关于android:APK的更新安装隐藏解除隐藏

62次阅读

共计 11656 个字符,预计需要花费 30 分钟才能阅读完成。

一、用户装置的 apk 产生更新

public void registerReceiver(Context context) {Slog.d("PMSdddd", "systemReady1");
        IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_PACKAGE_ADDED);
        filter.addAction(Intent.ACTION_PACKAGE_CHANGED);
        filter.addAction(Intent.ACTION_PACKAGE_REPLACED);
        filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
        filter.addDataScheme("package");
        BroadcastReceiver packgeMonitorReceiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {final String action = intent.getAction();
                final String packageName =
intent.getData().getSchemeSpecificPart();
                final boolean replacing =
intent.getBooleanExtra(Intent.EXTRA_REPLACING, false);
                final boolean dataRemoved =
intent.getBooleanExtra(Intent.EXTRA_DATA_REMOVED, false);

                Slog.d("PMSdddd", "action:" + action + "packageName:"
+ packageName + "replacing:" + replacing
                        + "dataRemoved:" + dataRemoved);
            }
        };
        context.registerReceiver(packgeMonitorReceiver, filter);
    }

第 1 步,新装置 apk

adb install apk

Line 52701: 02-01 21:26:23.213  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED  packageName:com.adobe.reader  replacing:false  dataRemoved:false

第 2 步,hide 此 apk

adb shell pm hide apk

Line 53895: 02-01 21:28:22.043  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED  packageName:com.adobe.reader  replacing:false  dataRemoved:false

第 3 步,adb install 更新
adb install -r apk

Line 54477: 02-01 21:29:41.550  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED  packageName:com.adobe.reader  replacing:true  dataRemoved:false


Line 54512: 02-01 21:29:41.648  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED  packageName:com.adobe.reader  replacing:true  dataRemoved:false

第 4 步,再 unhide 此 apk

adb shell pm unhide apk

Line 55640: 02-01 21:32:25.651  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED  packageName:com.adobe.reader  replacing:false  dataRemoved:false

第 5 步,adb uninstall 卸载 apk

Line 61310: 02-01 21:52:36.395  1727  1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED  packageName:com.adobe.reader  replacing:false  dataRemoved:true

总结:
hide 命令:零碎会发送播送 android.intent.action.PACKAGE_REMOVED,data 数据并不会删除
unhide 命令:零碎会发送播送 android.intent.action.PACKAGE_ADDED,data 数据不会删除

更新 apk 时:
零碎先发送播送 android.intent.action.PACKAGE_REMOVED,intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值为 true

零碎随后发送播送 android.intent.action.PACKAGE_ADDED,intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值也为 true

卸载 apk 时:
零碎发送播送 android.intent.action.PACKAGE_REMOVED,intent.getBooleanExtra(Intent.EXTRA_DATA_REMOVED, false)获取的值为 true

二、零碎 apk(位于:system/app 目录)产生更新

第 1 步,预置 apk(v1.0)到 system/app

adb push apk system/app

再复原出厂设置
第 2 步,adb install- r 更新 apk 到 v2.0

Line 8118: 02-02 02:55:59.428  1130  1130 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED  packageName:com.example.ddd  replacing:true  dataRemoved:false


Line 8134: 02-02 02:55:59.501  1130  1130 D PMSdddd : action: android.intent.action.PACKAGE_ADDED  packageName:com.example.ddd  replacing:true  dataRemoved:false


Line 8281: 02-02 02:55:59.903  1130  1130 D PMSdddd : action: android.intent.action.PACKAGE_REPLACED  packageName:com.example.ddd  replacing:true  dataRemoved:false

更新后的 apk 装置在 data/app 目录:

    Line 8550: 02-02 05:12:10.806  1132  1228 I PackageManager: Update system package com.example.ddd code path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
    Line 8550: 02-02 05:12:10.806  1132  1228 I PackageManager: Update system package com.example.ddd code path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
    Line 8551: 02-02 05:12:10.808  1132  1228 I PackageManager: Update system package com.example.ddd resource path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
    Line 8551: 02-02 05:12:10.808  1132  1228 I PackageManager: Update system package com.example.ddd resource path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new

第 3 步,Settings“利用信息”界面无奈卸载,没有卸载按钮(关上、停用、强行进行三个按钮)

总结:

零碎 apk 产生更新时,零碎顺次发送播送:action: android.intent.action.PACKAGE_REMOVED、action: android.intent.action.PACKAGE_ADDED、action: android.intent.action.PACKAGE_REPLACED

