In the wave of digitalization, the application scenarios and depth of the mobile Internet will expand further, and mobile applications have fully penetrated people's work and daily life. With the development of mobile terminals, the security problems latent in mobile applications have gradually surfaced and have an increasingly far-reaching impact on people's vital interests.
According to statistics, at least 1.5 million new mobile malware samples appear worldwide every year, causing more than 16 million malicious attacks on mobile devices. In recent years, the Ministry of Industry and Information Technology (MIIT) has carried out a number of comprehensive rectification campaigns against long-standing problems with mobile applications: illegal collection of users' personal information, illegal acquisition of terminal permissions, and incomplete privacy policies. The national Classified Protection 2.0 standard has also added a mobile security extension requirement, so mobile security will become a core component of China's network security talent training in the future.
This book is a professional work in the field of mobile security attack and defense. As an advanced sequel to "Android Mobile Security Attack and Defense Practice", it shows readers in greater depth the techniques, tactics and case analyses of real network attack and defense in mobile security, and systematically presents the appeal of the field through theoretical exposition, system building and distilled practical experience.
Ye Shaochen: He is a network security technology expert, a distinguished expert of the National Cyber Police Training Base of the Ministry of Public Security, a consultant of the Cyber Security 110 Think Tank, an executive director of the China Next Generation Cyber Security Alliance, a judge on the Red Hat Talent Engineering Review Committee, the initiator of the CTFWAR International Cyber Security Offensive and Defensive Confrontation League, and general consultant of the cyber security journal "Cyber Security Observation". He has won the Education Informatization Invention and Innovation Award jointly issued by the Ministry of Science and Technology and the Ministry of Education.
Chen Xinjie: He is a technical expert in cybercrime governance, a distinguished lecturer at the National Cyberspace Security Talent Training Base, an expert tutor at the National Cyber Police Training Base of the Ministry of Public Security, a visiting lecturer on cyber security at Guangdong University of Technology, a technical consultant at the Guangdong Provincial Cyber Security Emergency Response Center, the editor-in-chief of China's cyber security industry portal "Jiniu.com", and a cyber police technical advisor to the public security bureaus of many provinces.
Cai Guozhao: He is an expert in mobile security attack and defense technology, a senior security researcher on mobile APT attacks and black- and gray-market apps, the editor-in-chief of the mobile security section of China's network security industry portal "Jiniu.com", the technical director of Huayun Xinan, and the head of the Jiniu attack and defense laboratory.
The book is divided into 4 parts with 15 chapters in total.
The Basics
The Basics part consists of Chapters 1 to 3 and aims to give readers the foundational knowledge required for the advanced stages of mobile security attack and defense that follow. Chapter 1 introduces the evolution of the Android runtime through two generations, the Dalvik virtual machine (DVM) and ART. As the confrontation between Android reverse engineers and protection engineers has developed, the battlefield of Android security attack and defense has gradually sunk from Android applications down to the Android system itself. To ensure that an Android application runs normally, many protection measures must be lifted while the application is running, so reverse engineers take advantage of this by starting from the application's runtime process to break its protections; security engineers, in turn, use the same runtime process to build tougher lines of defense. The specific offensive and defensive methods are introduced in detail in the following chapters, so the role of this chapter is to lay a foundation, and I hope readers will form a preliminary understanding of the operating logic of the Android system through it.
Chapter 2 introduces the native layer of Android applications, including the JNI mechanism that bridges the native and Java layers, the basics of ARM assembly, and hooking methods for native functions. Compared with the Java layer, the native layer is closer to the bottom of the Android system, so it is harder to analyze; through this chapter readers will gain a clear understanding of the structure and nature of the Android system.
Chapter 3 introduces the structure of the iOS application package and the application startup process. Because of the closed nature of iOS, it is difficult for most reverse engineers to reach the lower layers of the system, so most attack and defense work still focuses on the application level; this chapter helps readers understand iOS applications better.
Theory
The Theory part consists of Chapters 4 to 6 and is designed to help readers build the theoretical knowledge required for advanced mobile security attack and defense. Chapter 4 introduces the tactical phases of the ATT&CK matrix and some of the techniques they contain. These are applied flexibly in actual attack and defense: just as in the art of war, an attacker will not rigidly attack according to the stages into which the ATT&CK matrix is divided, but will adapt to actual needs or the target environment.
Chapter 5 introduces the techniques of each tactical phase in the ATT&CK for Mobile framework. Readers may notice that some techniques appear in several tactical phases. This is because tactics describe what the attacker needs to achieve at a given stage, while techniques are the means by which the attacker achieves that goal; as long as the goal can be reached, the attacker may use these techniques at will. So when analyzing malware such as Trojans, in addition to identifying the techniques used, it is also necessary to analyze what data the attackers are collecting with those techniques and what they are trying to achieve.
Chapter 6 describes compiling LLVM, using it, and writing LLVM passes. LLVM splits the traditional compilation process into three parts (front end, intermediate representation and back end), which not only increases the reusability of compiler modules but also allows many developers to write passes over the intermediate code and thus take part in the compilation process. The use of LLVM as the native-layer compiler for Android applications further demonstrates the openness of the Android system.
