比利时专利BE1023400B1 A BUILD SYSTEM

专利PDF首页>>比利时专利

专利附录

专利说明

权利要求

类似技术

同族专利

引用文献

法律状态

优先权

专利摘要:
A build system (10) is described for generating an enhanced application (130) including at least one encrypted application component (134) during a build operation. The build system (10) includes a build tool (20) and at least one build tool plugin (40). The build tool plugin (40) includes an encryption module (42) and a decryption module (46).
公开号:BE1023400B1
申请号:E2016/5992
申请日:2016-12-29
公开日:2017-03-08
发明作者:Eric Lafortune；Johan Leys；Heidi Rakels
申请人:Guardsquare Nv；
IPC主号:

专利说明:

A BUILD SYSTEM
Field of the Invention The present invention relates generally to the domain of information security. More specifically, it relates to systems and methods for protecting the resources and assets of software applications against unauthorized access. It is specifically useful in the context of software applications that are distributed for use in mobile devices.
Background of the Invention [02] The growing popularity of mobile applications that are distributed through sales platforms such as Google Play, Apple App Store, etc. that distribute software applications for use on mobile devices including a mobile operating system, such as Android or iOS, is also attracting attention of hackers. Those hackers attempt to gain access to the source code, assets, resources, etc. of the distributed software application in an attempt to distribute unauthorized rebranded variants of the distributed mobile application. Such activities take place in many cases by using free tools and can usually be performed within a few hours or less. This allows the hacker to rebrand the software application for unauthorized redistribution, for example by making small changes to the resources. Such operations include, for example, changes to the resources, such as the start icon, logo or other images of the application, the name of the application, references to URLs, etc.
[03] Java software applications offer an efficient framework for the development and deployment of business and server applications or client-side applications. During a build operation in the development phase of the software application, the Java source code is compiled into Java bytecode. In this way, for example, one or more Java class files are compiled, which are files, often with the extension .class, which include Java bytecode and which can be executed on the Java Virtual Machine or JVM. Such a Java class file is produced by a Java compiler based on source files in the Java programming language, which are files, often with a .java extension, including the programming instructions of the source code for Java classes. If a Java source file contains more than one Java class, each Java class is typically compiled into a separate Java class file containing its bytecode. After compilation, the build operation continues by bundling these Java class files into a software package for distribution, along with related metadata and application resources, for example, an image file including an application icon. Inexpensive, widespread applications are available that allow, for example, to inspect these software packages, allow changes to application resources and automatically decompile the Java class files into near-original source code. Hackers can then efficiently apply changes to implement hacks or create fakes for redistribution as an unauthorized or compromised version of the original application, leading, for example, to a security risk and unauthorized copying of the application. Such Java applications are also used in the context of mobile software applications, for example mobile software applications suitable for the Android operating system. In such a context, the Java source code of the mobile application is compiled, for example, into Dalvik bytecode and stored in .dex or Dalvik Executable files and / or .odex or Optimized Dalvik EXecutable files. This Dalvik bytecode can then, for example, be executed by a Dalvik Virtual Machine, or possibly further compiled into native code on the mobile device by the Android Runtime or ART. During the build operation, the application code, in the form of the Dalvik bytecode, for example in the form of one or more .dex files, is packaged together with further application items, for example resources, assets, certificates, a manifest file, etc. in an Android application package or MOT for further distribution. In a similar way as explained above, tools are available to inspect the content of such software packages, to decompile their bytecode and to enable the efficient modification of application items, for example application icons, logos, etc., leading to security risks and unauthorized copying of the application.
[04] To provide compatibility with different configurations, resources of such Android applications, such as images, video files, audio files, and strings of the application's source code, are tracked and grouped independently of the source code by type and configuration. Standard resources are resources that are used regardless of the device configuration, and alternative resources are resources that are designed for use in a specific configuration. It goes without saying that such externalized resources are susceptible to changes by a hacker. Such a hacker can efficiently create an unauthorized rebranded copy of such an application by merely changing or replacing the resources such as the image for the related icon, images with company logos, and other related resources used to display the application on it. mobile device. In addition, the hacker could efficiently change the decompiled source code to, for example, change references to the web server of the original application developer to new references to another web server managed by the hacker.
[05] ProGuard, available at http://proguard.sourceforge.net/, is a known software application for use during a build operation that obscures the Java source code by, for example, renaming classes, fields and methods using short, meaningless names. An alternative, known software application for use during the build operation is DexGuard, available at http://www.guardsquare.com/dexguard. DexGuard focuses on the security of mobile software applications, with additional functions such as resource obscuring, string encryption, class encryption and splitting executable application files. DexGuard focuses primarily on Android applications and creates Dalvik bytecode directly during the build operation on Android, compiling Android programs into .dex or Dalvik Executable files which in turn are packaged in a single software package or .apk- file. Such source code or resource obfuscation makes it more difficult for a hacker to analyze the software code or efficiently identify standard resources, such as the application icon image. Such known Java obfuscators use, during the build operation, the renaming of classes, fields, method, etc. to make reverse engineering of the decompiled source code more difficult.
[06] In addition, more sophisticated applications such as DexGuard also provide for the renaming of application resource identifiers, such as the file name of the application resource, and associated obsessed references in the associated source code. This makes it more difficult to efficiently rebrand such a software application by interacting with the application resources. To make it even more difficult for hackers to disrupt the source code of the application and / or application resources, encryption can be used. However, such encryption often relies on a standard encryption algorithm provided by applications such as DexGuard during the build operation and requires the use and distribution of standard security keys along with the packaged application to allow subsequent decryption when the software package is run on the mobile device. This creates the risk that hackers can scan for detectable encryption signatures and / or security keys with which they can develop an application dedicated to decryption to decrypt all software applications that were obfuscated and encrypted with a specific obfuscation tool such as DexGuard.
[07] Therefore, there is still a need for an improved build system that can be more resistant to hacking application items including application code and / or further application items, e.g., resources comprising data representative of text, images. , audio, etc. from a distributed software package.
It is therefore an object of the present invention to describe a system and method that overcomes the above identified shortcomings from the prior art. More specifically, it is an objective to describe a system and method that, in an efficient, simple and flexible manner, improves the resistance to unauthorized access to and modification of a distributed software package, especially with regard to application code and resources of mobile applications.
Summary [09] According to a first aspect of the invention, a build system is provided to generate an improved application, comprising at least one encrypted application component during a build operation, said build system comprising: - a build tool that is configured for receiving an application comprising application code and at least one application component; and - at least one build-tool plugin, coupled to said build-tool during a build operation, the build-tool plugin comprising an encryption module and an associated decryption module, - the build-tool that is configured to run a generate improved application comprising at least one at least partially encrypted application component and improved application code: - the at least one at least partially encrypted application component being generated by the encryption module based on the at least one application component, and - the improved application code being generated by the build-tool based on the application code by respectively adding the associated decryption module as an associated added decryption module so that, during execution, when accessed by the improved application code, the associated at least partially encrypted application component is automatically decrypted by the associated added decryption module.
[10] In this way, the build-tool plugin provides additional flexibility by providing modules dedicated to encryption and decryption that implement algorithms dedicated to encryption and decryption. This provides the flexibility to deviate from built-in algorithms of standard build tools to reduce the chance that a standard tool for decrypting the improved application code is available to a hacker. In addition, by only adding the decryption module to the improved application code of the improved application for further distribution, there is no easy reference or pointer to the used encryption algorithm of the encryption module available to a hacker. In this way the resistance is increased against unauthorized access to and modification of the improved application, for example when distributed as a software package.
[11] According to an embodiment, a build system is provided, characterized in that the at least one application component comprises one or more of the following: - data; - a reference to data; - software code, which, during execution, is accessed by the improved application code.
[12] In this way, security-sensitive application components, such as security-sensitive data files, configuration files including references to security-sensitive data, security-sensitive software code, etc., can be encrypted without the need to disclose the encryption module used encryption algorithm and without the need for a reference to the used encryption module. add encryption algorithm to the at least partially encrypted application component to enable decryption. The added decryption module that is added to the improved application code during the build operation is sufficient to enable decryption during the execution of the application. It is clear on the basis of the advantageous embodiments mentioned below that the decryption module is preferably added to the improved application code in an obfuscated manner. This means that the risk of detectable patterns in the improved application code is also reduced in a way that could cause a hacker to detect a decryption module.
[13] According to a further embodiment, a build system is provided, characterized in that the at least one application component comprises one or more of the following: - data comprising or being representative of one or more of the following: - text data, string data , image data, audio data, video data, animation data, layout data, style data, color data, menu data, configuration data, metadata, tokens; - an application resource; - an application asset; - a reference to data comprising one or more of the following: - an identifier; - a name; - a numeric identifier; - an application resource identifier; - an application asset identifier; - software code comprising one or more of the following: - a part of the application code; - further application code, separate from the application code; - further application code in a programming language that differs from the application code; - native code; - bytecode; - source code.
[14] In this way, the options for a hacker are restricted to rebrand a distributed application or to efficiently change, for example, security critical components of the distributed application. These application components are, for example, data files such as application resources, etc. The application components may alternatively also comprise critical components of data files, for example, the header of an image file comprising the coding protocol used, etc. According to still further alternative embodiments, the application components may include references to sensitive data, for example names or identifiers of files, resources, variables, etc. contained in configuration files or application code, etc. According to still further alternatives, the application component may be, for example, a security-sensitive software library, a dedicated driver provided with native code, etc. Each of these application components can advantageously be encrypted or partially encrypted without the need to reveal the encryption module during distribution of the enhanced application, since decryption can be guaranteed the decryption module that has been added to the improved application.
According to a further embodiment, a build system is provided, characterized in that the build tool is configured to: - receive the application as an input software package comprising the application code and the at least one application component; and - generating the improved application as an output software package comprising the improved application code and the at least one at least partially encrypted application component.
[16] In this way, the build tool can easily be integrated into or in the operational chain of existing automated build tools that receive and generate software packages comprising various application components, such as application code, application resources, etc.
[17] According to a further embodiment, a build system is provided, characterized in that the improved application does not comprise an encryption module and / or a reference to the encryption module.
[18] In this way, hackers are made even more difficult to detect a pointer to the encryption algorithms used by the encryption module during the build operation.
