint cannot be resolved. The applet has no degraded-token logic, so on a network exception or access error it will not get a token.

If the token is empty, check the following:

  • Check whether the network is connected and whether services can be requested
  • Check whether the appid is correct
  • Check whether the wrong interface is requested: web side /c1, mobile side /m1, applet side /w1
Q: Why is there a token that is not resolved to a device fingerprint?
A:

First confirm whether it is a correct fingerprint token. The normal token length is 40 bits, and the fingerprint can be resolved.

If the token length is 41 bits, the possible causes are as follows:

  • Failure to integrate the js correctly. For example, a private deployment integrates the SaaS js
  • The token was obtained by requesting the c1 interface of the web side or the w1 interface of the WeChat side directly, rather than being collected and reported through the js
  • Messages are lost or wrong for some reason and the server cannot decrypt them, which may be caused by js compilation in the client framework or by the device environment. If a GET request message is too long and the message is lost, the solution is for the front end to support POST requests. Other forged tokens or service-customized tokens cannot be resolved to fingerprints.
Q: The device fingerprint is blank the first time, but no problem is found the second time or later. What is the reason?
A: The first fingerprint request does not collect data. It depends on whether there is a cache in the request header. If the first fingerprint request returns empty, a second request that collects data is automatically initiated, and the token is cached in the request.

Android

Q: Why does the app crash on launch after the SDK is integrated?
A: Check whether the assets file is integrated and whether the obfuscation configuration is correct. If the log displays I/libjdi sdk init cache failed, please check whether the assets file of the SDK is integrated.
Q: After the SDK is integrated, will the app get stuck when exiting?
A: Exiting the app directly with android.os.Process.killProcess(android.os.Process.myPid()) will cause it to get stuck. You need to close all activities first and then call android.os.Process.killProcess(android.os.Process.myPid()).
Q: The http address cannot be accessed and logcat reports the error "Cleartext HTTP traffic to xxx not permitted"
A: In the Application element of AndroidManifest, add: android:usesCleartextTraffic="true"
Q: For a private client, the token should not be cached by default.
A: You can configure params.put("PRIVATE_CLEAR_TOKEN", "clear");

iOS

Q: An error is reported for unsupported architectures [x86_64, i386]
A: Please configure the corresponding shelving script. For the access script, see "Configuration Packaging Script" in the access document.
Q: There is an error in the script copied from the PDF version of the SDK access document
A: Please use the script from the web version. In Build Phases, place the Run Script after Copy Files.
Q: A new version of Xcode reports the following when integrating the risk SDK: Building for iOS Simulator, but the linked and embedded framework 'DXRisk.framework' was built for iOS + iOS Simulator.
A: Change Validate Workspace in the project configuration to Yes, and then recompile.
Copyright © 2024 AISECURIUS, Inc. All rights reserved