Alibaba Cloud Mobile Security protects Android mobile applications with extensive vulnerability scans and malware protection. The service acts as a one-stop solution for risk management, providing end-to-end protection throughout the mobile application lifecycle, spanning design, development, testing, and release.
Mobile Security also protects the application from exposure to poorly written code, insecure API implementations, and other shortcomings.
"Using application hardening features of Alibaba Cloud Mobile Security services, Didi Chuxing effectively prevents malicious attacks, delivering safe trips for hundreds of millions of users."
"The vulnerability scan feature of Alibaba Cloud enables BEST Express to detect security vulnerabilities precisely at the testing stage, thereby avoiding key security risks before the application goes live."
Comprehensive Security Protection
● Applies comprehensive security protection technology to various applications.
● Provides high stability and compatibility.
● Ensures minimal impact on mobile applications.
Easy to Access
● Allows you to quickly access and integrate the security service into your system through a SaaS-based model.
● Facilitates easy automation of services and functionalities provided by mobile applications.
End-to-End Risk Management
● Offers risk analysis and hardening techniques for the complete lifecycle of a mobile application from the initial development stage up to the release stage.
● Provides incremental hardening from the development stage until the point of release.
Mobile Security Service Team
● Provides 24/7 support services through a team of industry-leading white hat hackers.
● Offers expertise from distinguished speakers of Black Hat and RSA Conference.
Alibaba Cloud Mobile Security runs extensive vulnerability scans on Android mobile applications to identify insecure practices. The service does not modify the code or application files but applies a security layer that prevents the detected vulnerabilities from being exploited.
To maximize the benefits of this service, we recommend integrating the application with the service from the development phase onward.
Quick Application Vulnerability Detection
● Static Vulnerability Detection:
○ Scans for and locates vulnerabilities statically, using taint analysis to recover variable values accurately.
○ Analyses and tracks vulnerabilities at register granularity.
● Dynamic Vulnerability Detection:
○ Scans for and locates vulnerabilities dynamically, using fuzz testing in a restored real Android environment to obtain accurate results.
Application Vulnerabilities Resolution
● Provides a complete remedial solution for your mobile application based on the scan results.
Advanced Security with Application Hardening
● Applies methods such as re-encoding, shelling, and modifying the instruction calling sequence to strengthen the anti-cracking capability of your application.
● Employs techniques that focus on hardening intensity while maintaining the compatibility of your application.
Core Application Hardening Techniques
● Mainstream static analysis tool prevention - effectively prevents hackers from using static analysis tools such as APKTool, dex2jar, and JEB to analyze applications’ Java-layer code.
● SO shelling -
○ Shells the SO file to effectively prevent malicious users from using tools such as IDA and readelf to analyze SO file logic.
● DEX shelling -
○ Shells the DEX file by using loading and remedial techniques during dynamic running.
○ Effectively prevents hackers from dumping the Java-layer code memory.
● Constant encryption -
○ Encrypts plaintext constant strings in the DEX file.
○ Uses the dynamic decryption feature to decrypt strings during runtime, greatly increasing the difficulty in reverse analysis.
● Java command translation -
○ Modifies the calling relationship link of the service logic at the Java layer.
○ Ensures protection of the Java-layer code from hackers, by not giving access to the entire service logic.
● Java execution simulation -
○ Detaches commands from the DEX file and simulates execution in a user-defined execution environment.
○ Effectively prevents malicious users from getting a dump of Java-layer code using commands.
Billing Unit: $ (US Dollar)
Alibaba Cloud Mobile Security Service is available in two versions: Basic Edition (Free Trial) and Professional Edition (Paid Version). The differences between them are as follows:
| Services | Basic Edition | Professional Edition |
|---|---|---|
| Vulnerability Scan | (a) Vulnerability type, quantity, level, and remedial recommendation | (a) Vulnerability type, quantity, level, and remedial recommendation; (b) Detailed description of vulnerability locations |
| Application Hardening | (a) Static analysis tool prevention; (b) DEX shelling | (a) Static analysis tool prevention; (b) DEX shelling; (c) SO shelling; (d) Constant encryption; (e) Java execution simulation; (f) Java command translation |
The Professional Edition has two pricing models:
| Services | Platforms Supported | Yearly Subscription (USD) | API Calling Maximum Traffic (times/day) |
|---|---|---|---|
| Services | Platforms Supported | Pay-Per-Use (USD) | Validity Period |
|---|---|---|---|
| Vulnerability Scan | Android | $250 | 1 year |
| Application Hardening | Android | Coming soon | 1 year |
(a) You can assign Mobile Security service instances to the application after buying them to get access to the Professional Edition service.
(b) This version supports vulnerability scan and application hardening services.
(c) You can access enterprise-edition service through Management Console only.
(d) The number of instances purchased is only valid for a year from the purchase date.
(e) This subscription cannot be renewed. You need to purchase again when the limit is exhausted or it expires.
Alibaba Cloud Mobile Security runs extensive vulnerability scans on Android mobile applications to identify insecure practices. The service does not modify the code or application files but applies a security layer that prevents the detected vulnerabilities from being exploited. The product also applies various application hardening methodologies to ensure the security of mobile applications.