[19] According to a further embodiment, a build system is provided, characterized in that the build tool is configured to generate the added decryption module as one or more of the following: - a copy of the decryption module; - a converted version of the decryption module; - a compiled version of the decryption module; - an obsessed version of the decryption module.
[20] It is thus clear that the build tool according to a particularly simple embodiment, for example where both the decryption module and the application code are provided with bytecode, can generate the improved application code simply by copying the bytecode from the decryption module on the correct add location to the application code bytecode. It is further also clear that the decryption module and the application code can for instance be provided with different types of source code, for example each comprising source code in a different programming language, the decryption module comprising native code and the application program comprising bytecode, the decryption module and the application program being a different type of bytecode, etc. In that case, the build system will generate the added decryption module by providing a suitably converted version of the decryption module, which allows an efficient addition to the application code to generate the improved application code. It is further also clear that, for example, if the decryption module is provided with source code, the build tool could add a compiled version to the improved application code, for example a version of the decryption module compiled to bytecode. This improved application code can in such a case also be, for example, a compiled version to bytecode of the source code of the application code. It is clear that in such a case the source code of the application code and the decryption module do not necessarily have to be written in the same programming language. It is clear that, instead of merely adding an exact copy of the decryption module in its entirety to the application code, an obfuscated version of the decryption module is added, for example by changing variable names, etc. of the decryption module, by distribute different parts of the decryption module over different locations in the improved application code and / or by any other available suitable obfuscation technique that reduces the detectability of patterns with respect to the decryption module.
[21] According to a further embodiment, a build system is provided, characterized in that the build tool is further configured to, during the build operation, add the decryption module to the improved application as an added decryption module comprising two or more separate decryption module components at different locations in the improved application code.
[22] This advantageous and simple obfuscation technique, applied to the decryption module, further reduces the risk of detectable patterns in the decryption modules in the distributed improved application and thus increases the resistance to hackers.
[23] According to a further embodiment, a build system is provided, characterized in that the build system comprises two or more build tool plugins, the build tool being configured to use at different times during the build operation another build-tool plugin.
[24] The use of multiple build-tool plugins and an associated multiple of encryption and associated decryption modules further increases the specific variety of the type of encryption used, thereby further reducing the chance that a hacker will be able to decrypt the improved application. using standard tools. In addition, this is accomplished in a flexible and efficient manner by the build tool during the build operation by adding the corresponding multiple number of decryption modules to the improved application code, without providing any hacker with any specific encryption algorithm during the build operation was used. Moreover, this approach allows such a variation in the use of encryption to be used during the build operation without having to follow which specific encryption module was used in the improved application and when. During the execution of the improved application, the associated decryption modules that were added by the build tool during the build operation at the relevant locations in the improved application code are sufficient to allow automatic decryption of the encrypted application components when accessed during execution.
[25] According to a further embodiment, a build system is provided, characterized in that the build tool is configured to generate different variations of the added decryption module for a decryption module of a build-tool plugin at different times during the build operation .
[26] In this way, the added decryption module in the improved application is further obscured by the build tool during the build operation without increasing the complexity during execution.
[27] According to a further embodiment, a build system is provided, characterized in that: - the encryption module comprises two or more encryption algorithms and the decryption module comprises two or more associated decryption algorithms, and that - at different times during the build operation, the build system is further configured to: - encrypt application components through various encryption algorithms; and - adding various associated added decryption algorithms to the improved application code generated from the various associated decryption algorithms.
[28] The use of multiple encryption algorithms further increases the specific variety of the type of encryption used and further reduces the chance that a hacker will be able to decrypt using standard tools. In addition, this is accomplished in a flexible and efficient manner by adding the associated multiple number of decryption algorithms to the improved application code, without having to provide a hacker with any indication as to which specific encryption algorithm was used during the build operation. It is clear that this higher level of obfuscation of the added decryption module is achieved by the build system during the build operation, without increasing the complexity of the improved application during execution. Preferably, the build-tool plugin is configured to, at different times during the build operation, use its encryption module to encrypt application components using different encryption algorithms. It is clear that in this way the build tool does not need to know if the build tool plugin includes different encryption algorithms, since the encryption module of the build tool plugin will preferably automatically determine which of the encryption algorithms should be used when the build tool tool provides a sensitive application component during the build operation. The build tool is preferably configured to add the decryption module of the build tool plugin to the improved application code as an added decryption module comprising various associated added decryption algorithms. It is clear that the added decryption module is added to the improved application code in such a way that the added decryption module automatically selects the associated added decryption algorithm when the improved application code approaches an encrypted application component during execution of the improved application.
[29] According to a further embodiment, a build system is provided, characterized in that the build system is further configured to encrypt the application components by means of the different build tool plugins and / or different encryption algorithms, according to one or more of the following: - random; - depending on the data size of the application component; - depending on the data type of the application component; - depending on one or more properties of the application component.
[30] In this way it is made even more difficult for a hacker since, for example, the random use of different algorithms reduces the chance of detectable patterns. Moreover, this is accomplished without any additional complexity for the distributed application since supplying the correlation between the randomly distributed decryption algorithms and the encrypted applications is provided during the build operation and does not lead to excessive complexity during application execution.
[31] Furthermore, performance optimizations can be realized during the build operation and / or during the execution of the improved application code. Application components comprising a data size that is smaller than a predetermined threshold can, for example, be processed by means of safer, but also resource-intensive encryption and / or decryption modules. Application components comprising a data size that is larger than this threshold can then, for example, be processed by means of less secure, but more resource-efficient encryption and / or decryption modules. According to still further embodiments, for example, an application component comprising image data can be processed by means of a different encryption and associated decryption module than an application component comprising text data. Since image data, unlike text data, includes special features such as a high degree of redundancy and a high degree of correlation between data from different pixels, the use of encryption modules optimized for processing such image data can result in efficiency gains during build-up. time and the addition of associated decryption modules to the improved application during the build operation can result in an increased calculation efficiency during the execution of the improved application. According to still further embodiments, in general, the use of different build-tool plugins and / or different encryption algorithms can be a function of one or more properties of the application component, for example security properties, file attributes, version properties, metadata, etc.
[32] According to a further embodiment, a build system is provided characterized in that the build tool plugin further comprises a security key generator configured to generate encryption keys for use by the encryption module during the build operation and associated decryption keys for use by the added decryption module during execution, and wherein the build tool is further configured to generate the improved application during the build operation by adding the decryption keys as added decryption keys, so that during execution, when accessed by the improved application code, the associated at least partially encrypted application component is automatically decrypted by the associated added decryption module using the associated added decryption keys.
[33] The use of security keys in the build-tool plugin further increases the flexibility to provide a dedicated form of encryption that deviates from the standard approach and security keys of ready-to-use build-tools, thus reducing the resistance of the Distributed application items against hackers even further. It is clear that in addition to the increased diversity in security keys used, which contributes to a higher resistance to falsification of the improved application when distributed, the resistance can be further increased by, for example, further layers of encryption or obfuscation of the added decryption keys in the improved application code by the build tool during the build operation.
[34] According to a further embodiment, a build system is provided, characterized in that the key generator is further configured to automatically generate different encryption and associated decryption keys during the build operation: - random; - depending on the data size of the application component; - depending on the data type of the application component; - depending on one or more properties of the application component; - for each application component; - for each predetermined group of application components; and / or - for each encryption module and associated decryption module, the build tool being configured to generate the enhanced application such that, during execution, the various added decryption keys are accessed by the associated added decryption module when the associated at least partially encrypted application component becomes automatic decrypted.
[35] In this way, the repeated use of identical security keys in the improved application code is minimized and the chance of detectable patterns for a hacker is further reduced. Still further security and performance optimizations can be obtained by choosing a security type that is well suited to efficiently collaborate with an optimal type of encryption module and / or associated decryption module for a specific type of data. Moreover, for example for application components with a data size that is smaller than a predetermined threshold, a larger encryption and associated decryption key can be chosen than for application components with a data size that is larger than the threshold. This ensures, for example, a high security level for relatively small text strings comprising less than 10 kB of data, while the calculation efficiency is guaranteed when encrypting and decrypting, for example, larger image or video files comprising different MBs or GBs of data. According to still further embodiments, the use of different security keys can be a function of one or more other properties of the application component, for example security properties, file attributes, version properties, metadata, etc.
[36] According to a further embodiment, a build system is provided, characterized in that the build tool is further configured to add the decryption key to the improved application as an added decryption key comprising two or more separate decryption key components during abdominal surgery at different locations in the improved application.
[37] In this way, the chance of detectable patterns for a hacker looking for pointers for the added decryption keys in the improved application code is further reduced. By adding the decryption key components and the decryption module during the build operation by means of the build tool in such a way that during a subsequent execution of the improved application, when an encrypted application component is accessed, the associated decryption module is triggered to use making the associated decryption key parts, this level of variation and obfuscation at the level of the security keys can be realized during the build operation without the need to subsequently monitor the different key parts and associated used encryption modules.
[38] According to a further embodiment, a build system is provided, characterized in that the build tool is further configured to, during the build operation, add the decryption key to the improved application as an added decryption key that is at least partially is interwoven with another added decryption key and / or an added at least partially secure application component.
[39] In this way the chance of detectable patterns for a hacker looking for pointers for the decryption keys added to the improved application code is further reduced.
According to a further embodiment, a build system is provided, characterized in that the build system is further configured to receive an application of which: the application code comprises at least one of the application components; and / or - the application comprises at least one application component on top of the application code.
