Design and Implementation of Mobile Data Security Service Platform Oriented to Specific Domains


Academic year: 2020


2017 2nd International Conference on Artificial Intelligence and Engineering Applications (AIEA 2017)

ISBN: 978-1-60595-485-1


KUN LIU*, PENG SUN and KAIQI ZHAO

ABSTRACT

For some special secret-related industries, there are always high demands on the security of data transmission. This paper studies and analyzes a mobile data security service platform oriented to specific industries. Taking improved security of platform data as the core, a mobile data security service mode oriented to specific domains is designed. Based on a unified Android app store, a secure, domain-oriented data service platform is then formed, on which data security is guaranteed from the aspects of authentication, data security, network transmission security, task push security, APK file packing and local security of the client. In this way, it improves the security and convenience of app use.

KEYWORDS

Android; Specific Domain; Mobile Data Security; APK Packing

INTRODUCTION

In some specific industries, security issues with Android apps are increasingly common. Apps are easy to attack, and the core asset that needs protection is the data. For those industries, the data may include sensitive information, and poor handling that is exploited by an attacker may have serious consequences. The threats include reverse engineering, component exposure, Activity hijacking, keylogging, and session hijacking during data transmission, all of which put the user's software data and personal privacy at great risk.

At present, research on mobile data security can be roughly divided into four directions: first, vulnerability exploitation of mobile apps; second, reverse engineering and packing of mobile apps; third, vulnerability exploitation and packing of the platform; and last, scanning for and removing viruses and trojans. Viruses on the Android platform currently mainly target mobile payment and privacy-related apps. Mature software exists at home and abroad to address this problem.

_________________________________________

Kun Liu, [email protected], School of Information Science and Engineering, University of Jinan, Jinan 250022, PR China


Existing security products mainly focus on the application layer and application framework, and only limited research has been performed on the Linux kernel layer. These products are also oriented to the general public. Against this background, this paper proposes a mobile data security service mode oriented to specific domains and based on the Android platform. It targets users with high security demands and provides personnel in specific industries with a secure platform for unified management of self-developed apps. The concrete form of this service mode is a secure Android app store. Personnel from different special industries can run specific and diverse security services on the platform, based on its application management layer.

DESIGN OF MOBILE SECURITY APPLICATION SERVICE PLATFORM

Due to the openness of mobile terminals, especially the Android platform, apps and app data are easy to attack, which can cause incalculable loss and trouble to industries with high security demands. The platform design therefore takes app security as its core. In addition to the business functions, it includes complete permission and organizational management, so that the platform is secure and efficient and meets the requirements of personnel in those industries as far as possible.

Design of System Framework


The client layer corresponds to the smartphone and the browser. Common users log in to the platform client on their smartphones and use the apps in the client. All personnel can log in to the platform through the browser and perform operations according to their own permissions. The application layer corresponds to the server of the mobile security application service platform. The administrator and controller can log in through the browser to use all platform functions. The other important role of the platform is to provide the client with access interfaces and return data to it. The data access layer and data storage layer mainly provide the server with data support. The platform therefore adopts a hybrid B/S and C/S architecture. Interaction between the client and the platform takes place over the specific 4G network, which the network operator then connects to the server; this guarantees network security during communication. Users on the Web side log in to the platform with a browser.

Design of System Security

The core of the requirements analysis is a safe and reliable platform. It is therefore critical in the design to guarantee the security of data on the platform and to keep the client from being attacked. The security of the server's network environment is guaranteed by a third party when the platform is deployed. This study mainly focuses on the security of local data on the client, the security of data exchanged with the server, the security of network transmission, the security of devices and the security of apps. All of this rests on a complete system of permissions and organizational management. The overall structure, from the top departments to the bottom-level workers, is specified in this study and managed hierarchically. Accounts and available functions are assigned by the superior.

(1) Security of Data and Network Transmission

This covers the processing of the client's local data and of the data exchanged with the server. The AES algorithm is adopted to encrypt the data, so that when the client's local data files are obtained or the communication data is intercepted, the plaintext is not revealed. AES is a relatively mature technique, so this study focuses on key handling. We start with the processing performed when a network request is initiated, as shown in Figure 2:

[Figure 2 flowchart. Recoverable box labels: Start, Pull Request, Add Timestamp, Add the Token, Encrypt the Data, Send Data, Receive the Request, Certification Authority, Decrypt the Data, Process the Data, Response, Disconnect, End. Branch labels: Yes, No.]

As the figure shows, when a request is initiated the key is first merged. The key consists of three parts, extracted respectively from a file, from the unique IMEI identifier of the Android phone, and from KeyStore. Hard-coding the key in the code is not safe. When accounts are assigned, users are required to bind their devices by IMEI, and the IMEI is also stored on the server. KeyStore is the solution proposed by Google, which stores the key in the signature file. Only the app's own UID can access this file, which gives high security. As only asymmetric keys can be stored in KeyStore, such keys are encrypted using the asymmetric ones; the related private key is of course stored on the server. The disadvantage of this solution is that it is not compatible with SDK versions below 18. In addition to the key processing, a timestamp is added to the data, which is then encrypted and inserted in the token. If the server receives a request with the same timestamp from the same token, it judges this to be an attack and disables the token. Meanwhile, even if the requested URL is intercepted, it has been encrypted by the HTTPS communication, and the data involved was also encrypted before the request. The connection between the server and the client is disconnected if any error occurs during authentication.
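The server-side replay rule described above (same token, same timestamp: disable the token) can be sketched as follows. This is an added example, not code from the paper; it assumes the request has already been decrypted into a token and a timestamp, and the names `ReplayGuard` and `FRESHNESS_WINDOW_S`, the 300-second window and the sample tokens are hypothetical. The freshness window is an addition so that the server does not have to remember every timestamp forever.

```python
import time

FRESHNESS_WINDOW_S = 300  # assumption: the paper states no acceptance window


class ReplayGuard:
    """Server-side check, run after the request has been decrypted."""

    def __init__(self, window_s=FRESHNESS_WINDOW_S):
        self.window_s = window_s
        self.seen = {}        # token -> {timestamp: arrival time}
        self.revoked = set()  # tokens disabled after a detected replay

    def check(self, token, timestamp, now=None):
        now = time.time() if now is None else now
        if token in self.revoked:
            return "rejected: token revoked"
        if abs(now - timestamp) > self.window_s:
            return "rejected: stale timestamp"
        stamps = self.seen.setdefault(token, {})
        # Forget timestamps that could no longer pass the freshness test.
        for old in [t for t in stamps if now - t > self.window_s]:
            del stamps[old]
        if timestamp in stamps:
            # Same token and same timestamp: judged an attack, token disabled.
            self.revoked.add(token)
            self.seen.pop(token, None)
            return "rejected: replay, token revoked"
        stamps[timestamp] = now
        return "accepted"


def demo():
    """Constructed sequence: fresh request, its replay, a follow-up, a stale request."""
    guard = ReplayGuard()
    return [
        guard.check("tok-A", 1000.0, now=1001.0),
        guard.check("tok-A", 1000.0, now=1002.0),
        guard.check("tok-A", 1003.0, now=1003.5),
        guard.check("tok-B", 1000.0, now=2000.0),
    ]
```

Client timestamps need enough resolution (for example milliseconds) that two legitimate requests never share one, otherwise the rule disables the token of an honest user.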

(2) App Security

Decompilation and repackaging of apps are extremely dangerous. Obfuscation, signing and packing are used to enhance app security. Before an app is compiled and packaged, the obfuscation rule file must be written, defining the code to be kept. Obfuscation reduces the code size and makes the code harder to read for anyone who decompiles it. Obfuscation is only the basic method. After compilation produces the APK file, a signature must also be added, and at start-up the app checks whether the signature is unchanged. This prevents damage from repackaging to a certain degree. In addition to these two basic steps, apps are also packed in this study to prevent code leakage and make cracking more difficult.

The rough process of packing is that the source APK file is encrypted and then merged with the unpacking (shell) Dex file. A Dex file can be loaded and run in the Dalvik virtual machine. During merging, the source APK is written to the tail of the shell Dex file. The file header must then be updated, mainly three parameters: the file checksum, signature and file size. Finally, the original shell Dex file is replaced by the merged one, and the source APK file is separated out again during unpacking.
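The three header parameters named above sit at fixed offsets in the DEX header: the Adler-32 checksum at offset 8, the SHA-1 signature at offset 12 and `file_size` at offset 32. The following added example, which is not the paper's code, validates them on a constructed stand-in file and also counts bytes lying past the sections the header declares; that trailing-byte heuristic and the names `seal`, `inspect_dex` and `make_sample` are assumptions of this example.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70  # fixed length of the DEX header


def seal(dex: bytearray) -> bytes:
    """Recompute the three header fields the text names: size, signature, checksum."""
    struct.pack_into("<I", dex, 32, len(dex))               # file_size
    dex[12:32] = hashlib.sha1(dex[32:]).digest()            # SHA-1 of bytes 32..end
    struct.pack_into("<I", dex, 8, zlib.adler32(dex[12:]))  # Adler-32 of bytes 12..end
    return bytes(dex)


def inspect_dex(dex: bytes) -> dict:
    """Validate the three fields and count bytes past the sections the header declares."""
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, = struct.unpack_from("<I", dex, 32)
    link_size, link_off = struct.unpack_from("<II", dex, 44)
    data_size, data_off = struct.unpack_from("<II", dex, 104)
    declared_end = max(HEADER_SIZE, data_off + data_size, link_off + link_size)
    return {
        "checksum_ok": checksum == zlib.adler32(dex[12:]),
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
        "size_ok": file_size == len(dex),
        "trailing_bytes": len(dex) - declared_end,
    }


def make_sample() -> bytes:
    """Constructed stand-in for a Dex file: bare header plus a 16-byte data section."""
    dex = bytearray(HEADER_SIZE + 16)
    dex[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", dex, 36, HEADER_SIZE, 0x12345678)  # header_size, endian_tag
    struct.pack_into("<II", dex, 104, 16, HEADER_SIZE)         # data_size, data_off
    return seal(dex)


PLAIN = make_sample()
PAYLOAD = bytes(range(64))            # constructed placeholder for the encrypted APK
APPENDED = PLAIN + PAYLOAD            # tail written, header left stale
RESEALED = seal(bytearray(APPENDED))  # header fields updated as the text describes
```

Once the header is updated, all three checks pass again, so for someone reviewing an APK only the non-zero `trailing_bytes` count reveals that something was appended to the Dex file.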

Unpacking must be performed before the app is initialized. In Application, the attachBaseContext method is executed before onCreate. The Dex file is fetched from the packed APK file, and the above parameters are then used to separate out the source APK file and decrypt it. Once the source Dex file, namely the file to be loaded, has been obtained, it is executed in the program's entry Application. This requires some understanding of dynamic loading, mainly Android's DexClassLoader. We also need to know the life cycle of Application and use Java reflection to create the Application object and correctly configure the application information in ActivityThread.

(3) Permission Management


security application service platform using the assigned account, he first enters interface management and fills in information such as the function name and function call entry to create a new source. In interface management there may be many functions (sources) under one function group, and functions can be deleted or changed. He then enters menu management to create a new menu, filling in its name and display order, and chooses the related functions. The dialog box presented lists the function groups that have been maintained in interface management. Similarly, menus can be deleted and their display order changed. These menus are what future users of the platform will see. Finally, he enters role management to create roles with different permissions, such as common user or administrator. These roles are then assigned their available function modules, namely the menu groups established in menu management. In the end, the persons who use the platform are assigned their roles through the associated-personnel function.

CONCLUSION

This study is oriented to specific industries. With mobile data security services as the background, it discusses the business demands of specific industries and the functions and characteristics of existing mobile security products. Considering the characteristics of the Android platform and aiming at secure, unified management of apps in specific industries, the technical architecture of the mobile data security service platform is designed in detail. An in-depth study is also performed on data and network transmission security, application security and platform authentication, which specifies the hierarchical structure and security approach of the platform design. Finally, the SpringMVC framework is adopted to implement the server of the mobile data security service platform, and the MVP pattern is used to develop the Android client. The platform has been completed and put into use. In operation it basically meets the data security demands of specific industries while maintaining data transmission efficiency.

ACKNOWLEDGMENTS

This work was supported by Shandong Provincial Key R&D Program (2016 ZDJS01A12). Corresponding author: Kun Liu.


Figure 2. Flowchart of Network Request.
