共计 7579 个字符,预计需要花费 19 分钟才能阅读完成。
前言
置信最近在 App 上架利用商店的同学都感触到了,国内对用户的隐衷越来越器重,如 MAC 地址,设施 ID,IMEI 信息等,要么就罗唆不必,要么就必须很显著的通知用户想要获取这些信息,相干法律及规定,参考《网络安全法》及《对于发展 APP 侵害用户权利专项整治工作的告诉》
单刀直入
废话不多说,找了几个反编译工具,并简略看了下应用办法,最终锁定 androguard,官网解释:对 Android 应用程序的逆向工程、恶意软件和恶意软件剖析,它提供了一系列的 Apk 以及 dex、odex、arsc 等文件的剖析解决性能,能够轻松的帮忙咱们找到调用零碎权限的中央。且 python 脚本执行,几乎不能再好用了
环境
-
python
https://www.python.org -
pycharm
https://www.jetbrains.com/pycharm/download/ -
androguard
https://androguard.readthedocs.io/en/latest/装置
pip install -U androguard如果想在命令行间接操作,请在装置完后执行如下:
androguard analyze执行后如图:
而后再加载 apk,在下面执行后,输出如下:a, d, dx = AnalyzeAPK("examples/android/abcore/app-prod-debug.apk")apk 加载实现后就能够调用相干 api 来获取信息
获取权限
In [2]: a.get_permissions() Out[2]: ['android.permission.INTERNET', 'android.permission.WRITE_EXTERNAL_STORAGE', 'android.permission.ACCESS_WIFI_STATE', 'android.permission.ACCESS_NETWORK_STATE']获取 Activity
In [3]: a.get_activities() Out[3]: ['com.greenaddress.abcore.MainActivity', 'com.greenaddress.abcore.BitcoinConfEditActivity', 'com.greenaddress.abcore.AboutActivity', 'com.greenaddress.abcore.SettingsActivity', 'com.greenaddress.abcore.DownloadSettingsActivity', 'com.greenaddress.abcore.PeerActivity', 'com.greenaddress.abcore.ProgressActivity', 'com.greenaddress.abcore.LogActivity', 'com.greenaddress.abcore.ConsoleActivity', 'com.greenaddress.abcore.DownloadActivity']其余
# 包名 In [4]: a.get_package() Out[4]: 'com.greenaddress.abcore' # app 名字 In [5]: a.get_app_name() Out[5]: u'ABCore' # logo In [6]: a.get_app_icon() Out[6]: u'res/mipmap-xxxhdpi-v4/ic_launcher.png' # 版本号 In [7]: a.get_androidversion_code() Out[7]: '2162' # 版本名 In [8]: a.get_androidversion_name() Out[8]: '0.62' # 最低 sdk 反对 In [9]: a.get_min_sdk_version() Out[9]: '21' # 最高 In [10]: a.get_max_sdk_version() # 指标版本 In [11]: a.get_target_sdk_version() Out[11]: '27' # 获取无效指标版本 In [12]: a.get_effective_target_sdk_version() Out[12]: 27 # manifest 文件 In [13]: a.get_android_manifest_xml() Out[13]: <Element manifest at 0x7f9d01587b00>等等吧,Api 切实是太多了,还是关注官网文档吧,只有你想不到,没有它没有的,如下链接:
https://androguard.readthedocs.io/en/latest/intro/gettingstarted.html#using-the-analysis-object更多 demo
https://github.com/androguard/androguard/tree/master/examples上面间接开始实际。
检索应用敏感权限的中央并输入文件
上面就是查看 APK 中应用敏感权限的实现,请看:
import os
import sys
# 引入 androguard 的门路,依据集体寄存的地位而定
androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
if not androguard_module_path in sys.path:
sys.path.append(androguard_module_path)
from androguard.misc import AnalyzeAPK
from androguard.core.androconf import load_api_specific_resource_module
path = r"/apk"
out_path = r"/out"
files = []
path_list = os.listdir(path)
path_list.sort()
for name in path_list:
if os.path.isfile(os.path.join(path, name)):
files.append(name)
def main():
for apkFile in files:
file_name = os.path.splitext(apkFile)[0]
print(apkFile)
out = AnalyzeAPK(path + '/' + apkFile)
# apk object 形象 apk 对象,能够获取 apk 的一些信息,如版本号、包名、Activity 等
a = out[0]
# DalvikVMFormat 数组,一个元素其实对应的是 class.dex,能够从 DEX 文件中获取类、办法或字符串。d = out[1]
# Analysis 剖析对象,因为它蕴含非凡的类,这些类链接无关 classes.dex 的信息,甚至能够一次解决许多 dex 文件,所以上面咱们从这外面来剖析整个 apk
dx = out[2]
# api 和权限映射
# 输入文件门路
api_perm_filename = os.path.join(out_path, file_name + "_api-perm.txt")
api_perm_file = open(api_perm_filename, 'w', encoding='utf-8')
# 权限映射 map
permissionMap = load_api_specific_resource_module('api_permission_mappings')
# 遍历 apk 所有办法
for meth_analysis in dx.get_methods():
meth = meth_analysis.get_method()
# 获取类名、办法名
name = meth.get_class_name() + "-" + meth.get_name() + "-" + str(meth.get_descriptor())
for k, v in permissionMap.items():
# 匹配零碎权限办法,匹配上就输入到文件中
if name == k:
result = str(meth) + ':' + str(v)
api_perm_file.write(result + '\n')