It is clear that this means that such an application component can for instance be a sensitive part of the application code, for example a part of a file comprising application code. The application component may, for example, comprise a sensitive variable and / or its associated value, a reference in the application code to a sensitive application resource, such as a name, file name or any other suitable identifier of a configuration file or an application resource including an image for the application icon or logo, etc. It is also clear that the application code can be provided as a set of files, for example files comprising a main part of the application code as source code and other files, for example including dedicated drivers provided with native code or application modules that are provided with bytecode. In such a case, the application component can be, for example, a sensitive file from this collection of files, for example a file comprising a sensitive part of the application code or comprising native driver code from which independent distribution must be avoided, etc.
[42] It is clear that, alternatively, the application component may be a part of the application that differs from the application code itself. The application component may be, for example, a sensitive software library, a data file comprising image data for the logo or icon of the application, a configuration file including configuration information, a security sensitive file including security keys, tokens, etc.
[43] According to a further embodiment, a build system is provided, characterized in that the build system is further configured to generate an improved application of which: the improved application code comprises at least one of the at least partially encrypted application components.
[44] It is clear that in this way, for example, the improved application code can comprise an encrypted application component, for example an encrypted name, identifier, text string, a sensitive definition of a variable, method or class, etc.
[45] According to a further embodiment, a build system is provided, characterized in that the build system is further configured to generate an improved application of which: - the improved application comprises at least one at least partially encrypted application component in addition to the improved application code .
[46] It is clear that in this way, for example, the at least partially encrypted component can be, for example, an at least partially encrypted software library, configuration file, image file, etc.
[47] According to a further embodiment, a build system is provided, characterized in that the build system is further configured to generate an improved application of which: - the improved application comprises at least one at least partially encrypted application component that is partially contained in the improved application code and partially added to the improved application in addition to the improved application code.
[48] It is clear that for security keys or other sensitive data, for example, a first part can be added to the improved application code, for example together with the associated decryption module, and a second part can be added to another file of the improved application, for example. for example a data file, configuration file, image file, a file comprising a software code other than the application code, etc.
[49] According to a further embodiment, a build system is provided, characterized in that the build system is further configured to generate an improved application of which: - the improved application comprises at least two at least partially encrypted application components intertwined with each other to be.
[50] In this way, encrypted application components are further obfuscated and it becomes even more difficult to subsequently decrypt these parts of the improved application.
According to a further embodiment, a build system is provided, characterized in that the build system is further configured to add the respective associated decryption module in the form of bytecode to the improved application code. The use of bytecode by the build tool to add the decryption module to the improved application bytecode is preferred as this simplifies adding the decryption module in the desired automated way and at the correct location in the code of the improved application . However, it is clear that alternative embodiments are possible, using source code, binary code, native code or any other suitable collection of computer instructions.
[52] According to a second aspect of the invention, a computer-implemented method is provided for operating a build system according to the first aspect of the invention, the method comprising the following steps: - the build tool receives the application comprising application code and the at least one application component; - the build tool generates, during the build operation, an improved application comprising at least one at least partially encrypted application component and improved application code: - wherein the encryption module generates the at least one at least partially encrypted application component based on the at least one application component, and - the build tool generates the improved application code based on the application code by respectively adding the associated decryption module as an associated added decryption module such that, during execution, when accessed by the improved application code, the associated at least partially encrypted application component is automatically decrypted by the corresponding added decryption module.
[53] According to an embodiment, a computer-implemented method is provided, the method comprising the steps of performing the method of iteratively operating the build system so that the application received by the build system to receive a perform subsequent iteration of the method to operate the build system at least includes the improved application generated by the build system during a previous iteration of the method to operate the build system.
[54] In this way, multiple independent security layers can be realized during the build operation, without imposing additional requirements on the distribution and execution of the improved application since the required decryption modules are available in the improved application itself at the time that automated Decryption is needed while running the improved application.
[55] According to a further embodiment, a computer-implemented method is provided, characterized in that the method comprises the following steps: - selecting, as application components for the next iteration, at least one added decryption module and / or one added decryption key of the improved application that was generated during the previous iteration; and - generating at least partially encrypted application components based on these selected application components during the next iteration.
[56] By treating decryption modules and / or decryption keys added to an improved application as sensitive application components during a subsequent iteration, a multi-layered security level is achieved during the build operation, which can be automatically and efficiently solved during execution of the improved application after subsequent distribution without the need for external resources.
According to a third aspect of the invention, a computer program is provided comprising software code adapted to implement the computer-implemented method according to the second aspect of the invention when executed by a computer system.
According to a fourth aspect of the invention, there is provided a computer-readable storage medium comprising computer-executable instructions which, when executed by a computer system, perform the computer-implemented method according to the second aspect of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 is a schematic representation of an embodiment of the build system; Figures 2 to 9 are schematic representations of alternative embodiments of the build system, similar to the embodiment of Figure 1; Figure 10 is a schematic representation of an embodiment of a computer-implemented method of operating a build system of Figure 1 during a build operation; Figure 11 is a schematic representation of an embodiment of a method for performing an improved application generated with the build operation of Figure 10; and [63] Figure 12 is a schematic representation of an embodiment of a computer system for performing the computer-implemented method of Figure 10.
Detailed Description of the Embodiment (s) [64] Figure 1 is a schematic representation of an embodiment of a build system 10. Such a build system 10, being a software tool or a set of software tools, is used during a software development process. Such a software development process involves, for example, core activities such as designing, assembling, testing, debugging, rolling out, maintaining, etc., which results in the creation of further development of software applications or computer programs. Such a build system 10 typically comprises one or more software tools that are used to build a software application during a build operation. During such a build operation, a software application is typically produced in the form of a software package suitable for further distribution. It is clear that the software development phase of which the build operation is part differs in this way from the execution of the software application. When the software application is executed or operated, it means that a suitable computer system executes the instructions of the software application. This typically means that the distributed software application includes machine code instructions or binary code for a central processing unit or CPU of the computer system; or alternatively more portable instructions such as bytecode, for a software interpreter available on the computer system.
[65] During a build operation, a build tool will typically perform or coordinate a multiple number of different operations to provide the required components for a distributable software application, for example, one or more of the following: generate or change source code; compile source code; compile test source code; performing tests; packaging of compiled source code, metadata, libraries and resources, such as text, images, sound, etc. in a software package suitable for distribution, etc. It is clear that in addition to compiling the source code of the application into bytecode or binary code other operations are performed during the build operation. Some of these operations may have to do with modifying at least a portion of the application's source code before a compilation operation and / or some of these operations may include modifying at least a portion of the bytecode or binary code from the application after compiling. Generally, source code, bytecode, binary code, or any other suitable collection of computer instructions from the software application is referred to as application code. It is also clear that in addition to application code, the application may also include, as explained above, other data items, such as application resources or application assets, etc., which include, for example, text data, image data, audio data, video data, animation data, layout data, style data, color data, menu data, configuration data, metadata, etc.
[66] As shown in Figure 1, the build system 10 according to this embodiment comprises a build tool 20. The build system 10 further includes a build tool plugin 40 coupled to the build tool 20. Examples of such build system 10 are Android Studio, Eclipse, Gradle, Ant, Maven, etc. According to the embodiment shown, build tool 20 may be similar to known build tools such as ProGuard, DexGuard, which can be used in build system 10 integrated or can be implemented as a standalone application part of the build operation. The build tool plugin 40 is a software component that provides customizable encryption functionality to an existing build tool 20. However, it is clear that still further alternative embodiments are possible, provided that the build system 10 is generally a build tool 20 and a coupled build tool plugin 40 includes functionality to at least partially encrypt at least one application component 34 of an application 30 received by the build tool 20 during a build operation.
[67] According to the embodiment shown in Figure 1, the build tool 20 receives an application 30. According to this embodiment, the application 30 is received, for example, as an input software package. The embodiment of the application 30 comprises application code 32, an application component 34 and a further application component 36. The application code 32 may comprise, for example, one or more files or any other suitable objects, each comprising at least a part of the application code 32 in the form of source code or byte code. According to a specific embodiment, the application component 34 can be, for example, a file or any other suitable object, comprising data, for example text data, image data, audio data, configuration data, etc., often referred to as an application resource or application asset. According to a specific embodiment, the application component 34 may comprise, for example, image data for a logo used in the user interface of the application during execution. As will be described in more detail below, it is clear that alternative embodiments of such an application component 34 are possible, provided that the application 30 received by the build system 10 generally comprises application code 32 and at least one application component 34. on top of the application code 32, similar to what is shown in Figure 1; and alternatively or in combination, this application 30 includes application code 32 comprising at least one of the application components 34. Generally, as will be described in more detail below, such an application component 34 may be referred to as a sensitive application component 34, meaning that it is an application component 34 of the application 30 that is received by the build system 10 for which it is desired that access to it is preferably restricted after distribution, for example if incorporated into a distributed software package that is generated during the build operation. According to the embodiment shown in Figure 1, the further application component 36 may be, for example, a file or any other suitable object comprising, for example, an application library. According to this embodiment, this further application component 36 differs from the sensitive application component 34 in that it is not a sensitive application component for which access after distribution must be limited. As further shown, according to the embodiment of Figure 1, during a build operation, the build tool 20 generates an improved application 130 comprising an encrypted application component 134, improved application code 132, and a non-encrypted further application component 36. The improved application 130 may, for example, are generated by the build tool 20 as a suitable output software package which, according to this embodiment, comprises the encrypted application component 134, improved application code 132, and a non-encrypted further application component 36.
