Alipay+

Client Software Security Requirements

This document sets security requirements for QR code scanning client software used on mobile devices, including lifecycle management, functional security, software protection, data security, and communication security.

Lifecycle management

Security requirements analysis

Based on the QR code application scenarios, the security requirements for the client software shall be analyzed to identify security assets, assess security threats and risks, and establish security objectives. These objectives guide client software security modeling, vulnerability identification, and security design improvement.

Client software development

The security requirements for the development process include but are not limited to the following:

  1. The client software development should follow the security development lifecycle.
  2. Secret keys shall not be hard-coded in client software.
  3. If client software is developed in a modular manner, modules shall be invoked in accordance with requirements including but not limited to:
    1. For open APIs provided by the QR code processing module, the security and validity of incoming parameters shall be checked to prevent the APIs from being called maliciously.
    2. The open APIs of the QR code processing module shall follow the principle of least privilege.
    3. Modules that implement important functions or that handle security or user sensitive data shall not expose open APIs.
    4. Sensitive data or security-related data shall not be transmitted or processed through an API that is open or uncontrolled.
    5. Before integrating or calling services from a third-party or open source SDK, security audits and scans shall be performed on the SDK or its source code to prevent security risks introduced by the SDK.
    6. The client software shall perform security detection on resource files or links before opening them.
  4. Software protection measures shall be provided to protect sensitive data and the program logic that processes it, such as security reinforcement methods (e.g., obfuscation, shell protection, and constant encryption) and security component solutions (e.g., white-box cryptography), to prevent attacks such as static analysis, reverse engineering, or debugging.
  5. For client software compilation:
    1. The development tools and compilers shall be downloaded from official sources and upgraded to the officially recommended version.
    2. The compilation environment shall be isolated from the open internet to prevent compiled files from being attacked, replaced, or hijacked, and the device and operating system hosting the compilation environment shall be protected from viruses, Trojans, and other threats.

Client software testing

Security requirements for client software testing include but are not limited to:

  1. Client software shall be strictly and comprehensively tested prior to release, to ensure that it contains no known vulnerabilities.
  2. Vulnerability and malicious code scanning tools should be used to identify potential security vulnerabilities.

Client software release

Security requirements for client software release include:

  1. Code shall be cleaned before client software release or enablement, so that unused code or information cannot cause risks or be exploited by attackers. Such unused code or information includes but is not limited to code comments, code logic and resource files that the services do not need, testing accounts and passwords, and unnecessary logging code or records.
  2. Release channels for client software shall meet the following requirements:
    1. If client software is released through a proprietary official channel, the installation package and its security validation information shall be provided on the official channel, and any other release channels should be indicated in a prominent position on the official website.
    2. If client software is released through other channels such as third-party APP stores, only channels that are properly certified or have established market credibility shall be selected.
    3. Client software should be periodically downloaded from its release channels for verification and detection, to confirm that the installation package has not been modified. If any anomaly is detected, effective measures shall be taken immediately to remove the modified or counterfeit package or to provide risk warnings.

Client software installation

Security requirements for client software installation include:

  1. Client software may be downloaded to or installed on the mobile device only after the user grants permission.
  2. Client software shall be installed in a user-visible manner; an installation screen showing the installation progress is recommended.
  3. A clear risk warning should be provided before installation, and a separate installation directory, application identifier, and version number shall be assigned during installation.

Client software updates

New version development

Security requirements for new version development include:

  1. A reporting and approval process for update control shall be established, the update procedure should be recorded, and all documents and records shall be kept safely.
  2. Strict functional and security testing should be performed before a new version is released.

Version update

Security requirements for client software version update include:

  1. The user should be prompted when a version update is available, and the software shall be updated only after the user grants permission.
  2. If the update fails, the software shall be able to roll back to the version installed before the update.

Dynamic module update

Security requirements for dynamic module update include:

  1. An encrypted secure channel should be used to transmit the updated module from the server.
  2. Signature validation should be performed on the updated module package before it is loaded.

Functional security

QR code scanning security

When client software scans and parses a merchant-presented QR code, it shall have security measures to verify whether the content of the QR code is secure and valid, e.g., identifying whether it contains malicious code or points to a phishing website. For QR codes identified as risky, the client software shall have corresponding risk handling mechanisms, e.g., prompting the user about the risk or preventing malicious code from executing.
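As an added example (not code from the Alipay+ document), the following scanner-side check classifies a decoded QR payload before the client acts on it and maps the result to a handling action. The trusted host list, scheme rules, and risk levels are assumptions for illustration; a real client applies its own policy.

```python
import re
from urllib.parse import urlsplit

# Assumed policy (constructed sample values): only HTTPS links to these hosts
# or their subdomains are treated as trusted merchant payment links.
TRUSTED_HOSTS = ("pay.example.com", "qr.example.com")
MAX_PAYLOAD_LEN = 512
# Schemes that hand the payload to a script engine or local handler, not a web page.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript", "file", "intent"}
# Script markup or inline event handlers embedded in the payload.
SCRIPT_PATTERN = re.compile(r"<\s*script|on\w+\s*=", re.IGNORECASE)


def _host_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def assess_qr_payload(payload: str) -> tuple:
    """Return (risk, reason): 'block' for malicious content, 'warn' for links
    outside the trusted policy, 'allow' for trusted merchant links."""
    if len(payload) > MAX_PAYLOAD_LEN or any(ord(c) < 0x20 for c in payload):
        return "block", "oversized payload or control characters"
    if SCRIPT_PATTERN.search(payload):
        return "block", "embedded script markup"
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "block", "malformed URL"
    scheme = parts.scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return "block", "dangerous scheme " + scheme
    if scheme != "https":
        return "warn", "not an https link"
    if "@" in parts.netloc:  # userinfo that makes a look-alike host appear trusted
        return "block", "userinfo in authority"
    if not _host_trusted(parts.hostname or ""):
        return "warn", "host not in trusted list"
    return "allow", "trusted merchant link"


def handle_scan(payload: str) -> str:
    """Map the risk level to the client's handling action (assumed policy)."""
    risk, reason = assess_qr_payload(payload)
    actions = {"block": "refuse and notify user",
               "warn": "show risk prompt before opening",
               "allow": "proceed"}
    return actions[risk] + " (" + reason + ")"
```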

Message pushing

Messages pushed by client software shall not contain any user sensitive data, such as authentication information used for login or query.

Software security protection

Environment detection

Security requirements for runtime environment detection include:

  1. Client software shall be able to detect the status of the runtime environment, including whether operating system administrator privileges have been obtained by an unauthorized user (i.e., whether the device has been rooted or jailbroken) and whether the runtime environment is trusted.
  2. Client software shall have handling mechanisms for detected exceptions, such as prompting the user, reporting to the server, shutting down the application, or deleting user authentication credentials.

Self-protection

Security requirements for client software self-protection include:

  1. Client software shall adopt technical means, such as code obfuscation and shell protection, to strengthen its anti-tampering ability and prevent attackers from decompiling, debugging, and modifying the code.
  2. Client software shall be able to perform integrity checks on its code and files at runtime, e.g., by checking the installation package signature. If modification is detected, software operation should be terminated to prevent users from being attacked by malicious applications or by pirated applications implanted with malicious code.
  3. Client software shall have anti-injection mechanisms for its own code, to prevent attackers from injecting code into the client, tracing its execution under a debugger, modifying the code logic, or intercepting sensitive data.

Vulnerability management

Security requirements for client software vulnerability management include:

  1. External code snippets and components with known vulnerabilities shall not be used during client software development.
  2. After client software is released, the developer shall periodically scan it for vulnerabilities, monitor security vulnerabilities disclosed by individuals or organizations such as public vulnerability platforms and white hats, and fix any detected vulnerabilities promptly.

Data security

Data input

Security requirements for data input to the client software include:

  1. For user input data, especially sensitive data such as passwords, ID numbers, and bank card numbers entered into the client software by users:
    1. Effective measures shall be adopted to protect user-entered data from being collected, stolen, or tampered with by third-party applications.
    2. Secure keyboards should be used as the user input interface, either the client software's built-in secure keyboard or a trusted user interface supported by the mobile device.
    3. User-entered sensitive data such as passwords shall not be displayed in plain text in the client software. Sensitive data such as ID numbers and bank card numbers shall be partially concealed when displayed.
  2. The software shall provide a data validity verification function that checks key data received from the user interface or a communication interface against the interface design, including its length, type, and format.
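As an added example (not from the Alipay+ document), the following code applies the two requirements above to the fields the text names: each value is checked for length, type, and format before acceptance, and the display form masks passwords entirely and partially conceals card and ID numbers. The ID number format and the masking widths are assumptions; the Luhn checksum is the standard check digit used on payment card numbers.

```python
import re


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card(number: str) -> bool:
    """Type/format check (13-19 digits, spaces allowed) plus checksum."""
    digits = number.replace(" ", "")
    return bool(re.fullmatch(r"\d{13,19}", digits)) and luhn_ok(digits)


def validate_id_number(value: str) -> bool:
    # Assumed format for illustration: 17 digits followed by a digit or 'X'.
    return bool(re.fullmatch(r"\d{17}[\dX]", value))


def mask(value: str, keep_start: int, keep_end: int) -> str:
    """Partially conceal a value, keeping only its leading and trailing characters."""
    if len(value) <= keep_start + keep_end:
        return "*" * len(value)
    hidden = len(value) - keep_start - keep_end
    return value[:keep_start] + "*" * hidden + value[-keep_end:]


def accept_input(field: str, value: str) -> dict:
    """Validate one field and return whether it passed and the form safe to show.
    The raw value is never placed in the result, so the caller cannot echo it."""
    if field == "password":
        # Assumed length policy; passwords are only ever shown fully masked.
        return {"valid": 8 <= len(value) <= 64, "display": "*" * len(value)}
    if field == "card":
        digits = value.replace(" ", "")
        return {"valid": validate_card(value), "display": mask(digits, 4, 4)}
    if field == "id_number":
        return {"valid": validate_id_number(value), "display": mask(value, 3, 4)}
    raise ValueError("unknown field: " + field)
```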

Data storage

Security requirements for data storage include:

  1. User sensitive data shall not be stored in the client software unless necessary. Locally stored sensitive data should be protected with cryptographic algorithms of sufficient strength.
  2. Secret keys shall not be stored in plain text in the client software; they shall be protected using appropriate approaches such as fragmented storage and white-box cryptography.

Data deletion

Security requirements for data deletion include:

  1. All locally stored QR code related data shall be permanently deleted when the client software is uninstalled.
  2. Users should be given an option to completely delete the user sensitive data stored by the software.

Data access control

The client software shall apply access control to locally stored data, to ensure that unauthorized APPs cannot access it.

Communication security

Security requirements for communication include:

  1. The client software and the server shall use security protocols and encryption algorithms of sufficient strength for secure and reliable data exchange, to protect the communication channel between client and server.
  2. Secure and reliable mutual authentication should be performed when the communication channel between the client software and the server is established, and the authenticated channel should remain in a secure connection state throughout the communication.
  3. Security protocols shall be updated to their latest stable versions in a timely manner.
  4. Data transmitted between the client software and other local entities or application threads shall be protected by digital signatures and encryption, to ensure confidentiality and integrity and to prevent the data from being monitored or tampered with in transit.
  5. When sensitive data is transferred between the client software and the server, dedicated keys should be used to protect it, to ensure the confidentiality of the sensitive data in transit.
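As an added example (not code from the Alipay+ document), the following shows how a Python client would configure its TLS context to satisfy items 1 to 3 above: a floor on the protocol version, mandatory server certificate and hostname verification, and a client certificate for mutual authentication. A deliberately weak context is built beside it so a compliance check can tell the two apart. The certificate file paths are placeholders; TLS 1.2 as the minimum version is an assumption.

```python
import ssl


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """Hardened client-side TLS context for the client-to-server channel."""
    # Start from Python's secure defaults: CERT_REQUIRED and hostname checking on.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Refuse legacy protocol versions (assumed floor: TLS 1.2).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression leaks plaintext length; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Mutual authentication: present our certificate when the server requests it.
    # Paths are placeholders; in a real client the key lives in protected storage.
    if client_cert and client_key:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def legacy_client_context():
    """The weak setting: no certificate verification and no version floor.
    Shown only so the compliance check below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_is_compliant(ctx):
    """Check the points the requirements call for: version floor at or above
    TLS 1.2, server certificate verification, and hostname checking."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))
```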

More information

Security Guidelines for Merchant-Presented Mode