To maximize the benefits of this service, it is recommended that the application be integrated with the service from the development phase.
Using Mobile Security Services through Management Console
Alibaba Cloud Management Console provides a simple web-based user interface, which allows you to access and use the Mobile Security service conveniently. You can use the Management Console to upload and test mobile applications and also buy different versions of Mobile Security service including vulnerability scan and application hardening features.
Alibaba Cloud Mobile Security Service provides security services for the entire lifecycle of mobile applications. It accurately detects applications security risks and provides appropriate security solutions. It is an easy-to-use service that enhances the security of your applications.
1. What is application hardening? How does it work?
Application hardening is a mechanism to protect the application logic. This is done by taking the normal application and generating a binary file that undergoes various levels of conversion through compression and encryption. When the program is activated or run, the file is restored so that the application can run properly despite the binary file being modified.
2. What is the purpose of application hardening?
Hardening is primarily used to stop reverse engineering of the software, to protect software copyrights and prevent cracking.
3. How much does application hardening increase the size of an application?
Hardening inserts junk code and encrypted SO files into the program, which increases the size of the DEX file by 3 to 5 percent. For example, if the DEX file is 6MB, then in addition to the current SO size of 180KB, the application size will increase by more than 300KB. This increase stays small because Alibaba Cloud's Mobile Security Service further compresses the DEX file and performs instruction optimization. Different hardening methods change the size by different degrees, and the actual increase depends on the final application data. The total increase is generally around 2 to 5 percent; however, it is not uncommon for some applications to remain the same size or even shrink.
4. How long does hardening take?
Hardening time varies from application to application. For an application with a 6MB DEX file, the process generally takes 3-4 minutes; compression takes longer for larger applications.
5. What does the hardening process look like?
There are two hardening methods:
1. By submitting the APK through the Alibaba Cloud Management Console, which then returns the hardened APK.
2. By submitting the APK through the Application Hardening API, which then returns the hardened APK.
6. What areas of the application does hardening strengthen?
● Protection against mainstream static decompilers, such as apktool and dex2jar
● DEX file encryption, compression and command protection.
● SO shell protection
7. How does Alibaba Cloud solve the compatibility issue due to application hardening?
Because of Android fragmentation, application hardening does have some effect on compatibility, but not to the extent of causing version compatibility issues. This problem is addressed in two ways:
● Proactively testing compatibility with different device models and constantly looking for potential compatibility issues.
● Promptly collecting customer feedback and making appropriate adaptations.
8. Do Taobao, Alipay, and other Alibaba Cloud applications use hardening? What hardening services do they use?
Currently, a majority of Alibaba Cloud applications use hardening. For example, Shoutao, Tmall, Qianniu, and others use hardening services to protect against mainstream static decompilers. In addition, applications with high-security requirements, such as AliHealth, 9game, and Jiaoyimao use DEX file encryption and other hardening services.
9. Does hardening modify the code? Does it insert advertisements and other plugins in the application?
Hardening neither changes the actual business logic or code nor inserts any advertisement plugins in the application.
10. After using the hardening feature, how can we perform subsequent maintenance?
You do not have to perform any special maintenance or bring in third-party tools or services. The application hardening feature itself serves as the release integrity test.
11. What are the advantages and disadvantages of application hardening?
Advantages:
● It protects core code and algorithms, and makes cracking, piracy, and secondary packaging more difficult.
● It also reduces the risk arising from code injection, dynamic debugging, and memory injection attacks.
Disadvantages:
● It has a slight effect on compatibility.
● It might affect program operational efficiency.
1. What is vulnerability scan engine technology?
Vulnerability scan combines static flaw scanning and dynamic fuzzing technology.
2. What is the purpose of vulnerability scanning?
Vulnerability Scanning helps developers quickly locate vulnerabilities on the code level and provides analysis of their impact and a complete list of available repair solutions.
3. How long does a vulnerability scan take?
A vulnerability scan may take 5-20 minutes depending on the size of an application's APK.
4. What does the overall vulnerability scan process and format look like?
You upload an APK file on the console and click Start Scan. When the scan ends, you can view the results of the vulnerability scan. If you purchase a Yearly Subscription, you can also perform scans through the API.
5. What areas does the vulnerability scan focus while scanning?
The vulnerability scan performs static and dynamic scans on the application. The static scan detects vulnerabilities in the Java-layer code, which includes all DEX and JAR files in the APK. The dynamic scan fuzzes the application's externally exposed components, including Activity, Service, WebView, and ContentProvider.
6. What advantages does the vulnerability scan function have over similar products?
● The false positive and false negative rates of the static flaw analysis are both better than those of existing competing products.
● Mobile Security Service also identifies vulnerabilities caused by function calling formats, which competing products do not. It also detects instruction-level calling relationships and instruction execution sequences.
● Dynamic testing discovers many more vulnerabilities than competing products.
● Scan times for individual applications and average scan times are both less than half those of competing products.
● It performs automatic shell-removing scans on hardened applications.