[68] According to an exemplary embodiment, the application 30 may, for example, be designed as one or more directories comprising the relevant files for the respective application code and application components of the application. According to an alternative embodiment, the application 30 can be provided, for example, as a JAR or Java Archive package file that is typically used to aggregate application code, for example comprising application code 32 in the form of Java class files, with one or more sensitive application components 34, for example files comprising associated metadata and resources such as text, images, etc. or alternatively a specific item or part of the application code and / or files comprising further application code, and optionally further non-sensitive application components 36, for example data, code, or libraries that do not must be encrypted. It is clear that still further alternative embodiments for such an application and / or an associated input software package are possible, for example an Android application package or APK, a zip file or any other suitable archive file comprising one or more files or directories that can be compressed are, a WAR or web application archive, an AAR or a binary distribution package or an Android Library Project, Enterprise Archive or EAR, etc. In a similar way, exemplary embodiments as described above with reference to the application 30 and an associated input software package are also possible for the improved application 130 and an associated output software package. It is clear that the input software package of the application 30 and the output software package of the improved application 130 need not necessarily be implemented as the same type of software package. For example, the input software package of the application 30 received by the build tool 20 may be a JAR file, while the output software package of the improved application 130 generated by the build tool 20 may be an APK file, for example. to be.
[69] As further shown in Figure 1, the build tool plugin 40 comprises an encryption module 42 and a decryption module 46. During a build operation, the build tool plugin 40 is coupled to the build tool 20. During such a build operation the build tool 20 generates an improved application 130. As already mentioned above, according to the illustrated embodiment, this improved application 130 comprises the encrypted application component 134, the improved application code 132 and the further, non-encrypted, non-sensitive application component 36. As described in more detail below, it is clear that alternative embodiments of the improved application 130 are possible, provided that they generally comprise at least one at least partially encrypted application component 134 and improved application code 132. According to the embodiment shown in Figure 1, the encryption module 42 is, for example, a programming module comprising an encryption algorithm and the decryption module 46 is, for example, a programming module comprising an associated decryption algorithm. The encryption algorithm and associated decryption algorithm may, for example, be any suitable encryption algorithm and associated decryption algorithm, such as an AES or Advances Encryption Standard encryption and associated decryption algorithm using a specific security key. However, it is clear that any other suitable encryption and associated decryption algorithm can be selected for use in the encryption module and the decryption module, respectively. The use of the build-tool plugin 40 allows flexibility in the choice of a specific encryption and associated decryption module. For example, even when using a standard build tool 20, an application developer, by using the build tool plugin, is not limited to a specific set of encryption and decryption algorithms provided by this standard build tool 20 are provided. Instead, the build-tool plugin 40, through the encryption module and decryption module, enables the application developer to use a specific selection of encryption and associated decryption algorithms, or even dedicated encryption and associated decryption algorithms. Even when the algorithms provided by the encryption method and decryption module are simpler and more efficient than the standard algorithms typically distributed with such standard build tools 20, a higher level of security for encrypted application components 134 can still be guaranteed.
Since such a more flexible and / or dedicated build-tool plugin 40 comprising such an encryption and decryption module provides an encryption method that allows more variation and is less common than standard encryption methods provided by standard build tools 20, the probability is smaller that a corresponding decryption tool will be available for a hacker.
As shown schematically in Figure 1, according to this embodiment, the encryption module 42 of the build-tool plugin 40 generates the encrypted application component 134. For example, the encrypted application component 134 is generated by executing the encryption module and applying the encryption algorithm to the application component 34 during the build operation. According to the illustrated embodiment, the application component 34 is fully encrypted when the encrypted application component 134 is generated, but according to alternative embodiments, the application component 34 is only partially encrypted to generate a partially encrypted application component 134. Thus, in general, the encryption module 42 generates at least one at least partially encrypted application component based on at least one application component 34 of the application 30.
[71] As further shown, according to the embodiment of Figure 1, the decryption module 46 of the build-tool plugin 40 is added to the application code 32 so as to generate an improved application code 132 during the build operation. This improved application code 132 is generated by the build tool 20 during the build operation. As shown, if during the build operation the improved application code 132 is generated, the build tool 20 adds the decryption module 46 to the improved application code 132 as an associated added decryption module 146. In this way, the improved application code 132 including the added decryption module becomes 146 generated by the build tool 20 for the improved application 130. When this improved application code 132 is executed at times when the improved application code 132 approaches the encrypted application component 134, the added decryption module 146 present in the improved application code 132 will be called to automatically decrypt the encrypted application component 134. Thus, it is clear that in this way the encrypted application component 134 of the improved application 130 can be automatically decrypted at run time of the improved application 130 by means of this added decryption module 146. It is furthermore clear that this automatic decryption at run time of the improved application 130 can occur without requiring knowledge of or a reference to the encryption algorithm used by the encryption module 42 in the improved application code 132 or any of the application components of the improved application 130.
The automatic decryption of the encrypted sensitive application component 134 when it is accessed by the enhanced application code 132 during execution is made possible by the associated added decryption module 146 that was added to the improved application code 132. In this way, the improved application code 132 of the improved application 130 during execution is capable of accessing a decrypted version of the encrypted application component 134, and, for example, is able to access the data according to this embodiment, e.g. display in the user interface of the application at runtime. It is clear that further alternative embodiments are possible, especially as already mentioned above when the encryption module 42 of the build tool plugin generates at least one at least partially encrypted application component to be contained in the improved application by the build tool. In general, the improved application code 132 is generated by the build tool 20 on the basis of the application code by respectively adding the associated decryption module 46 as an associated added decryption module 146. This is done such that during execution of the improved application, when a at least partially encrypted application component 134 is accessed by the improved application code 132, the at least partially encrypted application component 134 is automatically decrypted by the associated added decryption module 146.
[73] As further illustrated, according to the embodiment of Figure 1, the build tool 20 also adds a non-encrypted, non-sensitive further application component 36 to the improved application 130. This non-encrypted, non-sensitive further application component may for example, be a non-encrypted version of the non-sensitive further application component 36 of the application 30 received by the build tool 20. During the build operation, the build tool 20 can leave this non-sensitive, further application component 36 unchanged or alternatively subject these non-sensitive, further application component 36 to one or more operations, for example compilation, testing, etc., provided that the non-sensitive further application component 36 is not subjected to an encryption operation by the build-tool plugin 40 .
Fig. 2 shows an alternative embodiment of the build system 10 similar to the embodiment described with reference to Fig. 1. Similar elements were provided with similar references and function generally as described above with reference to Fig. 1. The main difference, as shown, relates to the operation of the build tool 20 when the decryption module 46 of the build tool plugin 40 is added as an added decryption module 146 to the improved application code 132 of the improved application 130 during the build -operation. As shown in the embodiment of Figure 2, here the added decryption module 146 is added in an obfuscated manner to the improved application code 132 by the build tool 20 during the build operation by means of two separate decryption module parts 147.1 and 147.2 at different locations in the improved application code 132. Especially in such an embodiment, it is preferable that the build system 10 generates an added decryption module 146 in the form of bytecode for addition to the improved application code, which is preferably also arranged in the form of bytecode. This simplifies the insertion of the decryption module 146 into the improved application code 132 during the build operation and also simplifies obfuscation by, for example, splitting the added decryption module 146 into two or more decryption module parts 147.1, 147.2 which must be in different locations in the improved application code 132 be inserted. It is clear that alternative embodiments are possible, wherein instead of bytecode use is made, for example, of source code or binary code for the added decryption module 146 and / or the improved application code 132 in which the added decryption module 146 is inserted. However, automatic insertion of the decryption module at a correct location in the improved application code 132 and / or correctly splitting the added decryption module 146 into two or more decryption module parts 147.1, 147.2 is then often more complex. It is further also clear that alternative embodiments are possible, especially with regard to the number of decryption module parts 147.1, 147.2 in which the added decryption module 146 is split. As long as the added decryption module 146 is generally split into two or more associated decryption module parts 147.1, 147.2 which are added to the improved application code 132 at different locations.
Figure 3 depicts yet a further alternative embodiment similar to the embodiment of the build system 10 of Figure 1. Similar elements were provided with similar references and function generally as described above with reference to Figure 1. The The most important differences are that the embodiment of the build system 10 comprises two build-tool plugins 40.1, 40.2 and that the build-tool 20 receives an application 30 which comprises two sensitive application components 34.1, 34.2. As shown, according to this embodiment, sensitive application component 34.1 is encrypted by means of the encryption module 42.1 of the build tool plugin 40.1 during the build operation. As further shown, the further sensitive application component 34.2 is encrypted during the build operation by means of the different encryption module 42.2 of the different build-tool plugin 40.2. According to the embodiment shown in Figure 3, the different sensitive application components 34.1 and 34.2 are thus encrypted during the build operation by different encryption modules 42.1, 42.2. As further shown, both different respective decryption modules 46.1, 46.2 of the different build tool plugins 40.1, 40.2 are added to the improved application code 132 of the improved application 130 as added decryption modules 146.1, 146.2 during the build operation of the build tool 20 It is clear that, as described above, the added decryption modules 146.1 and 146.2 are respectively added to the improved application code 132 such that, when the improved application code 132 approaches the encrypted sensitive application component 34.1 during execution of the improved application 130, the added decryption module 146.1 inserted in the improved application code 132 is addressed to decrypt the encrypted application component 134.1. It is also clear that, as described above, when the improved application code 132 approaches the different encrypted application component 134.2 during execution of the improved application 130, the different decryption module 146.2 inserted into the improved application code 132 is called to automatically encrypt the application code 134.2 of the improved application 130.
According to this embodiment, for example similar to what is described above, the sensitive application component 34.1 comprises, for example, data, for example, image data. The further sensitive application component 34.2 may, for example, comprise an alternative software code, for example further application code. The further application code of the sensitive application component 34.2 comprises, for example, a specific part of the general application code of application 30 for which a higher security level is desirable. By providing such further application code as such a sensitive application component 34.2 of the application 30, as shown, the build tool 20 will produce encrypted application component 134.2 during the build operation. Similar to what has been described above, both the encrypted component 34.1 and 34.2 will be added to the improved application 130 during the build operation as encrypted application components 134.1 and 134.2 encrypted using the respective encryption modules 42.1 and 42.2. The encrypted application component 134.2 comprising this further application code remains accessible during execution for the improved application code 132 of the improved application 130 by means of the associated added decryption module 146.2 which was added to the improved application code 132 during the build operation in a similar manner as above described.
