关于android:教你如何高效的检查APK中使用敏感权限的地方以及检查某系统方法被调用的地方

44次阅读

共计 7579 个字符,预计需要花费 19 分钟才能阅读完成。

前言

置信最近在 App 上架利用商店的同学都感触到了,国内对用户的隐衷越来越器重,如 MAC 地址,设施 ID,IMEI 信息等,要么就罗唆不必,要么就必须很显著的通知用户想要获取这些信息,相干法律及规定,参考《网络安全法》及《对于发展 APP 侵害用户权利专项整治工作的告诉》

单刀直入

废话不多说,找了几个反编译工具,并简略看了下应用办法,最终锁定 androguard,官网解释:对 Android 应用程序的逆向工程、恶意软件和恶意软件剖析,它提供了一系列的 Apk 以及 dex、odex、arsc 等文件的剖析解决性能,能够轻松的帮忙咱们找到调用零碎权限的中央。且 python 脚本执行,几乎不能再好用了

环境

  • python

    https://www.python.org
  • pycharm

    https://www.jetbrains.com/pycharm/download/
  • androguard

    https://androguard.readthedocs.io/en/latest/

    装置

    pip install -U androguard

    如果想在命令行间接操作,请在装置完后执行如下:

    androguard analyze

    执行后如图:

    而后再加载 apk,在下面执行后,输出如下:

    a, d, dx = AnalyzeAPK("examples/android/abcore/app-prod-debug.apk")

    apk 加载实现后就能够调用相干 api 来获取信息

    获取权限

    In [2]: a.get_permissions()
    Out[2]:
    ['android.permission.INTERNET',
     'android.permission.WRITE_EXTERNAL_STORAGE',
     'android.permission.ACCESS_WIFI_STATE',
     'android.permission.ACCESS_NETWORK_STATE']

    获取 Activity

    In [3]: a.get_activities()
    Out[3]:
    ['com.greenaddress.abcore.MainActivity',
     'com.greenaddress.abcore.BitcoinConfEditActivity',
     'com.greenaddress.abcore.AboutActivity',
     'com.greenaddress.abcore.SettingsActivity',
     'com.greenaddress.abcore.DownloadSettingsActivity',
     'com.greenaddress.abcore.PeerActivity',
     'com.greenaddress.abcore.ProgressActivity',
     'com.greenaddress.abcore.LogActivity',
     'com.greenaddress.abcore.ConsoleActivity',
     'com.greenaddress.abcore.DownloadActivity']

    其余

    # 包名
    In [4]: a.get_package()
    Out[4]: 'com.greenaddress.abcore'
    # app 名字
    In [5]: a.get_app_name()
    Out[5]: u'ABCore'
    # logo
    In [6]: a.get_app_icon()
    Out[6]: u'res/mipmap-xxxhdpi-v4/ic_launcher.png'
    # 版本号
    In [7]: a.get_androidversion_code()
    Out[7]: '2162'
    # 版本名
    In [8]: a.get_androidversion_name()
    Out[8]: '0.62'
    # 最低 sdk 反对
    In [9]: a.get_min_sdk_version()
    Out[9]: '21'
    # 最高
    In [10]: a.get_max_sdk_version()
    # 指标版本
    In [11]: a.get_target_sdk_version()
    Out[11]: '27'
    # 获取无效指标版本
    In [12]: a.get_effective_target_sdk_version()
    Out[12]: 27
    # manifest 文件
    In [13]: a.get_android_manifest_xml()
    Out[13]: <Element manifest at 0x7f9d01587b00>

    等等吧,Api 切实是太多了,还是关注官网文档吧,只有你想不到,没有它没有的,如下链接:

    https://androguard.readthedocs.io/en/latest/intro/gettingstarted.html#using-the-analysis-object

    更多 demo

https://github.com/androguard/androguard/tree/master/examples

上面间接开始实际。

检索应用敏感权限的中央并输入文件

上面就是查看 APK 中应用敏感权限的实现,请看:

import os
import sys

# 引入 androguard 的门路,依据集体寄存的地位而定
androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
if not androguard_module_path in sys.path:
    sys.path.append(androguard_module_path)

from androguard.misc import AnalyzeAPK
from androguard.core.androconf import load_api_specific_resource_module

path = r"/apk"
out_path = r"/out"
files = []
path_list = os.listdir(path)
path_list.sort()
for name in path_list:
    if os.path.isfile(os.path.join(path, name)):
        files.append(name)


def main():
    for apkFile in files:
        file_name = os.path.splitext(apkFile)[0]
        print(apkFile)
        out = AnalyzeAPK(path + '/' + apkFile)
        # apk object 形象 apk 对象,能够获取 apk 的一些信息,如版本号、包名、Activity 等
        a = out[0]
        # DalvikVMFormat 数组,一个元素其实对应的是 class.dex,能够从 DEX 文件中获取类、办法或字符串。d = out[1]
        # Analysis 剖析对象,因为它蕴含非凡的类,这些类链接无关 classes.dex 的信息,甚至能够一次解决许多 dex 文件,所以上面咱们从这外面来剖析整个 apk
        dx = out[2]

