共计 11656 个字符,预计需要花费 30 分钟才能阅读完成。
一、用户装置的 apk 产生更新
public void registerReceiver(Context context) {Slog.d("PMSdddd", "systemReady1");
IntentFilter filter = new IntentFilter();
filter.addAction(Intent.ACTION_PACKAGE_ADDED);
filter.addAction(Intent.ACTION_PACKAGE_CHANGED);
filter.addAction(Intent.ACTION_PACKAGE_REPLACED);
filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
filter.addDataScheme("package");
BroadcastReceiver packgeMonitorReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {final String action = intent.getAction();
final String packageName =
intent.getData().getSchemeSpecificPart();
final boolean replacing =
intent.getBooleanExtra(Intent.EXTRA_REPLACING, false);
final boolean dataRemoved =
intent.getBooleanExtra(Intent.EXTRA_DATA_REMOVED, false);
Slog.d("PMSdddd", "action:" + action + "packageName:"
+ packageName + "replacing:" + replacing
+ "dataRemoved:" + dataRemoved);
}
};
context.registerReceiver(packgeMonitorReceiver, filter);
}第 1 步,新装置 apk
adb install apk
Line 52701: 02-01 21:26:23.213 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED packageName:com.adobe.reader replacing:false dataRemoved:false第 2 步,hide 此 apk
adb shell pm hide apk
Line 53895: 02-01 21:28:22.043 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED packageName:com.adobe.reader replacing:false dataRemoved:false第 3 步,adb install 更新
adb install -r apk
Line 54477: 02-01 21:29:41.550 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED packageName:com.adobe.reader replacing:true dataRemoved:false
Line 54512: 02-01 21:29:41.648 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED packageName:com.adobe.reader replacing:true dataRemoved:false第 4 步,再 unhide 此 apk
adb shell pm unhide apk
Line 55640: 02-01 21:32:25.651 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_ADDED packageName:com.adobe.reader replacing:false dataRemoved:false第 5 步,adb uninstall 卸载 apk
Line 61310: 02-01 21:52:36.395 1727 1727 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED packageName:com.adobe.reader replacing:false dataRemoved:true总结:
hide 命令:零碎会发送播送 android.intent.action.PACKAGE_REMOVED,data 数据并不会删除
unhide 命令:零碎会发送播送 android.intent.action.PACKAGE_ADDED,data 数据不会删除
更新 apk 时:
零碎先发送播送 android.intent.action.PACKAGE_REMOVED,intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值为 true
零碎随后发送播送 android.intent.action.PACKAGE_ADDED,intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值也为 true
卸载 apk 时:
零碎发送播送 android.intent.action.PACKAGE_REMOVED,intent.getBooleanExtra(Intent.EXTRA_DATA_REMOVED, false)获取的值为 true
二、零碎 apk(位于:system/app 目录)产生更新
第 1 步,预置 apk(v1.0)到 system/app
adb push apk system/app
再复原出厂设置
第 2 步,adb install- r 更新 apk 到 v2.0
Line 8118: 02-02 02:55:59.428 1130 1130 D PMSdddd : action: android.intent.action.PACKAGE_REMOVED packageName:com.example.ddd replacing:true dataRemoved:false
Line 8134: 02-02 02:55:59.501 1130 1130 D PMSdddd : action: android.intent.action.PACKAGE_ADDED packageName:com.example.ddd replacing:true dataRemoved:false
Line 8281: 02-02 02:55:59.903 1130 1130 D PMSdddd : action: android.intent.action.PACKAGE_REPLACED packageName:com.example.ddd replacing:true dataRemoved:false更新后的 apk 装置在 data/app 目录:
Line 8550: 02-02 05:12:10.806 1132 1228 I PackageManager: Update system package com.example.ddd code path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
Line 8550: 02-02 05:12:10.806 1132 1228 I PackageManager: Update system package com.example.ddd code path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
Line 8551: 02-02 05:12:10.808 1132 1228 I PackageManager: Update system package com.example.ddd resource path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new
Line 8551: 02-02 05:12:10.808 1132 1228 I PackageManager: Update system package com.example.ddd resource path from /system/operator/app/AndroidDemoV1.0.apk to /data/app/~~IYd549AfrGeHUc-lWfY8kg==/com.example.ddd-o9yTi7O1l3Cm3EhqTvf2Rw==; Retain data and using new第 3 步,Settings“利用信息”界面无奈卸载,没有卸载按钮(关上、停用、强行进行三个按钮)
总结:
零碎 apk 产生更新时,零碎顺次发送播送:action: android.intent.action.PACKAGE_REMOVED、action: android.intent.action.PACKAGE_ADDED、action: android.intent.action.PACKAGE_REPLACED
且 intent.getBooleanExtra(Intent.EXTRA_REPLACING, false) 获取的值为 true
Android 监听多用户切换,暗藏和禁用指定 Apk
IntentFilter filter = new IntentFilter();
filter.addAction(Intent.ACTION_USER_SWITCHED);
filter.addAction(Intent.ACTION_USER_ADDED);
BroadcastReceiver mUserSwitchedReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {final String action = intent.getAction();
final int userId = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, UserHandle.USER_NULL);
if (userId == UserHandle.USER_NULL) {Slog.e("PMSdddd", "received an invalid EXTRA_USER_HANDLE");
return;
}
if (Intent.ACTION_USER_SWITCHED.equals(action) && userId > 0) {Slog.d("PMSdddd", "User switched to userId" + userId);
AsyncTask.execute(new Runnable() {
@Override
public void run() {Slog.d("PMSdddd", "install start11");
Sbbbbbbbbbbb.hideOtherBrandAppWhenUserSwitched();}
});
} else if (Intent.ACTION_USER_ADDED.equals(action) && userId > 0) {Slog.d("PMSdddd", "Added User userId" + userId);
AsyncTask.execute(new Runnable() {
@Override
public void run() {Slog.d("PMSdddd", "install start11");Sbbbbbbbbbbb.hideOtherBrandAppWhenUserSwitched();} }); } } }; mContext.registerReceiver(mUserSwitchedReceiver, filter);是否暗藏和禁用 apk
/**
* only hide app but don't delete user data
*
* @param pkgName
*/
private void hide(String pkgName) {final PackageManager pm = mContext.getPackageManager();
int userId = ActivityManager.getCurrentUser();
pm.setApplicationHiddenSettingAsUser(pkgName, true, new UserHandle(userId));
disableApplication(pkgName);
}
private void unhide(String pkgName) {final PackageManager pm = mContext.getPackageManager();
int userId = ActivityManager.getCurrentUser();
pm.setApplicationHiddenSettingAsUser(pkgName, false, new UserHandle(userId));
enableApplication(pkgName);
}
private void disableApplication(String pkgName) {final PackageManager pm = mContext.getPackageManager();
try {int state = pm.getApplicationEnabledSetting(pkgName);
Slog.d(TAG, "disableApplication state:" + state + "pkgName:" + pkgName);
if (state == PackageManager.COMPONENT_ENABLED_STATE_DISABLED)
return;
pm.setApplicationEnabledSetting(pkgName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, 0);
} catch (IllegalArgumentException exeption) {Slog.w(TAG, "disableApplication error:" + exeption.getMessage());
}
}
private void enableApplication(String pkgName) {final PackageManager pm = mContext.getPackageManager();
try {int state = pm.getApplicationEnabledSetting(pkgName);
Slog.d(TAG, "enableApplication state:" + state + "pkgName:" + pkgName);
if (state == PackageManager.COMPONENT_ENABLED_STATE_ENABLED)
return;
pm.setApplicationEnabledSetting(pkgName, PackageManager.COMPONENT_ENABLED_STATE_ENABLED, 0);
} catch (IllegalArgumentException exeption) {Slog.w(TAG, "enableApplication error:" + exeption.getMessage());
}
}暗藏的 apk 或 disable 的 apk,信息保留在 /data/system/users/0/package-restrictions.xml 文件内
<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="3" enabledCaller="com.android.settings" domainVerificationStatus="2" app-link-generation="4">
<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="2" enabledCaller="android" domainVerificationStatus="2" app-link-generation="4"><pkg name="com.amazon.appmanager" ceDataInode="4472" hidden="true" enabled="2" enabledCaller="android" />
<pkg name="com.google.android.apps.maps" ceDataInode="4439" enabled="3" enabledCaller="com.android.settings" domainVerificationStatus="2" app-link-generation="4">apk 被 hide 后,保留的信息:hidden=”true”
apk 被 disable 后,依据 setApplicationEnabledSetting 传入的常量参数不同,enabled= 的值就会不同,如下介绍:
public static final int COMPONENT_ENABLED_STATE_DISABLED = 2; // disable 利用时,若传入此参数,则利用在桌面没有图标,且在设置界面、应用程序列表外面也没有图标(利用齐全暗藏了)public static final int COMPONENT_ENABLED_STATE_DISABLED_USER = 3; // disable 利用时,若传入此参数,则利用在桌面没有图标,然而在设置界面、应用程序列表外面有图标 (只是桌面图标暗藏了,设置外面仍能够看到图标,用户能够再次 enable 此利用)另外:adb shell pm disable-user 利用包名:相当于传入的参数是 COMPONENT_ENABLED_STATE_DISABLED。
查看手机有哪些利用处于 disable 状态的办法:
办法 1:adb shell pm list packages -d
C:\Users\zzz>adb shell pm list packages -d
package:com.facebook.services
package:com.google.android.videos
package:com.facebook.appmanager
办法 2:adb shell pm dump packages > Desktop/log2.txt
enabled=2 —-> 示意利用处于 disable 状态,对应的值:COMPONENT_ENABLED_STATE_DISABLED
Package [com.facebook.appmanager] (a926214):
userId=10098
pkg=Package{9ae0abd com.facebook.appmanager}
codePath=/system/app/appmanager
resourcePath=/system/app/appmanager
legacyNativeLibraryDir=/system/app/appmanager/lib
primaryCpuAbi=arm64-v8a
secondaryCpuAbi=null
versionCode=277606887 minSdk=21 targetSdk=30
versionName=67.3.0
splits=[base]
apkSigningVersion=2
applicationInfo=ApplicationInfo{9ae0abd com.facebook.appmanager}
flags=[SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA]
privateFlags=[PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ALLOW_AUDIO_PLAYBACK_CAPTURE HAS_DOMAIN_URLS PRIVATE_FLAG_ALLOW_NATIVE_HEAP_POINTER_TAGGING]
forceQueryable=false
queriesIntents=[Intent { act=com.facebook.secure.packagefinder.intent.ACTION_QUERY_PACKAGES}]
dataDir=/data/user/0/com.facebook.appmanager
supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
timeStamp=2021-07-12 23:30:37
firstInstallTime=2021-07-12 23:30:37
lastUpdateTime=2021-07-12 23:30:37
signatures=PackageSignatures{18e58b2 version:2, signatures:[c4e416cc], past signatures:[]}
installPermissionsFixed=true
pkgFlags=[SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA]
declared permissions:
com.facebook.appmanager.ACCESS: prot=signature, INSTALLED
com.facebook.appmanager.API_ACCESS: prot=normal, INSTALLED
install permissions:
android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true
android.permission.FOREGROUND_SERVICE: granted=true
android.permission.RECEIVE_BOOT_COMPLETED: granted=true
android.permission.INTERNET: granted=true
android.permission.GET_PACKAGE_SIZE: granted=true
com.facebook.appmanager.ACCESS: granted=true
android.permission.ACCESS_NETWORK_STATE: granted=true
android.permission.ACCESS_WIFI_STATE: granted=true
android.permission.WAKE_LOCK: granted=true
User 0: ceDataInode=4785 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=2 instant=false virtual=false
overlay paths:
/product/overlay/NavigationBarModeGestural/NavigationBarModeGesturalOverlay.apk
lastDisabledCaller: android
gids=[3003]查看哪些利用属于零碎签名?
办法:adb shell pm dump packages > Desktop/log2.txt
包名为 ”android” 的 apk 属于平台 apk,必定是零碎签名,首先看一下包名为 ”android” 的 apk 的签名信息:
Package [android] (ad28bfa):
userId=1000
sharedUser=SharedUserSetting{769a3df android.uid.system/1000}
pkg=Package{6103b22 android}
codePath=/system/framework/framework-res.apk
resourcePath=/system/framework/framework-res.apk
legacyNativeLibraryDir=/system/lib64/framework-res
primaryCpuAbi=arm64-v8a
secondaryCpuAbi=null
versionCode=30 minSdk=30 targetSdk=30
versionName=11
splits=[base]
apkSigningVersion=3
applicationInfo=ApplicationInfo{6103b22 android}
flags=[SYSTEM PERSISTENT ALLOW_BACKUP]
privateFlags=[PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ALLOW_AUDIO_PLAYBACK_CAPTURE DEFAULT_TO_DEVICE_PROTECTED_STORAGE DIRECT_BOOT_AWARE PRIVILEGED PRIVATE_FLAG_ALLOW_NATIVE_HEAP_POINTER_TAGGING]
forceQueryable=true
queriesPackages=[]
dataDir=/data/system
supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
timeStamp=2021-07-12 23:27:41
firstInstallTime=2021-07-12 23:27:41
lastUpdateTime=2021-07-12 23:27:41
signatures=PackageSignatures{539b9b3 version:3, signatures:[a0521abc], past signatures:[]}
installPermissionsFixed=true
pkgFlags=[SYSTEM PERSISTENT ALLOW_BACKUP]
declared permissions:
android.permission.READ_CONTACTS: prot=dangerous, INSTALLED
android.permission.WRITE_CONTACTS: prot=dangerous, INSTALLED
........
User 0: ceDataInode=4316 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=0 instant=false virtual=false
overlay paths:
/product/overlay/NavigationBarModeGestural/NavigationBarModeGesturalOverlay.apk
从下面信息能够看到,签名信息:signatures:[a0521abc],而后在 log2.txt 文件全局搜寻“a0521abc”,能够列出所有零碎签名的利用。
结语:后续会继续更新哦,喜爱的话点赞关注一下吧。
相干视频
【Android 进阶】APK 的加固优化
正文完