[77] According to a specific embodiment, the sensitive application component 34.2 may comprise, for example, further application code, which is application code that is separate from the application code 32, for example provided in a separate file in the input software package of the application 30. Alternatively or additionally, the sensitive application component 34.2 may comprise, for example, further application code in a programming language that differs from the application code 32 of the application. According to such an embodiment, the application code 32 of the application 30 can be provided, for example, in Java source code or byte code, while the further application code of the sensitive application component 34 of the application can be provided, for example, in source code in a different programming language such as C, C ++, etc. or a type of bytecode that differs from the bytecode of the application code 32. According to yet a further embodiment, the sensitive application component 34.2 may comprise further application code comprising native code or machine code, comprising a set of programming instructions directly transmitted by the central processing unit or CPU of a computer can be performed, for example for the specific execution of critical parts of the application.
[78] According to alternative embodiments, such as, for example, shown in Figure 4, the encryption module 42 of a build-tool plugin 40 may comprise two or more encryption algorithms 44.1,44.2 instead of or in combination with two or more build-tool plugins 40. the decryption module 46 of this build-tool plugin 40 comprises two or more associated decryption algorithms 48.1, 48.2. Similar to what has been described above, with reference to Figure 3, the build tool 20 receives the application 30 including two sensitive application components 34.1 and 34.2 during the build operation. As shown, the build tool delivers these sensitive application components 34.1 and 34.2 to the encryption module 42 of the build tool plugin 40 during the build operation. The encryption module 42 of the build-tool plugin 40 will automatically encrypt these two different sensitive application components 34.1, 34.2 by means of different encryption algorithms 44.1, 44.2, respectively. In general, this means that the build-tool plugin, at different times during the build operation, is configured by means of its encryption module to encrypt application components using different encryption algorithms. The encryption module 42 of the build tool plugin 40 will automatically determine which of the encryption algorithms 44.1, 44.2 should be used when a sensitive application component 34.1, 34.2 is provided during the build operation. Similar to what has been described above, the build tool 20 also inserts the decryption module 46 of the build tool plugin 40, which includes the respective various associated decryption algorithms 48.1,48.2, into the improved application code 132 as an added decryption module 146 including associated added decryption algorithms 148.1 and 148.2 during the build operation. The build tool 20 thus adds the added decryption module 146 including various associated added decryption algorithms 148.1, 148.2 to the improved application code. During the build operation, the build tool 20 need not be aware of whether the encryption module 42 and the decryption module 46 include different encryption and decryption algorithms, respectively. It is the build tool plugin 40 and its encryption module 42 that automatically determine the encryption algorithm to be used during the build operation. The build tool 20 inserts the added decryption module 146 during the build operation. The added decryption module 146 is added to the improved application code 132 in such a way that the added decryption module 146 automatically selects the associated added decryption algorithm 148.1, 148.2 when the improved application code 132 accesses the encrypted application component 134.1, 134.2 during execution of the improved application 130. This means that the added decryption module 146 in the improved application code 132 is configured in such a way that, while executing the improved application 130, the encrypted application component 134.1 can be accessed by the improved application code 132 through the added decryption algorithm 148.1 of the added decryption module 146 in the improved application code 132, and in such a way that the encrypted application component 134.2 can be accessed by the improved application code 132 through the added decryption algorithm 48.2 of the added inserted decryption module 146 in the improved application code 132.
It is clear that still further alternative embodiments are possible, in particular with regard to the number of encryption algorithms 44 and associated decryption algorithms 48 and the number of sensitive application components 34, provided that, generally, when the build tool 20 is an application 30 comprising two or more sensitive application components 34.1, 34.2, the build system 10 at different times during the build operation receives at least two different sensitive application components 34.1, 34.2 encrypts by means of different encryption algorithms 44.1, 44.2. This in combination with adding, during the build operation, various associated decryption algorithms 48.1, 48.2 to the improved application code 132 as various associated added decryption algorithms 148.1 and 148.2 of an added decryption module 146.
[80] According to still further alternative embodiments, different encryption and decryption algorithms and / or different build tool plugins can be used at different times during the build operation. As long as the build system 10 generally encrypts two or more sensitive application components 34.1, 34.2 by means of different encryption modules 42.1, 42.2 and / or algorithms 44.1, 44.2 and the different associated decryption modules 46.1, 46.2 and / or decryption algorithms 48.1, 48.2 the improved application code 132 as added decryption module 146.1, 146.2 and / or added decryption algorithms 148.1, 148.2. Since the various added decryption modules and / or added decryption algorithms are added to the improved application code 132 by the build tool 20 in such a way that when the improved application code 132 of the improved application 130 executes the encrypted sensitive accessing application items 134, the associated added decryption module 146 and / or the associated added decryption algorithm 148 is called, it is not necessary to track which specific encryption module and / or which specific encryption algorithm was used for which specific sensitive application component 34 during the build operation. According to a preferred embodiment, the build system 10 randomly encrypts the sensitive application components 34.1,34.2 during the build operation by means of the different encryption modules 42.1, 42.2 and / or different algorithms 44.1, 44.2, since this minimizes the risk of detectable patterns in the improved ones application code 132 of the improved application, which could be a pointer for a hacker to gain access to the encrypted application components 134 of the improved application 130. However, it is clear that still further embodiments are possible wherein, for example, the build system 10 during the build operation encrypts the application components 34 of the application by means of different encryption modules 42.1,42.2 from different build tool plugins 40.1, 40.2 and / or different encryption algorithms 44.1, 44.2 depending on the data size or data type of the application component 34. This makes it bi For example, it is possible to use specific encryption modules and / or encryption algorithms that are optimized for dealing with a specific data size or data type. For example, for application components 34 with a data size that is smaller than a predetermined threshold, the encryption module and associated decryption module can be chosen with a more complex security algorithm than for application components with a data size that is larger than the threshold. This ensures, for example, a high security level for relatively small text strings comprising less than 10 kB of data, while the calculation efficiency is guaranteed when encrypting and decrypting, for example, larger image or video files comprising different MBs or GBs of data. This also makes it possible, for example, to use encryption and associated decryption modules optimized for use with a specific data type, for example, an image encryption module and decryption module optimized to process image data, an audio encryption module and decryption module optimized to process audio data, etc.
Still another embodiment of the build system 10 is shown schematically in Figure 5. This embodiment is similar to that of Figure 1 and similar elements have similar references and generally function in a similar manner. According to this embodiment, the build-tool plugin 40 further comprises a security key generator 50. As shown, this security key generator 50 according to this embodiment generates a security key pair 52, 54. The security key generator 50 of the build-tool plugin 40 generates encryption keys 52 for during the build operation use by the encryption module 42. Moreover, during the build operation, the key generator also generates associated decryption keys 54. As shown, during the build operation, the build tool 20 uses the encryption module 42 which uses the encryption key 52 generated by the key generator 50 to encrypt the sensitive application component 34 of the application. Similar to what has been described above, this encrypted application component 34 is added by the build tool to the improved application 130 during the build operation. Moreover, the build tool 20 not only inserts the added decryption module 46 into the improved one during the build operation application code 132, but also adds the decryption key 54 supplied by the key generator 50 to the improved application code 132 as an added decryption key 154. During the build operation, the build tool adds the decryption key 54 to the improved application 130 in such a way that it can be used by the added decryption module 146 during execution of the improved application 130. According to the illustrated embodiment, the added decryption key 154 is inserted into the improved application code 132 of the improved application 130. During the build operation, the build tool adds 20 the added decryption keys 154 in such a way t o to the improved application 130 that when the added decryption keys 154 are accessed by the improved application code 132 during the execution of the improved application, the associated at least partially encrypted application component 134 is automatically decrypted by the associated added decryption module 146 using the associated added decryption keys 154.
[82] According to a further embodiment depicted in Figure 6, similar to that of Figure 5, during build operation, the key generator 50 of the build tool plugin 40 preferably generates different security key pairs 52.1, 54.1 and 52.2, 54.2 automatically. According to this embodiment, for example, a different encryption and associated decryption key is generated for each of the sensitive application components 34.1, 34.2. As shown during the build operation, the build tool adds the different decryption keys 54.1, 54.2 to the improved application 130 as added decryption keys 154.1 and 154.2. According to the illustrated embodiment, the added decryption keys are inserted into the improved application code 132, but according to alternative embodiments, the added decryption keys can be added to any suitable component of the improved application, such as the non-encrypted application component 36. Similar to what is described above, during the build operation, the build tool 20 inserts the different decryption keys 154.1, 154.2 into the enhanced application in such a way that during execution of the improved application 130, when the improved application code 132 requires access to a respective encrypted application component 134.1 or 134.2, this encrypted application component will be automatically decrypted by means of the added decryption module 146 and the respective associated added decryption key 154.1 or 154.2. It is clear that, as an alternative to using different keys for each application component 34, still further alternative embodiments are possible where the use of different added decryption keys in the improved application makes it even more difficult for a hacker to identify detectable patterns. According to such alternative embodiments, the key generator 50 automatically generates randomly different encryption and associated decryption keys at different times during the build operation, depending on the data size of the application component 34, depending on the data type of the application component 34, depending on each predetermined group of application components 34, etc. Since the type of security keys is typically closely associated with the specific encryption module and decryption module, it is also advantageous if different key generators 50 are provided and / or the key generator 50 generates different encryption and decryption keys during the build operation for each encryption module 42 and associated decryption module 46 from different build-tool plugins of the build system 10. Preferably when the system comprises a plurality of build-tool plugins, each build-tool plugin comprises a key generator to collaborate with its encryption module during the build operation and to provide decryption keys to the build tool during the build operation to be inserted into the enhanced application along with the decryption module.
[83] According to a specific advantageous embodiment, as shown in Figure 7, and similar to the embodiment in Figure 5, the build tool 20 adds the decryption key 54 to the improved application 130 as two separate added decryption key parts 155.1 and 155.2. According to this embodiment, as shown, the added decryption key 154 is formed by an added decryption key part 155.1 in the improved application code, while a further added decryption key part 155.2 is inserted in the added non-encrypted application component 136 of the improved application. It is clear that during the build operation the build tool adds the decryption key parts 155.1, 155.2 to the improved application in such a way that during the execution of the improved application the added decryption module 146 and the added decryption key parts 155.1, 155.2 can be automatically decrypted making the encrypted application component 134 when it is accessed by the improved application code 132. It is clear that, according to further embodiments, the added decryption keys 154 in the improved application code 132 can be obscured, for example, by the decryption key 54 on such a way to add to the improved application 130 that the added encryption key 154 is at least partially interwoven with another added decryption key 154. According to still further alternative embodiments, obfuscation can be obtained by, during the build operation, the decryption adding key 54 to the improved application 130 in such a way that the added decryption key 154 is at least partially interwoven with an added at least partially secured application component 134. It is clear that according to still further embodiments alternative or additional obfuscation steps can be applied, such as renaming methods and variables, hashing and mixing software code in such a way that it remains operational, but leads to a higher degree of difficulty for efficient dismantling, etc.