且 intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值为 true

Android 监听多用户切换,暗藏和禁用指定 Apk

IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_USER_SWITCHED);
        filter.addAction(Intent.ACTION_USER_ADDED);
        BroadcastReceiver mUserSwitchedReceiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {final String action = intent.getAction();
                final int userId = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, UserHandle.USER_NULL);
                if (userId == UserHandle.USER_NULL) {Slog.e("PMSdddd", "received an invalid EXTRA_USER_HANDLE");
                    return;
                }
                if (Intent.ACTION_USER_SWITCHED.equals(action) && userId > 0) {Slog.d("PMSdddd", "User switched to userId" + userId);
                    AsyncTask.execute(new Runnable() {
                        @Override
                        public void run() {Slog.d("PMSdddd", "install start11");
                            Sbbbbbbbbbbb.hideOtherBrandAppWhenUserSwitched();}
                    });
                } else if (Intent.ACTION_USER_ADDED.equals(action) && userId > 0) {Slog.d("PMSdddd", "Added User  userId" + userId);
                    AsyncTask.execute(new Runnable() {
                        @Override
                        public void run() {Slog.d("PMSdddd", "install start11");
Sbbbbbbbbbbb
.hideOtherBrandAppWhenUserSwitched();} }); } } }; mContext.registerReceiver(mUserSwitchedReceiver, filter);

是否暗藏和禁用 apk

/**
     * only hide app but don't delete user data
     *
     * @param pkgName
     */
    private void hide(String pkgName) {final PackageManager pm = mContext.getPackageManager();
        int userId = ActivityManager.getCurrentUser();
        pm.setApplicationHiddenSettingAsUser(pkgName, true, new UserHandle(userId));
        disableApplication(pkgName);
    }

    private void unhide(String pkgName) {final PackageManager pm = mContext.getPackageManager();
        int userId = ActivityManager.getCurrentUser();
        pm.setApplicationHiddenSettingAsUser(pkgName, false, new UserHandle(userId));
        enableApplication(pkgName);
    }

    private void disableApplication(String pkgName) {final PackageManager pm = mContext.getPackageManager();
        try {int state = pm.getApplicationEnabledSetting(pkgName);
            Slog.d(TAG, "disableApplication state:" + state + "pkgName:" + pkgName);
            if (state == PackageManager.COMPONENT_ENABLED_STATE_DISABLED)
                return;
            pm.setApplicationEnabledSetting(pkgName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 0);
        } catch (IllegalArgumentException exeption) {Slog.w(TAG, "disableApplication error:" + exeption.getMessage());
        }
    }

    private void enableApplication(String pkgName) {final PackageManager pm = mContext.getPackageManager();
        try {int state = pm.getApplicationEnabledSetting(pkgName);
            Slog.d(TAG, "enableApplication state:" + state + "pkgName:" + pkgName);
            if (state == PackageManager.COMPONENT_ENABLED_STATE_ENABLED)
                return;
            pm.setApplicationEnabledSetting(pkgName, PackageManager.COMPONENT_ENABLED_STATE_ENABLED, 0);
        } catch (IllegalArgumentException exeption) {Slog.w(TAG, "enableApplication error:" + exeption.getMessage());
        }
    }

暗藏的 apk 或 disable 的 apk,信息保留在 /data/system/users/0/package-restrictions.xml 文件内

<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="3" enabledCaller="com.android.settings" domainVerificationStatus="2" app-link-generation="4">

<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="2" enabledCaller="android" domainVerificationStatus="2" app-link-generation="4">
<pkg name="com.amazon.appmanager" ceDataInode="4472" hidden="true" enabled="2" enabledCaller="android" />

<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="3" enabledCaller="com.android.settings" domainVerificationStatus="2" app-link-generation="4">

apk 被 hide 后,保留的信息:hidden=”true”

apk 被 disable 后,依据 setApplicationEnabledSetting 传入的常量参数不同,enabled= 的值就会不同,如下介绍:

public static final int COMPONENT_ENABLED_STATE_DISABLED = 2;  // disable 利用时,若传入此参数,则利用在桌面没有图标,且在设置界面、应用程序列表外面也没有图标(利用齐全暗藏了)public static final int COMPONENT_ENABLED_STATE_DISABLED_USER = 3;  // disable 利用时,若传入此参数,则利用在桌面没有图标,然而在设置界面、应用程序列表外面有图标 (只是桌面图标暗藏了,设置外面仍能够看到图标,用户能够再次 enable 此利用)

另外:adb shell pm disable-user 利用包名:相当于传入的参数是 COMPONENT_ENABLED_STATE_DISABLED。

查看手机有哪些利用处于 disable 状态的办法:

办法 1:adb shell pm list packages -d

C:\Users\zzz>adb shell pm list packages -d
package:com.facebook.services
package:com.google.android.videos
package:com.facebook.appmanager