api_perm_file.close()
if __name__ == '__main__':
main()
输入后果
Landroid/app/Activity;->navigateUpTo(Landroid/content/Intent;)Z : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->onMenuItemSelected(I Landroid/view/MenuItem;)Z : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->setRequestedOrientation(I)V : ['android.permission.BROADCAST_STICKY']
Landroid/app/Activity;->unregisterReceiver(Landroid/content/BroadcastReceiver;)V : ['android.permission.BROADCAST_STICKY']
Landroid/os/PowerManager$WakeLock;->acquire(J)V : ['android.permission.WAKE_LOCK']
Landroid/os/PowerManager$WakeLock;->release()V : ['android.permission.WAKE_LOCK']
Landroid/location/LocationManager;->isProviderEnabled(Ljava/lang/String;)Z : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location; : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
Landroid/app/ActivityManager;->getRunningTasks(I)Ljava/util/List; : ['android.permission.GET_TASKS']
Landroid/accounts/AccountManager;->invalidateAuthToken(Ljava/lang/String; Ljava/lang/String;)V : ['android.permission.MANAGE_ACCOUNTS', 'android.permission.USE_CREDENTIALS']
Landroid/net/ConnectivityManager;->getNetworkInfo(I)Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/net/ConnectivityManager;->isActiveNetworkMetered()Z : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']输入的零碎类、调用办法、须要的权限。
检索某零碎办法被调用的中央并打印
import os
import sys
# 引入 androguard 的门路,依据集体寄存的地位而定
androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
if not androguard_module_path in sys.path:
sys.path.append(androguard_module_path)
from androguard.misc import AnalyzeAPK
from androguard.core.androconf import load_api_specific_resource_module
path = r"/apk"
out_path = r"/out"
files = []
path_list = os.listdir(path)
path_list.sort()
for name in path_list:
if os.path.isfile(os.path.join(path, name)):
files.append(name)
def main():
for apkFile in files:
file_name = os.path.splitext(apkFile)[0]
print(apkFile)
out = AnalyzeAPK(path + '/' + apkFile)
a = out[0]
d = out[1]
dx = out[2]
for meth in dx.classes['Ljava/io/File;'].get_methods():
print("usage of method {}".format(meth.name))
# 拿到改函数的援用函数
for _, call, _ in meth.get_xref_from():
print("called by -> {} -- {}".format(call.class_name, call.name))
if __name__ == '__main__':
main()输入后果
usage of method getPath
called by -> Landroid/support/v4/util/AtomicFile; -- <init>
usage of method <init>
called by -> Landroid/support/v4/util/AtomicFile; -- <init>
usage of method delete
called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
called by -> Landroid/support/v4/util/AtomicFile; -- delete
called by -> Landroid/support/v4/util/AtomicFile; -- delete
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
called by -> Landroid/support/v4/util/AtomicFile; -- openRead
called by -> Landroid/support/v4/util/AtomicFile; -- finishWrite
usage of method renameTo
called by -> Landroid/support/v4/util/AtomicFile; -- openRead
called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method exists
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
called by -> Landroid/support/v4/util/AtomicFile; -- openRead
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method getParentFile
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
usage of method mkdir
called by -> Landroid/support/v4/util/AtomicFile; -- startWrite- ‘Ljava/io/File;’须要检测的类
- meth.get_xref_from() 那该类中函数被援用的中央
-
你也能够本人搞个数组,配置好要查看的相干函数,而后在下面代码中退出 if 过滤即可
如果你想找 Android 零碎定位,被利用哪些办法调用,你就能够这样做:dx.classes['Landroid/location/LocationManager;']再运行一遍脚本就能够看到后果了。
完结
写这篇博客,次要目标是为了让更多人晓得这个货色吧,我本人去搜寻文章的时候发现并没有多少能够参考的,导致很多人无从下手,但其实官网文档也很具体,然而英文的,看起来也不不便,也心愿这篇简短的文章给你提供帮忙,如果有问题请再分割我或留言评论
欢送关注新网站
- http://jetpack.net.cn
正文完