Figure 8 depicts yet a further embodiment similar to the embodiment of the build system of Figure 1. According to this embodiment, the build tool 20 for the decryption module 46 generates a build tool plugin 40 at different times during the build operation different variations of the added decryption module 146. For example, as shown, according to this embodiment, both sensitive application components 34.1 and 34.2 are encrypted by the same encryption module 42. The build tool will add the associated decryption module 46 as two different variations of the added decryption module 146.1 and 146.2, for example, both by means of a different obfuscation method.
[85] In general, there are various ways in which the build tool could generate the added decryption module 146. For example, the build tool can generate the added decryption module 146 as a copy of the decryption module 46, a converted version of the decryption module 46, a compiled version of the decryption module 46, an obsessed version of the decryption module 46, etc. and / or any other. suitable combination thereof.
[86] According to the embodiments of Figures 1 to 8, the application 30 is schematically represented as an application 30 comprising at least one sensitive application component 34 in addition to the application code 32. However, it is clear that, as shown in Figure 9, further alternative embodiments be possible wherein the application 30 comprises application code comprising at least one of the sensitive application components 34. In such embodiments, the sensitive application component 34 may, for example, be a sensitive part of the application code 32. According to some embodiments, the sensitive application component 34 may be, for example, an identifier, a name, a numeric identifier, an application resource identifier, an application asset identifier , etc. which is present in the application code 32 and which is considered a sensitive reference or a reference to sensitive data. It is clear that still further alternative embodiments of an application 30 are possible which comprise at least one sensitive application component 34 contained in the application code 32 and at least one sensitive application component 34 in addition to the application code 32.
[87] It is further also clear that, according to different embodiments, the build system 10 is capable of generating different embodiments of the improved application 130, for example an improved application wherein: the improved application code 132 includes at least one of the at least partially encrypted application components 134 as depicted in Figure 9; the improved application 130 comprises at least one at least partially encrypted application component 134 in addition to the improved application code 132, as shown in Figures 1 to 8. Still further alternative embodiments are possible, for example, embodiments in which the improved application 130 has at least one at least one includes partially encrypted application component 134 that is partially contained in the improved application code 132 and partially added to the improved application 130 in addition to the improved application code 132. In yet further embodiments, the improved application 130 may include at least two at least partially encrypted application components 134 that intertwined.
[88] According to the embodiments shown above, the application code 32 is schematically represented as a single component of the application 30, it is clear that alternative embodiments are possible in which the application code 32 is provided, for example, as a multiple number of different components, for example two class files including Java bytecode or two dex files including Dalvik bytecode. It should be understood that the same also applies to the improved application code 132 of the improved application 130 of the illustrated embodiments. According to alternative embodiments, the build tool 20 may also provide the improved application code 132 as a multiple number of different components of the improved application. It is clear that still further alternative embodiments are possible, provided that in general the build tool 20 receives an application 30 comprising at least one sensitive application component 34 and application code 32 during a build operation.
[89] Although according to the above-described embodiments, the encrypted sensitive application components 34 are schematically depicted as being fully encrypted, it is clear that alternative embodiments are possible, provided that generally the encrypted sensitive application components are encrypted.
[90] It is further also clear that, in general, the improved application 130 does not include an encryption module 42 and / or a reference to the encryption module 42. However, during execution, the improved application 130 is capable of automatically decrypting the encrypted application components by means of the added decryption modules 146.
Fig. 10 shows an embodiment of a computer-implemented method 100 for operating the build system 10 during a build operation as generally described above. Thus, the computer-implemented method is generally performed during a build operation 100. As shown in step 102, the build tool 20 receives the application 30 including the application code and at least one sensitive application component. In step 104, the build tool 20 and the encryption module 42 generate the at least one at least partially encrypted application component 134 based on the at least one sensitive application component 34. In step 106, the build tool 20 generates the associated added decryption modules 146 that must are inserted in the improved application code 132 generated in step 108. As shown in step 110, the build tool 20 thereby generates the improved application 130.
[92] During a subsequent execution 200 of the improved application 130, as shown in Figure 11, for example, during use by an end user on a suitable computer, the following steps are performed. In step 202, the improved application code 132 will be executed until the improved application code 132 requests access to an encrypted application component 134 in step 204. In step 206, access to this encrypted application component 134 is then provided by the associated added decryption module 146 in the improved application code 132 which automatically decrypts the at least partially encrypted application component 134. As shown, the execution of the improved application code 132 can then continue in step 202. It is clear that still further embodiments of the method for operating the build system 10 are possible, for example in line with the different embodiments of the build system 10 as described above and variations or combinations thereof.
It is clear that according to a specific preferred embodiment, the method of operating the build system as described with reference to Figure 10 is performed iteratively during a plurality of iterations. This means, for example, that the application 30 received by the build system 10 to perform a subsequent iteration of this method includes at least in part the improved application 130 generated by the build system 10 during a previous iteration of the method. This can be realized, for example, by delivering the improved application 130 generated by the build tool as an output software package 20, then during at least one further iteration as an input software package comprising an application 30 to the same or a different build tool 20 during the build operation. In this way, multiple independent security layers can be realized during the build operation. According to such an embodiment, during the build operation, for example during a first iteration, the method can generate an improved application 130 comprising an added decryption module 146 and an added decryption key 154, for example as shown in the embodiment of Figure 5. During a subsequent iteration, then continue the method by providing the improved application 130 generated by the build tool 20 according to the embodiment of Figure 5 as an application 30 for the build tool according to the embodiment of Figure 9. During this next iteration, the build tool 20 of the embodiment of Figure 9 select, for example, the added decryption module 146 or the added decryption key 154 of the improved application 130 generated during the previous iteration as a sensitive application component 34 of the application 30 for this next iteration. It is clear that subsequently during this next iteration, the build tool 20 of the embodiment of Figure 9 can generate, for example, at least partially encrypted application components 134 based on these selected application components 34. According to this embodiment, by concatenating or iterating execution of both embodiments of the build tool, ultimately providing an improved application 130 in which, for example, the added decryption key of a first iteration was further encrypted during a second iteration. By treating decryption modules and / or decryption keys added to an improved application as sensitive application components 34 during a subsequent iteration, a multi-level security level is achieved during the build operation. It is clear that this can be achieved without increasing the complexity of the build operation. It is also clear that, even when a multi-level encryption method is applied, decryption can be applied automatically and efficiently by the improved application itself during the execution of the improved application after subsequent distribution and without the need for any external resources.
Figure 12 shows a suitable computer system 300, 400 for hosting the build system 10 or any of its components such as the build tool 20, the build tool plugin 40, etc. as described with reference to the embodiments mentioned above. Computer system 300 can generally be configured as a suitable general-purpose computer and a bus 310, a processor 302, a local memory 304, one or more optional input interfaces 314, one or more optional output interfaces 316, a communication interface 312, a storage element interface 306 and one or more storage elements 308. Bus 310 can comprise one or more conductors that allow communication between the components of the computer system. Processor 302 can include any type of conventional processor or microprocessor that interprets and executes programming instructions. Local memory 304 may include a Random Access Memory (RAM) or any other type of dynamic storage device that stores information and instructions to be executed by processor 302 and / or a Read Only Memory (ROM) or any other type of static storage device that has static stores information and instructions for use by processor 302. Input interface 314 may include one or more conventional mechanisms that allow an operator to enter information into computer system 300, such as a keyboard 320, a mouse 330, a pen, voice recognition and / or or biometric mechanisms, etc. Output interface 316 may include one or more conventional mechanisms that output information to the operator, such as a display 340, a printer, a speaker, etc.
Communication interface 312 may include one or more transceiver-like mechanisms such as two 1 Gb Ethernet interfaces that enable computer system 300 to communicate with other devices and / or systems, for example, mechanisms to communicate with one or more other computer systems 400. The communication interface 312 of computer system 300 may be connected to such other computer system 400 by means of a LAN (local area network) or WAN (wide area network), such as the internet. Storage element interface 306 can include a storage interface such as a Serial Advanced Technology Attachment (SATA) interface or a Small Computer System Interface (SCSI) to connect bus 310 to one or more storage elements 308, such as one or more local disks, for example 1TB SATA disk drives and control reading and writing of data to and / or from these storage elements 308. Although the storage elements 308 are described above as a local disk, any other computer-readable media can generally also be used, such as a removable magnetic disk, optical storage media such as a CD or DVD-ROM, SSDs, flash memory cards, etc.
The build system 10 according to the above-mentioned embodiments can be implemented by means of a suitable build automation tool that is executed on a computer system 300 that is locally available to a developer, such as a personal computer, laptop, etc. or on a remotely accessible computer system such as one or more servers available to a multiple number of application developers. Alternatively, the build system 10 may also include build automation servers, for example, including web-based build tools that run build automation tools on a planned or triggered basis, for example, as a continuous integration server. It is clear that the components such as the build tool 20, the build tool plugin 40, the encryption module 42, the decryption module 46, etc. and their associated computer-implemented method can be implemented as programming instructions stored in the local memory 304 of the computer system 300 to be executed by its processor 302. Alternatively, these components may be stored on the storage element 308 or be accessible from another computer system 400 via the communication interface 312. In general, the build system 10 and the associated computer-implemented method is provided in this way as a computer program comprising software code adapted to implement this computer-implemented method when executed by a computer system. Alternatively, the build system 10 and the associated computer-implemented method can also be provided as a computer-readable storage medium comprising computer-executable instructions which, if implemented by a computer system, perform the computer-implemented method.
Although the present invention has been illustrated with reference to specific embodiments, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be practiced with various modifications and modifications without leaving the scope of the invention. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being described by the appended claims and not by the foregoing description, and all modifications falling within the scope of the claims are therefore here included.
[97] In addition, the reader of this patent application will understand that the words "comprising" or "include" do not exclude other elements or steps, that the word "a" does not exclude a plural, and that a single element, such as a computer system, a processor or another integrated unit can perform the functions of different tools mentioned in the claims. Any references in the claims should not be construed as limiting the claims in question. The terms "first", "second", "third", "a", "b", "c" and the like, when used in the description or in the claims, are used to distinguish between similar elements or steps and do not necessarily describe a sequential or chronological order. Similarly, the terms "top", "bottom", "over", "under" and the like are used for the purposes of the description and do not necessarily refer to relative positions. It is to be understood that those terms are interchangeable under proper conditions and that embodiments of the invention are capable of functioning in accordance with the present invention in sequences or orientations other than described or illustrated above.

