Activity hijacking and anti-hijacking (1)
1. Activity scheduling mechanism
To give a smooth user experience, Android switches between applications almost seamlessly: switching only means bringing one Activity to the foreground while the other application is covered in the background and is no longer visible. An Activity is, roughly, one screen with which the user interacts. Activity scheduling in Android is managed by AmS (ActivityManagerService, the Activity management service). Whenever an application wants to start or stop an Activity, it first reports this to AmS. On receiving a start or stop request, AmS first updates its internal records and then tells the corresponding process to run or stop the specified Activity. When a new Activity is started, the previous Activity is stopped. All Activities are kept in a system-wide Activity history stack: each newly started Activity is pushed onto the top of the stack and displayed on the phone, and pressing the back key pops the top Activity and restores the previous one. The top of the stack is always the Activity the user currently sees.
2. Android design defect-Activity hijacking
If an Activity is started with the FLAG_ACTIVITY_NEW_TASK flag, it is placed at the top of the stack and presented to the user immediately.
However, such a design has a defect. What if this Activity is a disguised Activity for account theft?
On Android, a program can enumerate the currently running processes without declaring any extra permission. A program can therefore start a background service that continuously scans the running processes and, as soon as it sees the target process start, launches a disguised Activity of its own. If that disguised Activity imitates a logon screen, it can collect the user's account name and password.
A service running in the background can therefore do two things: 1. determine which Activity is currently in the foreground, and 2. bring an Activity of its own app to the foreground.
In this way a malicious developer can target a specific application. For any application with a logon screen, the attacker forges an identical-looking screen, and an ordinary user cannot tell whether the screen is genuine. Once the user has entered the user name and password, the malicious program quietly uploads them to its server. This is very dangerous.
Implementation principle: a receiver registered for android.intent.action.BOOT_COMPLETED starts a service. The service starts a timer and repeatedly checks whether any of a preset list of target processes is currently running. When one is found, the service starts its phishing screen with FLAG_ACTIVITY_NEW_TASK and so intercepts the logon credentials intended for the legitimate application.
3. Example
The following is the sample code.
```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sinaapp.msdxblog.android.activityhijacking"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk android:minSdkVersion="4" />

    <!-- INTERNET is needed to send the captured credentials out;
         RECEIVE_BOOT_COMPLETED lets the receiver below start the service at boot. -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

    <application
        android:name=".HijackingApplication"
        android:icon="@drawable/icon"
        android:label="@string/app_name" >

        <!-- The launcher Activity uses a transparent theme, so nothing visible
             appears when it is brought to the front. -->
        <activity
            android:name=".activity.HijackingActivity"
            android:theme="@style/transparent"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- The disguised screens that imitate the target applications' logon interfaces. -->
        <activity android:name=".activity.sadstories.JokeActivity" />
        <activity android:name=".activity.sadstories.QQStoryActivity" />
        <activity android:name=".activity.sadstories.AlipayStoryActivity" />

        <!-- Boot receiver: starts the background service after the device boots. -->
        <receiver
            android:name=".receiver.HijackingReceiver"
            android:enabled="true"
            android:exported="true" >
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>

        <!-- The service that enumerates running processes. -->
        <service android:name=".service.HijackingService" >
        </service>

    </application>

</manifest>
```
In the manifest above, a service is declared that enumerates the currently running processes. If the app does not need to start at boot, even the `<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />` line can be removed, leaving only the INTERNET permission needed to send out the captured account and password. Looking at the AndroidManifest file alone, nothing appears abnormal.
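Since the manifest gives no warning sign, the defence has to live in the application that is being targeted. The following is an added example and is not code from the original article: a logon Activity that applies the stack mechanism from section 1 in reverse. The hijack works by pushing a foreign Activity on top of the logon screen; that event delivers onPause() to the logon Activity, which can then read the new top of the history stack and compare its package with its own. Package, class and layout names here are hypothetical. The check relies on ActivityManager.getRunningTasks(), which requires the GET_TASKS permission on old Android versions, is deprecated since API 21, and on current releases only reports the caller's own tasks, so on those versions the check silently does nothing and the app must rely on platform protections instead.

```java
// Added example (not part of the original article): a logon Activity that
// detects the moment it is covered by another application's Activity.
// Package, class and layout names are hypothetical.
package com.example.antihijack;

import android.app.Activity;
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.widget.Toast;

import java.util.List;

public class LoginActivity extends Activity {

    private static final String TAG = "LoginActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout resource
    }

    // onPause() is delivered as soon as another Activity is pushed on top of
    // this one in the history stack. If that Activity belongs to a different
    // package, the logon screen has just been covered, which is exactly what
    // the hijacking service described in the article does.
    @Override
    protected void onPause() {
        super.onPause();
        ComponentName top = topActivity();
        if (top != null && !getPackageName().equals(top.getPackageName())) {
            Log.w(TAG, "Logon screen covered by " + top.flattenToShortString());
            // Plain text toasts are still shown for a paused app, so the user
            // sees the warning on top of whatever screen replaced ours.
            Toast.makeText(getApplicationContext(),
                    "Warning: the logon screen was covered by another app. "
                            + "Do not enter your password.",
                    Toast.LENGTH_LONG).show();
        }
    }

    // Returns the Activity at the top of the history stack, or null when it
    // cannot be determined. getRunningTasks() needs GET_TASKS on old versions,
    // is deprecated since API 21 and only returns the caller's own tasks on
    // current releases; in that case no foreign package is ever reported.
    private ComponentName topActivity() {
        ActivityManager am =
                (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        if (am == null) {
            return null;
        }
        List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
        if (tasks == null || tasks.isEmpty()) {
            return null;
        }
        return tasks.get(0).topActivity;
    }
}
```

The warning is raised from the paused Activity rather than from a background service of its own, so the defending app needs no additional permission and no timer; it reacts only to the lifecycle event that the hijack cannot avoid triggering. Where getRunningTasks() no longer reports other packages, the comparison always sees the app's own package and the warning is never shown, which is why this check is a complement to, not a replacement for, the platform's own restrictions on launching Activities from the background.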