Preface

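Anyone who has recently published an app to the app stores has probably noticed that China is taking user privacy more and more seriously. For data such as the MAC address, device ID and IMEI, you either do not collect it at all, or you must clearly inform the user that you want to obtain it. For the relevant laws and regulations, see the Cybersecurity Law (《网络安全法》) and the Notice on Carrying Out Special Rectification of Apps Infringing on User Rights and Interests.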

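Getting straight to the point

Without further ado: I looked at several decompilation tools, skimmed how each one is used, and settled on androguard. The official description: reverse engineering and malware analysis of Android applications. It provides a range of analysis and processing functions for APK, dex, odex, arsc and similar files, and makes it easy to find the places where system permissions are used. It is also driven from Python scripts, which could hardly be more convenient.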

Environment

  • python

    https://www.python.org
  • pycharm

    https://www.jetbrains.com/pycharm/download/
  • androguard

    https://androguard.readthedocs.io/en/latest/

    Installation

    pip install -U androguard

    If you want to work directly from the command line, run the following after installation:

    androguard analyze

    The result is as shown in the figure:

    Then load the APK. After running the command above, enter the following:

    a, d, dx = AnalyzeAPK("examples/android/abcore/app-prod-debug.apk")

    Once the APK has loaded, you can call the relevant APIs to get information.

    Get permissions

    In [2]: a.get_permissions()
    Out[2]:
    ['android.permission.INTERNET',
     'android.permission.WRITE_EXTERNAL_STORAGE',
     'android.permission.ACCESS_WIFI_STATE',
     'android.permission.ACCESS_NETWORK_STATE']

    Get activities

    In [3]: a.get_activities()
    Out[3]:
    ['com.greenaddress.abcore.MainActivity',
     'com.greenaddress.abcore.BitcoinConfEditActivity',
     'com.greenaddress.abcore.AboutActivity',
     'com.greenaddress.abcore.SettingsActivity',
     'com.greenaddress.abcore.DownloadSettingsActivity',
     'com.greenaddress.abcore.PeerActivity',
     'com.greenaddress.abcore.ProgressActivity',
     'com.greenaddress.abcore.LogActivity',
     'com.greenaddress.abcore.ConsoleActivity',
     'com.greenaddress.abcore.DownloadActivity']

    Other

    # Package name
    In [4]: a.get_package()
    Out[4]: 'com.greenaddress.abcore'

    # App name
    In [5]: a.get_app_name()
    Out[5]: u'ABCore'

    # Logo
    In [6]: a.get_app_icon()
    Out[6]: u'res/mipmap-xxxhdpi-v4/ic_launcher.png'

    # Version code
    In [7]: a.get_androidversion_code()
    Out[7]: '2162'

    # Version name
    In [8]: a.get_androidversion_name()
    Out[8]: '0.62'

    # Minimum supported SDK
    In [9]: a.get_min_sdk_version()
    Out[9]: '21'

    # Maximum
    In [10]: a.get_max_sdk_version()

    # Target version
    In [11]: a.get_target_sdk_version()
    Out[11]: '27'

    # Effective target version
    In [12]: a.get_effective_target_sdk_version()
    Out[12]: 27

    # Manifest file
    In [13]: a.get_android_manifest_xml()
    Out[13]: <Element manifest at 0x7f9d01587b00>

    And so on. There are simply too many APIs to cover here, so refer to the official documentation; if you can think of it, it is probably there. The link is below:

    https://androguard.readthedocs.io/en/latest/intro/gettingstarted.html#using-the-analysis-object

    More demos

https://github.com/androguard/androguard/tree/master/examples

Now let's get straight into practice.

Find where sensitive permissions are used and write the results to a file

Below is the implementation that checks an APK for use of sensitive permissions:

    import os
    import sys

    # Add the androguard source directory to the import path; adjust to where you keep it
    androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
    if androguard_module_path not in sys.path:
        sys.path.append(androguard_module_path)

    from androguard.misc import AnalyzeAPK
    from androguard.core.androconf import load_api_specific_resource_module

    path = r"/apk"
    out_path = r"/out"

    files = []
    path_list = os.listdir(path)
    path_list.sort()
    for name in path_list:
        if os.path.isfile(os.path.join(path, name)):
            files.append(name)


    def main():
        for apkFile in files:
            file_name = os.path.splitext(apkFile)[0]
            print(apkFile)
            out = AnalyzeAPK(path + '/' + apkFile)
            # APK object: gives access to APK information such as version, package name, activities
            a = out[0]
            # Array of DalvikVMFormat objects; each element corresponds to a classes.dex,
            # from which classes, methods or strings can be read
            d = out[1]
            # Analysis object: it holds special classes that link information about classes.dex
            # and can handle many dex files at once, so the whole APK is analysed from here
            dx = out[2]

            # API-to-permission mapping
            # Output file path
            api_perm_filename = os.path.join(out_path, file_name + "_api-perm.txt")
            # Permission mapping
            permissionMap = load_api_specific_resource_module('api_permission_mappings')

            with open(api_perm_filename, 'w', encoding='utf-8') as api_perm_file:
                # Iterate over every method in the APK
                for meth_analysis in dx.get_methods():
                    meth = meth_analysis.get_method()
                    # Build the lookup key from class name, method name and descriptor
                    name = meth.get_class_name() + "-" + meth.get_name() + "-" + str(
                        meth.get_descriptor())

                    # If the method is a permission-protected system API, write it to the file
                    perms = permissionMap.get(name)
                    if perms is not None:
                        result = str(meth) + ' : ' + str(perms)
                        api_perm_file.write(result + '\n')


    if __name__ == '__main__':
        main()

Output

    Landroid/app/Activity;->navigateUpTo(Landroid/content/Intent;)Z : ['android.permission.BROADCAST_STICKY']
    Landroid/app/Activity;->onMenuItemSelected(I Landroid/view/MenuItem;)Z : ['android.permission.BROADCAST_STICKY']
    Landroid/app/Activity;->setRequestedOrientation(I)V : ['android.permission.BROADCAST_STICKY']
    Landroid/app/Activity;->unregisterReceiver(Landroid/content/BroadcastReceiver;)V : ['android.permission.BROADCAST_STICKY']
    Landroid/os/PowerManager$WakeLock;->acquire(J)V : ['android.permission.WAKE_LOCK']
    Landroid/os/PowerManager$WakeLock;->release()V : ['android.permission.WAKE_LOCK']
    Landroid/location/LocationManager;->isProviderEnabled(Ljava/lang/String;)Z : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
    Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location; : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
    Landroid/app/ActivityManager;->getRunningTasks(I)Ljava/util/List; : ['android.permission.GET_TASKS']
    Landroid/accounts/AccountManager;->invalidateAuthToken(Ljava/lang/String; Ljava/lang/String;)V : ['android.permission.MANAGE_ACCOUNTS', 'android.permission.USE_CREDENTIALS']
    Landroid/net/ConnectivityManager;->getNetworkInfo(I)Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
    Landroid/net/ConnectivityManager;->isActiveNetworkMetered()Z : ['android.permission.ACCESS_NETWORK_STATE']
    Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; : ['android.permission.ACCESS_NETWORK_STATE']
    Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
    Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
    Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']

Each output line gives the system class, the method called, and the permissions it requires.
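A follow-up triage step for this report, as an added example that is not part of the original post: it parses `_api-perm.txt` lines and groups the called APIs by privacy-sensitive permission. The `SENSITIVE` watchlist and the function names are assumptions chosen for illustration; the sample lines are copied from the output above, plus one constructed malformed line to show that it is skipped.

```python
import ast
import re
from collections import defaultdict

# Permissions treated as privacy-sensitive here (an assumption; adjust to your policy).
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.GET_TASKS",
}

# One report line: "<class>-><method><descriptor> : ['perm', ...]"
LINE_RE = re.compile(r"^(L[^;]+;)->([^(]+)(\(.*\)\S+) : (\[.*\])$")

def parse_line(line):
    """Return (class, method, descriptor, [permissions]) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        perms = ast.literal_eval(m.group(4))  # safe parse of the printed list
    except (ValueError, SyntaxError):
        return None
    if not isinstance(perms, list) or not all(isinstance(p, str) for p in perms):
        return None
    return m.group(1), m.group(2), m.group(3), perms

def sensitive_calls(report_text, watchlist=SENSITIVE):
    """Map each watchlisted permission to the sorted 'Class->method' names needing it."""
    hits = defaultdict(set)
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines instead of failing the run
        cls, meth, _desc, perms = parsed
        for perm in perms:
            if perm in watchlist:
                hits[perm].add(f"{cls}->{meth}")
    return {perm: sorted(calls) for perm, calls in hits.items()}

# Sample report: four lines from the output above and one constructed malformed line.
SAMPLE = """\
Landroid/os/PowerManager$WakeLock;->acquire(J)V : ['android.permission.WAKE_LOCK']
Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location; : ['android.permission.ACCESS_COARSE_LOCATION', 'android.permission.ACCESS_FINE_LOCATION']
Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String; : ['android.permission.READ_PHONE_STATE']
not a report line
"""
```

Calling `sensitive_calls(open(report_path, encoding='utf-8').read())` on a real report gives a per-permission list that can be compared against what the app's privacy notice discloses.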

Find where a given system method is called and print the call sites

    import os
    import sys

    # Add the androguard source directory to the import path; adjust to where you keep it
    androguard_module_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'androguard')
    if androguard_module_path not in sys.path:
        sys.path.append(androguard_module_path)

    from androguard.misc import AnalyzeAPK
    from androguard.core.androconf import load_api_specific_resource_module

    path = r"/apk"
    out_path = r"/out"

    files = []
    path_list = os.listdir(path)
    path_list.sort()
    for name in path_list:
        if os.path.isfile(os.path.join(path, name)):
            files.append(name)


    def main():
        for apkFile in files:
            file_name = os.path.splitext(apkFile)[0]
            print(apkFile)
            out = AnalyzeAPK(path + '/' + apkFile)
            a = out[0]
            d = out[1]
            dx = out[2]

            for meth in dx.classes['Ljava/io/File;'].get_methods():
                print("usage of method {}".format(meth.name))
                # Get the functions that reference this function
                for _, call, _ in meth.get_xref_from():
                    print("  called by -> {} -- {}".format(call.class_name, call.name))


    if __name__ == '__main__':
        main()

Output

    usage of method getPath
      called by -> Landroid/support/v4/util/AtomicFile; -- <init>
    usage of method <init>
      called by -> Landroid/support/v4/util/AtomicFile; -- <init>
    usage of method delete
      called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
      called by -> Landroid/support/v4/util/AtomicFile; -- delete
      called by -> Landroid/support/v4/util/AtomicFile; -- delete
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
      called by -> Landroid/support/v4/util/AtomicFile; -- openRead
      called by -> Landroid/support/v4/util/AtomicFile; -- finishWrite
    usage of method renameTo
      called by -> Landroid/support/v4/util/AtomicFile; -- openRead
      called by -> Landroid/support/v4/util/AtomicFile; -- failWrite
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
    usage of method exists
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
      called by -> Landroid/support/v4/util/AtomicFile; -- openRead
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
    usage of method getParentFile
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite
    usage of method mkdir
      called by -> Landroid/support/v4/util/AtomicFile; -- startWrite

  • 'Ljava/io/File;' is the class to inspect
  • meth.get_xref_from() gets the places where a method of that class is referenced
  • You can also build your own list of the functions you want to check, then add an if filter to the code above
    If you want to find which methods in the app call the Android system location service, you can do this:

    dx.classes['Landroid/location/LocationManager;']

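    Run the script again and you will see the results.

    Conclusion

    I wrote this post mainly so that more people know about this tool. When I searched for articles myself, I found there was not much to refer to, which leaves many people not knowing where to start. The official documentation is actually very detailed, but it is in English and not convenient to read. I hope this short article helps you; if you have questions, contact me or leave a comment.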