权利要求:
Claims (17)
[1]
CONCLUSIONS
A build system (10) for generating an improved application (130) comprising at least one encrypted application component (134) during a build operation, said build system (10) comprising: - a build tool (20) ) configured to receive an application (30) comprising application code (32) and at least one application component (34); and - at least one build tool plugin (40) coupled to said build tool (20) during a build operation, the build tool plugin (40) comprising an encryption module (42) and an associated decryption module (46), - the build tool (20) being configured to generate an improved application (130) during the build operation comprising at least one at least partially encrypted application component (134) and improved application code (132): - the at least one at least one partially encrypted application component (134) being generated by the encryption module (42) based on the at least one application component (34), and - the improved application code (132) being generated by the build tool (20) based on the application code ( 32) by respectively adding the associated decryption module (46) as an associated added decryption module (146) such that, during execution, when accessed by the improved application code (132), the b associated at least partially encrypted application component (134) is automatically decrypted by the associated added decryption module (146).
[2]
A build system according to claim 1, characterized in that the at least one application component (34) comprises one or more of the following: - data; - a reference to data; - software code, which, during execution, is accessed by the improved application code (132).
[3]
A build system according to claim 1 or 2, characterized in that the at least one application component (34) comprises one or more of the following: - data comprising or being representative of one or more of the following: - text data, string data, image data, audio data, video data, animation data, layout data, style data, color data, menu data, configuration data, metadata, tokens; - an application resource; - an application asset; - a reference to data comprising one or more of the following: - an identifier; - a name; - a numeric identifier; - an application resource identifier; - an application asset identifier; - software code comprising one or more of the following: - a part of the application code (32) - further application code, separate from the application code (32); - further application code in a programming language that differs from the application code (32); - native code; - bytecode; - source code.
[4]
A build system according to any one of the preceding claims, characterized in that the build tool (20) is configured to: - receive the application (30) as an input software package comprising the application code (32) and the ten at least one application component (34); and - generating the improved application (130) as an output software package comprising the improved application code (132) and the at least one at least partially encrypted application component (134).
[5]
A build system according to any one of the preceding claims, characterized in that the improved application (130) does not include an encryption module (42) and / or a reference to the encryption module (42).
[6]
A build system according to any one of the preceding claims, characterized in that the build tool (20) is configured to generate the added decryption module (146) as one or more of the following: - a copy of the decryption module ( 46); - a converted version of the decryption module (46); - a compiled version of the decryption module (46); - an obsessed version of the decryption module (46).
[7]
A build system according to any one of the preceding claims, characterized in that the build tool (20) is further configured to add the decryption module (46) to the improved application (130) during the abdominal operation additional decryption module (146) comprising two or more separate decryption module components (147.1, 147.2) at different locations in the improved application code (132).
[8]
A build system according to any one of the preceding claims, characterized in that: - the build system (10) comprises two or more build tool plugins (40), the build tool (20) being configured to using a different build-tool plugin (40) at different times during the build operation; and / or that - the build tool (20) is configured to generate different variations of the added decryption module (146) for a decryption module (46) of a build-tool plugin (40) at different times during the build operation.
[9]
A build system according to any one of the preceding claims, characterized in that: - the encryption module (42) comprises two or more encryption algorithms (44) and the decryption module (46) comprises two or more associated decryption algorithms (48), and that - the build system (10) is further configured at different times during the build operation to: - encrypt application components (34) by means of different encryption algorithms (44.1,44.2); and - adding various associated added decryption algorithms (148.1, 148.2) to the improved application code (132) generated from the various associated decryption algorithms (48.1,48.2).
[10]
A build system according to claim 8 or 9, characterized in that the build system (10) is further configured to encrypt the application components (34) by means of the different build tool plugins (40) and / or different encryption algorithms (44.1, 44.2) according to one or more of the following: - random; - depending on the data size of the application component (34); - depending on the data type of the application component (34); - depending on one or more properties of the application component (34).
[11]
A build system according to any one of the preceding claims, characterized in that the build tool plugin (40) further comprises a security key generator (50) configured to generate encryption keys (52) for use by the encryption module (42) during the build operation and associated decryption keys (54) for use by the added decryption module (146) during execution, and wherein the build tool (20) is further configured to generate the improved application (130) during the build operation by adding the decryption keys (54) as added decryption keys (154) so that during execution, when accessed by the enhanced application code (132), the associated at least partially encrypted application component (134) is automatically decrypted by the associated added decryption module ( 146) using the associated added decryption keys (154).
[12]
A build system according to claim 11, characterized in that the key generator (50) is further configured to automatically generate various encryption and associated decryption keys (52, 54) during the build operation: random; - depending on the data size of the application component (34); - depending on the data type of the application component (34); - depending on one or more properties of the application component (34); - for each application component (34); - for each predetermined group of application components (34); and / or - for each encryption module (42) and associated decryption module (46), the build tool (20) being configured to generate the improved application (130) such that, during execution, the various added decryption keys (154) are accessed by the associated added decryption module (146) when the associated at least partially encrypted application component (134) is automatically decrypted.
[13]
A build system according to claim 11 or 12, characterized in that the build tool (20) is further configured to add the decryption key (54) to the improved application (130) during the build operation: an added decryption key (154) comprising two or more decryption key components (155.1, 155.2) at different locations in the improved application (130); and / or - as an added decryption key (154) that is at least partially intertwined with another added decryption key (154) and / or an added at least partially secure application component (134).
[14]
A build system according to any one of the preceding claims, characterized in that the build system is further configured to receive an application (30) of which: - the application code (32) comprises at least one of the application components (34) ; and / or - the application (30) comprises at least one application component (34) on top of the application code (32), and / or that the build system is further configured to generate an improved application (130) of which: - the improved application code (132) comprises at least one of the at least partially encrypted application components (134); - the improved application (130) comprises at least one at least partially encrypted application component (134) in addition to the improved application code (132); - the improved application (130) comprises at least one at least partially encrypted application component (134) that is partially contained in the improved application code (132) and partially added to the improved application (130) in addition to the improved application code (132); and / or - the improved application (130) comprises at least two at least partially encrypted application components (134) intertwined.
[15]
A computer-implemented method for operating a build system (10) according to any one of the preceding claims, wherein the method comprises the following steps: - the build tool (20) receives the application (30) comprising application code (32) and the at least one application component (34); - the build tool (20) generates an improved application (130) comprising at least one at least partially encrypted application component (134) and improved application code (132) during the build operation: - wherein the encryption module (42) comprises the at least one generates at least partially encrypted application component (134) based on the at least one application component (34), and - wherein the build tool (20) generates the improved application code (132) based on the application code (32) by the associated add decryption module (46) as an associated added decryption module (146) so that, during execution, when accessed by the enhanced application code (132), the associated at least partially encrypted application component (134) is automatically decrypted by the associated added decryption module ( 146).
[16]
A computer-implemented method according to claim 15, the method comprising the steps of performing the method to operate the build system iteratively, so that the application (30) received by the build system for a subsequent iteration to perform the method of operating the build system comprises at least the improved application (130) generated by the build system during a previous iteration of the method of operating the build system.
[17]
A computer-implemented method according to claim 16, characterized in that the method comprises the following steps: - selecting, as application components (34) for the next iteration, at least one added decryption module (146) and / or a added decryption key (154) of the improved application (130) generated during the previous iteration; and generating at least partially encrypted application components (134) based on these selected application components (34) during the next iteration.