办法 2:adb shell pm dump packages > Desktop/log2.txt

enabled=2 —-> 示意利用处于 disable 状态,对应的值:COMPONENT_ENABLED_STATE_DISABLED

Package [com.facebook.appmanager] (a926214):
    userId=10098
    pkg=Package{9ae0abd com.facebook.appmanager}
    codePath=/system/app/appmanager
    resourcePath=/system/app/appmanager
    legacyNativeLibraryDir=/system/app/appmanager/lib
    primaryCpuAbi=arm64-v8a
    secondaryCpuAbi=null
    versionCode=277606887 minSdk=21 targetSdk=30
    versionName=67.3.0
    splits=[base]
    apkSigningVersion=2
    applicationInfo=ApplicationInfo{9ae0abd com.facebook.appmanager}
    flags=[SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA]
    privateFlags=[PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ALLOW_AUDIO_PLAYBACK_CAPTURE HAS_DOMAIN_URLS PRIVATE_FLAG_ALLOW_NATIVE_HEAP_POINTER_TAGGING]
    forceQueryable=false
    queriesIntents=[Intent { act=com.facebook.secure.packagefinder.intent.ACTION_QUERY_PACKAGES}]
    dataDir=/data/user/0/com.facebook.appmanager
    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
    timeStamp=2021-07-12 23:30:37
    firstInstallTime=2021-07-12 23:30:37
    lastUpdateTime=2021-07-12 23:30:37
    signatures=PackageSignatures{18e58b2 version:2, signatures:[c4e416cc], past signatures:[]}
    installPermissionsFixed=true
    pkgFlags=[SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA]
    declared permissions:
      com.facebook.appmanager.ACCESS: prot=signature, INSTALLED
      com.facebook.appmanager.API_ACCESS: prot=normal, INSTALLED
    install permissions:
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.INTERNET: granted=true
      android.permission.GET_PACKAGE_SIZE: granted=true
      com.facebook.appmanager.ACCESS: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0: ceDataInode=4785 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=2 instant=false virtual=false
    overlay paths:
      /product/overlay/NavigationBarModeGestural/NavigationBarModeGesturalOverlay.apk
      lastDisabledCaller: android
      gids=[3003]

查看哪些利用属于零碎签名?

办法:adb shell pm dump packages > Desktop/log2.txt

包名为 ”android” 的 apk 属于平台 apk,必定是零碎签名,首先看一下包名为 ”android” 的 apk 的签名信息:

 Package [android] (ad28bfa):
    userId=1000
    sharedUser=SharedUserSetting{769a3df android.uid.system/1000}
    pkg=Package{6103b22 android}
    codePath=/system/framework/framework-res.apk
    resourcePath=/system/framework/framework-res.apk
    legacyNativeLibraryDir=/system/lib64/framework-res
    primaryCpuAbi=arm64-v8a
    secondaryCpuAbi=null
    versionCode=30 minSdk=30 targetSdk=30
    versionName=11
    splits=[base]
    apkSigningVersion=3
    applicationInfo=ApplicationInfo{6103b22 android}
    flags=[SYSTEM PERSISTENT ALLOW_BACKUP]
    privateFlags=[PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ALLOW_AUDIO_PLAYBACK_CAPTURE DEFAULT_TO_DEVICE_PROTECTED_STORAGE DIRECT_BOOT_AWARE PRIVILEGED PRIVATE_FLAG_ALLOW_NATIVE_HEAP_POINTER_TAGGING]
    forceQueryable=true
    queriesPackages=[]
    dataDir=/data/system
    supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
    timeStamp=2021-07-12 23:27:41
    firstInstallTime=2021-07-12 23:27:41
    lastUpdateTime=2021-07-12 23:27:41
    signatures=PackageSignatures{539b9b3 version:3, signatures:[a0521abc], past signatures:[]}
    installPermissionsFixed=true
    pkgFlags=[SYSTEM PERSISTENT ALLOW_BACKUP]
    declared permissions:
      android.permission.READ_CONTACTS: prot=dangerous, INSTALLED
      android.permission.WRITE_CONTACTS: prot=dangerous, INSTALLED
      ........

    User 0: ceDataInode=4316 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=0 instant=false virtual=false
    overlay paths:
      /product/overlay/NavigationBarModeGestural/NavigationBarModeGesturalOverlay.apk

从下面信息能够看到,签名信息:signatures:[a0521abc],而后在 log2.txt 文件全局搜寻“a0521abc”,能够列出所有零碎签名的利用。

结语:后续会继续更新哦,喜爱的话点赞关注一下吧。
相干视频
【Android 进阶】APK 的加固优化

正文完
android
发表至: android
2021-12-13
 0
关于android:H264数据通过rtp分片发送
关于android:HMS-Core-能力速配唱响恋爱进行曲
关于android:MobPush-Android常见问题
关于android:由浅入深聊聊-LeakCanary-的那些事