        # api 和权限映射
        # 输入文件门路
        api_perm_filename = os.path.join(out_path, file_name + "_api-perm.txt")
        api_perm_file = open(api_perm_filename, 'w', encoding='utf-8')
        # 权限映射 map
        permissionMap = load_api_specific_resource_module('api_permission_mappings')
        # 遍历 apk 所有办法
        for meth_analysis in dx.get_methods():
            meth = meth_analysis.get_method()
            # 获取类名、办法名
            name = meth.get_class_name() + "-" + meth.get_name() + "-" + str(meth.get_descriptor())
             
            for k, v in permissionMap.items():
                # 匹配零碎权限办法,匹配上就输入到文件中
                if name == k:
                    result = str(meth) + ':' + str(v)
                    api_perm_file.write(result + '\n')
        api_perm_file.close()


if __name__ == '__main__':
    main()

输入后果

Landroid/app/Activity;->navigateUpTo(Landroid/content/Intent;)Z : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->onMenuItemSelected(I Landroid/view/MenuItem;)Z : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->setRequestedOrientation(I)V : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->unregisterReceiver(Landroid/content/BroadcastReceiver;)V : ['android.permission.BROADCAST_STICKY']
Landroid/os/PowerManager$WakeLock;->acquire(J)V : ['android.permission.WAKE_LOCK']
Landroid/os/PowerManager$WakeLock;->release()V : ['android.permission.WAKE_LOCK']
Landroid/location/LocationManager;->isProviderEnabled(Ljava/lang/String;)Z : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location; : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
Landroid/app/ActivityManager;->getRunningTasks(I)Ljava/util/List; : ['android.permission.GET_TASKS']
Landroid/accounts/AccountManager;->invalidateAuthToken(Ljava/lang/String; Ljava/lang/String;)V : ['android.permission.MANAGE_ACCOUNTS', 'android.permission.USE_CREDENTIALS']
Landroid/net/ConnectivityManager;->getNetworkInfo(I)Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/net/ConnectivityManager;->isActiveNetworkMetered()Z : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']

输入的零碎类、调用办法、须要的权限。

检索某零碎办法被调用的中央并打印

import os
import sys

# 引入 androguard 的门路,依据集体寄存的地位而定
androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
if not androguard_module_path in sys.path:
    sys.path.append(androguard_module_path)

from androguard.misc import AnalyzeAPK
from androguard.core.androconf import load_api_specific_resource_module

path = r"/apk"
out_path = r"/out"
files = []
path_list = os.listdir(path)
path_list.sort()
for name in path_list:
    if os.path.isfile(os.path.join(path, name)):
        files.append(name)


def main():
    for apkFile in files:
        file_name = os.path.splitext(apkFile)[0]
        print(apkFile)
        out = AnalyzeAPK(path + '/' + apkFile)
        a = out[0]
        d = out[1]
        dx = out[2]

        for meth in dx.classes['Ljava/io/File;'].get_methods():
            print("usage of method {}".format(meth.name))
            # 拿到改函数的援用函数
            for _, call, _ in meth.get_xref_from():
            print("called by -> {} -- {}".format(call.class_name, call.name))

if __name__ == '__main__':
    main()

输入后果

usage of method getPath
  called by -> Landroid/support/v4/util/AtomicFile; -- <init>
usage of method <init>
  called by -> Landroid/support/v4/util/AtomicFile; -- <init>
usage of method delete
  called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
  called by -> Landroid/support/v4/util/AtomicFile; -- delete
  called by -> Landroid/support/v4/util/AtomicFile; -- delete
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
  called by -> Landroid/support/v4/util/AtomicFile; -- openRead
  called by -> Landroid/support/v4/util/AtomicFile; -- finishWrite
usage of method renameTo
  called by -> Landroid/support/v4/util/AtomicFile; -- openRead
  called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method exists
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
  called by -> Landroid/support/v4/util/AtomicFile; -- openRead
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method getParentFile
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method mkdir
  called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
  • ‘Ljava/io/File;’须要检测的类
  • meth.get_xref_from() 那该类中函数被援用的中央
  • 你也能够本人搞个数组,配置好要查看的相干函数,而后在下面代码中退出 if 过滤即可
    如果你想找 Android 零碎定位,被利用哪些办法调用,你就能够这样做:

    dx.classes['Landroid/location/LocationManager;']

    再运行一遍脚本就能够看到后果了。

    完结

    写这篇博客,次要目标是为了让更多人晓得这个货色吧,我本人去搜寻文章的时候发现并没有多少能够参考的,导致很多人无从下手,但其实官网文档也很具体,然而英文的,看起来也不不便,也心愿这篇简短的文章给你提供帮忙,如果有问题请再分割我或留言评论

    欢送关注新网站

  • http://jetpack.net.cn

正文完
 0