类似技术:

公开号 | 公开日 | 专利标题

BE1023400B1|2017-03-08|A BUILD SYSTEM

KR102107872B1|2020-05-07|Compiler based obfuscation

US7730542B2|2010-06-01|Protecting software from unauthorized use by converting source code modules to byte codes

US7447912B2|2008-11-04|Protecting digital goods using oblivious checking

JP5460699B2|2014-04-02|System and method for generating a white-box implementation of a software application

US7054443B1|2006-05-30|System and method for protecting digital goods using random and automatic code obfuscation

US8539459B2|2013-09-17|Code obfuscation and controlling a processor by emulation

US20050066181A1|2005-03-24|Method for watermarking computer programs

WO2015150391A1|2015-10-08|Software protection

US20080288921A1|2008-11-20|Transformations for Software Obfuscation and Individualization

US20110271350A1|2011-11-03| method for protecting software

US8583938B2|2013-11-12|From polymorphic executable to polymorphic operating system

CN106663025A|2017-05-10|Method, apparatus, and computer-readable medium for obfuscating execution of application on virtual machine

CN102982262B|2015-11-25|For the security mechanism of operating system developed

EP1734459A2|2006-12-20|Method for creating unique identification for copies of executable code and management thereof

EP3398103B1|2019-08-21|A build system with plugins for encryption of application components

US11256786B2|2022-02-22|Method to secure a software code

KR101845155B1|2018-04-03|Method and system for providing application package and method and system for executing application

KR20200041524A|2020-04-22|Apparatus and method for packing original source code

JP6752347B1|2020-09-09|Information processing equipment, computer programs and information processing methods

Veseli2011|HIKOS-Highly Secure, Intelligent Software Copy-Protection

Nilsson2007|License protection for high-end software

Na et al.0|RESERACH ON THE REVERSE ANALYSIS METHOD OF MALWARES-THE EXAMPLE OF “LURKER”

同族专利:

公开号 | 公开日

WO2017114931A1|2017-07-06|

US20180373848A1|2018-12-27|

EP3188063A1|2017-07-05|

US10713339B2|2020-07-14|

引用文献:

公开号 | 申请日 | 公开日 | 申请人 | 专利标题

GB2349250A|1998-02-13|2000-10-25|Nat Computer Board|Method for protecting bytecode|

WO2004023313A1|2002-09-04|2004-03-18|Fraunhofer Crcg, Inc.|Protecting mobile code against malicious hosts cross references to related applications|

US9508218B2|2006-11-10|2016-11-29|Bally Gaming, Inc.|Gaming system download network architecture|

US20080320463A1|2007-06-25|2008-12-25|Harold Lee Peterson|System, method and computer-readable medium for enhanced user deletion of software from a computer|

JP5596159B2|2009-10-12|2014-09-24|セーフネットインコーポレイテッド|Software license embedded in shellcode|

EP2467800B1|2009-11-13|2021-06-30|Irdeto B.V.|System and method to protect java bytecode code against static and dynamic attacks within hostile execution environments|

US20140173759A1|2012-12-17|2014-06-19|Microsoft Corporation|Rights-managed code|

US8725645B1|2013-01-04|2014-05-13|Cetrus LLC|Non-invasive metering system for software licenses|US10394554B1|2016-09-09|2019-08-27|Stripe, Inc.|Source code extraction via monitoring processing of obfuscated byte code|

CN108777611B|2018-05-11|2021-06-18|吉林大学|Bidirectional linked list sequential encryption and decryption method based on double-key stream cipher|

CN110780884A|2019-09-05|2020-02-11|腾讯科技（深圳）有限公司|Information processing method, device and equipment|

CN111159658A|2019-12-16|2020-05-15|广州三七互娱科技有限公司|Byte code processing method, system, device, computer equipment and storage medium|

法律状态:
2021-02-03| RC| Pledge established (pawning)|Free format text: DETAILS PLEDGE: RIGHT OF PLEDGE, ETABLI Name of requester: PNC BUSINESS CREDIT Effective date: 20201201 |

优先权:

申请号 | 申请日 | 专利标题

EP15202885.8|2015-12-29|

EP15202885.8A|EP3188063A1|2015-12-29|2015-12-29|A build system|

[返回顶部]