App security hardening refers to hardening the App as a whole and its core classes. This section guides you through the complete process of creating a hardening task.
mobile App security hardening supports the following objects:
Integrated APK/AAB: provides anti-decompilation protection, overall protection for DEX files, anti-tampering protection for DEX files, anti-whitebox attacks, anti-shell encryption algorithm protection, anti-debugging protection, anti-memory tampering protection, anti-hook protection, anti-simulator protection, anti-repackaging protection, and anti-memory dump protection for APK/AAB.
Core classes: obfuscates Java code, hides the actual running process, prevents decompilation of jadx-gui and Jeb tools, and makes the hardened code difficult for human users to read.
So File: The So file is encrypted and protected to increase the difficulty and cost of cracking the So file.
Assets: encrypts and protects assets files to meet regulatory requirements.
The hardening of the APK/AAB as a whole is required. The hardening of the core class, So file, and Assets file is optional. The APK can be hardened as needed.
Prerequisites
Before starting hardening task, you need to prepare the App to be hardened. The requirements are as follows:
The file format must be
.apkor.aab.The App must not be hardened. mobile App security hardening does not support repeated hardening of hardened installation packages.
The APK/AAB package is already signed. During the hardening process, the APK/AAB package is protected against secondary packaging. Therefore, the uploaded App package must be signed.
If you want to harden the Assets file in the App, make sure that the minSdkVersion ≥ 21, that is, the Android version is no less than 5.0.
The APK/AAB size should be ≤ 300 MB.
The first hardening after a formal order will automatically be bound to the package name used. Subsequent hardening can only use APKs with this package name, and the package name cannot be changed after binding. There is no such restriction during the trial period.
Procedure
To create a hardening task, perform the following steps:
Go to the mPaaS console and select the target App from the App list.
In the left-side navigation pane, choose Security > Mobile Security Armor > Android application security hardening.
On the page that appears, click Create Security Hardening. The Upload Application to Be Hardened page appears.
Click Upload Application to upload the installation package. During the upload, click Cancel Upload to cancel the upload. The Upload application to be hardened page returns to the initial status (that is the state when no upload operation is performed).
NoteIf the uploaded APK/AAB does not meet the requirements, the upload fails. In this case, click Re-upload. The Upload application to be hardened page returns to the initial status.
After the file is uploaded, you are redirected to the Confirm Security Hardening Information page. On this page, you can perform the following operations:
Confirm Application Information: View the App information in the Application Information column.
The name of the App.
The name of the specified App package.
The version of the App.
App Size
Confirm the hardening information: In the Hardening Information section, view the overall hardening service provided for the APK/AAB.
Shell protection
AndroidManifest file tamper protection
Signature File Protection
Anti-debugging protection
Anti-native App debugging
Anti-memory dump protection
Anti-simulator running protection
Anti-Root Device Operation Protection
Anti-memory data read protection
Protection against in-memory data modification
Hook attack protection
Protection against memory code injection
Select Shell Mode: By default, Quick Mode is selected.
Quick mode: The App in this mode starts faster than the App in the compatible mode. However, the App may crash in some Android models.
Compatibility Mode: In this mode, Apps that are shelled in the fast mode start slower than Apps that are hardened in the fast mode. However, Apps that are shelled in the fast mode have higher compatibility.
NoteWe recommend that you use Compatibility Mode to shell Apps.
Add Classes for Security Protection: Optional. Select the classes that you want to harden.
Optional. Enter a class name and click Search to search for the class. We recommend that you enter a complete class name to search. If more than 1000 class names are search results, the platform cannot display search results. In this case, you need to enter a complete class name to search again.
Click the check box corresponding to the target class to select the target class. Supports multiple choices. A maximum of 300 classes are supported.
NoteThe name of the selected class appears below the search box. Click × to deselect the corresponding class.
Select So File to Protect: Select the So file that needs to be hardened.
Enter a keyword in the name of the So file and click Search to search for the file.
Click the check box before the So files to be hardened to select one or more target So files.
ImportantWhen selecting the So file to be hardened, we recommend that you do not select a third-party So file for hardening, because it is of little significance to harden the third-party So file to improve App security and is prone to compatibility issues.
Select Assets File: Select the assets file that you want to protect.
Enter a keyword in the name of the Assets file and click Search to search for the file.
Click the check box before the assets file to be hardened to select one or more assets files.
Click Confirm to harden the App. If the Application Hardening message appears, the task is created. Click View Hardening List to go to the Application Security Hardening page. The card of the current task is added to the list. In the card, you can view the hardening progress of the task and download the APK/AAB after hardening.