Security Aspect: Extending Aspect‑Oriented Programming to Mobile and IoT Defense

The article explains how Ant Group’s security‑aspect defense model extends aspect‑oriented programming concepts to create a parallel, decoupled security layer for mobile and IoT applications, improving threat visibility, supply‑chain protection, and governance without requiring business code releases.

AntTech

At the 2020 BCS Beijing Cybersecurity Conference, Ant Group’s vice‑president introduced the company’s “security‑aspect” defense system, and later at the Bund Conference IoT security forum, Zhao Hao highlighted its value for IoT scenarios.

What is an aspect? An aspect, from Aspect‑Oriented Programming (AOP), allows dynamic addition of functionality without modifying source code, achieving decoupling between callers and callees and aggregating cross‑cutting concerns.

The security aspect extends this idea to security: it builds a parallel security layer that is interwoven with business logic yet remains independent of it, enabling fine‑grained observation, attack and defense, and development that is both “inner‑born” and “decoupled”.

The security‑aspect defense embeds a security layer throughout the app framework, with an independent rule engine and upgrade capability. All critical security‑related interfaces are protected, and calls are traced to assess risk.

Two illustrative problems are discussed:

Supply‑chain security: third‑party SDKs of varying quality introduce hidden malicious code, and operating‑system level isolation cannot separate app code from SDK code.

Security construction and governance: rapid business growth creates complex technical stacks, leading to security debt and governance bottlenecks that stall security work unless business releases occur.

The security‑aspect framework addresses these by allowing security mechanisms to interweave with business logic yet remain decoupled, enabling security governance without business releases and providing strong defensive capabilities.

Core capabilities of the security‑aspect defense:

Security logic integrated into the end‑application infrastructure.

Call‑chain reconstruction for deep security insight and tracing.

Code‑node analysis to identify fine‑grained roles within the app.

Decoupling from business code, allowing security updates independent of business releases.
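
A minimal Python sketch of these capabilities, added here as an illustration and not Ant Group's code: a decorator acts as the aspect around a sensitive interface, rebuilds the call chain, attributes each caller to the app or to an SDK, and checks a rule table that is updated separately from the business functions. All names (security_aspect, component, update_rules, read_location, ad_sdk) and the sample coordinates are assumptions made for this example.

```python
import functools
import inspect

COMPONENTS = {}  # code object -> owner tag (stand-in for code-node analysis)
AUDIT = []       # (api, call chain, decision) records kept for tracing
RULES = {"read_location": {"app"}}  # api -> owners allowed in its call chain

def component(name):  # tag a function as owned by the app or a named SDK
    def tag(func):
        COMPONENTS[func.__code__] = name
        return func
    return tag

def update_rules(new_rules):  # swap rules at runtime; no business code edited
    RULES.clear()
    RULES.update(new_rules)

def call_chain():  # tagged callers above the guarded interface, innermost first
    chain, frame = [], inspect.currentframe().f_back.f_back
    while frame is not None:
        if frame.f_code in COMPONENTS:
            chain.append((COMPONENTS[frame.f_code], frame.f_code.co_name))
        frame = frame.f_back
    return chain

def security_aspect(func):  # weave rule check + audit around a sensitive API
    api = func.__name__
    @functools.wraps(func)
    def guarded(*args, **kwargs):
        chain = call_chain()
        owners = {owner for owner, _ in chain}
        allowed = bool(owners) and owners <= RULES.get(api, set())  # fail closed
        AUDIT.append((api, chain, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{api} blocked for {sorted(owners)}")
        return func(*args, **kwargs)
    return guarded

@security_aspect
def read_location():  # sensitive interface; body is business code, unchanged
    return (31.23, 121.47)  # constructed sample coordinates

@component("app")
def show_map():
    return read_location()

@component("ad_sdk")
def collect_profile():  # hypothetical third-party SDK entry point
    return read_location()
```

Because the decision depends on every tagged owner in the chain, an app function that reaches the interface through a disallowed SDK helper is also denied, which is the soft-isolation behaviour the framework aims for.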

When combined with IoT, security aspects bring several benefits:

Encapsulation of fragmented IoT security environments, offering a unified security surface.

Traceability of malicious behavior in hardware/software supply chains.

Soft isolation of risky modules through strong security controls.

Rapid response to security incidents.

In Alipay’s IoT business, the security‑aspect defense is already deployed in the IoT mini‑program architecture, providing environment encapsulation, a runtime sandbox, malicious behavior blocking, real‑time risk analysis, and fast incident response.

The article concludes with a light‑hearted note about the team’s “Aspect Ramen Group” that delivers diverse security solutions for inclusive and safe financial services.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
