Ant Financial's End‑to‑End Mobile Security Architecture and Future Trends

The article outlines Ant Financial’s evolving mobile endpoint security strategy, detailing three development stages, the challenges of balancing security with user experience, risk pre‑emptive control, and privacy compliance, and introduces the AntDTX trusted middleware that integrates hardware and software for cloud‑edge collaborative risk mitigation.

AntTech

Recent developments in mobile technology have created new demands for multi‑device, all‑scenario applications and stricter privacy compliance, presenting fresh challenges for terminal security.

Ant Security Lab responds with a three‑layer "Ant Terminal Security Three‑Dimensional Defense Zone" architecture that combines endpoint, edge, and cloud defenses to address these challenges.

During a recent presentation, Wan Xiaofei, who leads terminal security at Ant, gave a panoramic view of the capabilities accumulated over six years, presenting the three‑layer technical architecture and the thinking behind building an endpoint‑edge‑cloud collaborative risk control system.

The core challenges identified are: (1) balancing security and user experience as risk‑control consumes resources and may disrupt service; (2) achieving proactive and precise risk prevention across the request lifecycle; and (3) meeting evolving data‑privacy and personal‑information protection requirements.

Ant’s solution is divided into three evolutionary stages: the first focuses on strengthening endpoint attack‑defense; the second explores endpoint‑cloud collaboration, shifting part of risk analysis to the device to reduce cloud load while maintaining strict decision standards; the third emphasizes trusted endpoints, leveraging hardware‑based trusted execution environments, secure storage, and confidential computing.

The architecture defines three defense zones—ecosystem (partner devices), app, edge (gateway), and cloud—forming a layered, parallel‑slice security model that blocks risks at their source rather than funneling everything to the cloud.

Key innovations include the AntDTX trusted middleware, which combines software SDKs with hardware‑based trusted components to provide trusted computing, secure storage, biometric protection, and one‑device‑one‑key capabilities, supporting risk governance, trusted storage, and AIoT scenarios.

Future trends highlighted are stricter privacy regulations, dynamic risk confrontation, diversified traffic entry points, increased on‑device risk governance, the emergence of native trusted endpoints as industry standards, and the potential of trusted devices to become universal digital identity credentials.