Practice
The Practice part comprises Chapters 7 to 13, which show the front-line confrontation and practical techniques of mobile application attack and defense by analyzing the core implementation of mobile application hardening technology. Chapter 7 introduces the principles and implementation of whole-package hardening. The emergence of whole-package hardening makes it difficult for reverse engineers to obtain the bytecode of an Android application and hinders decompilation and analysis of that bytecode; to obtain the source code, reverse engineers must unpack the application, which in turn prompts security engineers to upgrade the hardening technology. It can be said that the packing and unpacking of Android applications is an intuitive embodiment of the development of security attack and defense.
Chapter 8 introduces the principle and implementation of instruction extraction technology, which breaks the integrity of the dex file in memory and refines the granularity of protection. Security engineers can designate specific Java methods for extraction protection, balancing the security and performance of the application.
Chapter 9 introduces the third generation of hardening techniques, including DEX2C technology, which converts Java code to C code, virtualization protection for assembly instructions, and compression hardening for SO files. In actual hardening practice a combination of several hardening technologies is used, even a mix of all three generations, to increase the complexity of cracking the application.
Chapter 10 introduces the compilation and use of OLLVM, and analyzes the obfuscation process and principles together with the pass source code of its three types of instruction obfuscation, which readers can understand by combining the ARM material of Chapter 2 with the LLVM material of Chapter 6.
Chapter 11 introduces two VMP technologies at different levels: DEX VMP borrows the instruction parsing mechanism of the Android virtual machine, while ARM VMP requires developers to have a solid foundation in assembly language.
Chapter 12 introduces several reverse engineering methods for iOS applications, essentially covering the whole process of iOS application analysis. After obtaining the iOS application package, the reverse engineer obtains the application's controller information with the cycript tool, uses a shell-smashing tool to strip the application's hardening, extracts the header files with class-dump, and finally uses the function definitions in the header files to write a hook program for dynamic debugging of the application.
Chapter 13 describes how Frida is used to capture packets; this can be scripted to automate packet capture. For example, MobSF's dynamic analysis function uses Frida-based packet capture as part of its dynamic analysis process.
Case Studies
The Case Studies part comprises Chapters 14 and 15, which use real-world mobile malware cases and apply the offensive and defensive techniques and tactics of the previous chapters to analyze real confrontations. Chapter 14 analyzes three common types of Android malware found in the real world: remote-control malicious apps, screen-locking and extortion malicious apps, and mobile SMS worm malicious apps, so that readers can truly feel the techniques and tactics of real-world confrontation.
Chapter 15 analyzes three different APT cases, from which readers should see that APT groups often encapsulate the malicious code in a single module while the application body acts only as a loader, in order to bypass app store detection. In addition, APT apps take various measures to ensure that they remain active on the target device.
This book mainly explains the technology of mobile security reverse analysis and attack and defense practice, so readers need a certain foundation in the Java programming language and Android development. Because the book contains two kinds of practical content, "attack" and "defense", it targets different readers in the fields of security attack and defense and of software development.
In the field of "security attack and defense", suitable readers of this book include:
Students majoring in information security in colleges and universities;
Software Security Researcher;
Software Reverse Engineer;
In the field of "software development", suitable readers of this book include:
Students majoring in information security in colleges and universities;
Students majoring in software engineering in colleges and universities;
Mobile Application Development Engineer;
As a textbook for the new discipline of cyberspace security, this book fully considers the "learning curve" of each technical point in its content planning, so that university students can learn the prerequisite knowledge and the relationships between knowledge points through richer content, and build a global knowledge system that helps them understand technical principles more deeply and thus better digest and retain what they learn.
Using this book as a blueprint for learning mobile security, we offer the following suggestions:
1. Proceed step by step and lay a solid foundation
Mobile security involves a wide range of technologies, mainly divided by operating system into Android and iOS. In the advanced stage of attack and defense, the core techniques involve underlying principles, so readers should follow the order of the Basics and Theory parts and understand each knowledge point step by step; only when the basic and theoretical knowledge is solid can it be brought together in the later Practice and Case Studies parts.
2. Emphasize hands-on practice and learn by doing
The core of offensive and defensive techniques lies in practice. In the Practice part it is not enough to follow the book's content to understand the material; readers must also practice in an experimental environment and consolidate what they have learned through exercises. The tools, samples and other files involved in the Practice part are provided in the book's accompanying resources, and readers can run them locally for practice.
3. Analyze cases and draw inferences
The Case Studies part of this book analyzes different types of cases from mobile security confrontations in depth, helping readers integrate theory and practice in case analysis, draw inferences from each case, and accumulate experience in real confrontations as quickly as possible. Sample files for each malicious program covered in the Case Studies part are provided in the accompanying resources, and readers can analyze and practice on their own following the book.
We would like to thank the Ministry of Public Security's National Cyber Police Training Base, the Cyber Security 110 Think Tank, the National Cyberspace Security Talent Training Base, the China Cybercrime Governance Association (in preparation), the China Next Generation Cyber Security Alliance, and the Guangdong Cyber Security Emergency Response Center for their strong support for this book, and thank all the experts in the industry for their professional revision suggestions and praise.
I would like to thank my wife, Ms. Zhuang Xueying, for her consistent support and silent efforts behind the scenes. I am grateful to my father and mother for nurturing me with love and hard work, and for always recognizing what I love.
Finally, I would like to dedicate this book to all the engineers striving in the cause of China's cyberspace security. Let us work together to contribute to building China's cyberspace security!
Ye Shaochen, Shenzhen, China