Android system root and silent installation

Last Update:2015-05-15 Source: Internet

Author: User

Tags root access

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Android system root and silent installation <blockquote> <blockquote> Silent installation, which refers to installation without any user intervention, directly to the default settings to install the app. because, It does not need user intervention, in many cases become the user does not know, the application unknowingly Installed. is in the promotion of extremely rogue means, very similar to the bundled installation on the PC. Because the silent installation is extremely rogue promotion behavior, so, Its promotion price is extremely high. </blockquote> </blockquote>Android apps are installed in four different ways <table> <thead> <tr> <th align="left">installation Form</th> <th align="left">Completion Method</th> </tr> </thead> <tbody> <tr> <td align="left">System Application Installation</td> <td align="left">Complete the boot, need to join the boot execution script, no installation interface</td> </tr> <tr> <td align="left">Network Download Application Installation</td> <td align="left">Complete with System Market application, no Installation Interface</td> </tr> <tr> <td align="left">Installation in the ADB tool</td> <td align="left">Using the PM install command, there is no installation interface.</td> </tr> <tr> <td align="left">Third-party App Installation</td> <td align="left">Installed via the SD card apk file, There is an installation interface, which is handled by the PACKAGEINSTALLER.APK application to handle the installation and uninstallation Process.</td> </tr> </tbody> </table>Process and path for application installation <table> <thead> <tr> <th align="left">Catalogue</th> <th align="left">Key Features</th> </tr> </thead> <tbody> <tr> <td align="left">/system/app</td> <td align="left">The system comes with the application to store, the root permission can change</td> </tr> <tr> <td align="left">/data/app</td> <td align="left">User program installs the directory, has the delete Permission. Copy the apk file to this directory during installation</td> </tr> <tr> <td align="left">/data/data</td> <td align="left">Store data for your application</td> </tr> <tr> <td align="left">Data/dalvik-cache</td> <td align="left">Install the Dex file in the APK into the Dalvik-cache directory</td> </tr> </tbody> </table>installation Process Copy the APK installation package into the Data/app directory, unzip and scan the installation package, save the Dex file (dalvik Bytecode) to the Dalvik-cache directory, and create the corresponding application Data directory in the Data/data directory.Uninstallation Process Delete the files and directories created in the above three directories during the installation Process.Permission declarations <blockquote> <blockquote> Google's security policy requires that any app should prompt the APK installation package at the time of installation confirmation, confirming the Developer's rights in Androidmanafest.xml. Of course, Google has also done some things on android, allowing some of the system's internal apps to be installed without an authorized Interface. And the system into the installation interface is actually based on this intent jump to the Packageinstaller application to complete the prompt and installation of permissions. </blockquote> </blockquote>Here we write the code piece ' We control the app app in the app, actually sending a intent as Follows. To call Packageinstaller for installation, The specific operation code is as Follows:<pre class="prettyprint"><pre class="prettyprint"><code class=" hljs avrasm">/* 安装apk */Intent intent = new Intent();intent.setAction(Intent.ACTION_VIEW);intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);intent.setDataAndType(Uri.parse("file://"+ fileName)， "application/vnd.android.package-archive");context.startActivity(intent);</code></pre></pre>In contrast to the normal installation process, the essence of a silent installation is to remove the process that the user authorizes to install as shown, and install the application directly.SOURCE AnalysisAfter reading the source code we know that the system installation process is actually called the system Packageinstaller to Complete. If you want to install silently, find a way to bypass the permission-granting prompts in Packageinstaller and continue with the installation steps. so, The idea is very simple, we can operate from two aspects: <ul> <ul> <li>Find the Packageinstaller source code, skip permission to grant reminders, directly call the following installation API to complete the Installation. (this allows good compatibility with normal installation, not easy to Error)</li> <li>Install using the PM install Command.</li> </ul> </ul>Calling the hidden API in Packageinstaller <blockquote> <blockquote> View Packageinstaller Source Code We can find that, in fact, Packageinstaller is also installed by using Packagemanager. Called is its installpackage method, but this method is an abstract, and is not visible to the outside (hide), </blockquote> </blockquote>The definition is as Follows:<pre class="prettyprint"><pre class="prettyprint"><code class="hljs java">public abstractclass Packagemanager {..... /** * Install app apk file * @param Packageuri The location of the apk file to be installed, can be ' File: ' or ' content: ' URI. * @param Observer an APK file installation Status Viewer * @param Flags installation form install_forward_lock, install_replace_existing, Install_allow_test. * @paraminstallerPackageName APK installation package PackageName */ //@SystemApi public abstract void installpackage (uripackageuri, packageinstallobserverobserver,int flags, stringinstallerpackagename);} </code> </pre></pre>and Packagemanager and InstallPackage both are abstract abstractions. Its implementation is in applicationpackagemanager, and its implementation in InstallPackage Is:<pre class="prettyprint"><pre class="prettyprint"><code class=" hljs java">final classApplicationPackageManager extends PackageManager { ...... ApplicationPackageManager(ContextImpl context， IPackageManager pm) { mContext = context; mPM = pm; } @Override publicvoidinstallPackage(Uri packageURI， IPackageInstallObserver observer，intflags， String installerPackageName){ try { mPM.installPackage(packageURI， observer， flags， installerPackageName); catch (RemoteException e) { // Should never happen! } }}</code></pre></pre>The InstallPackage method for the visible call is the InstallPackage method in Ipackagemanager. In Contextimpl by invoking the Activitythread.getpackagemanager () Gets the Ipackagemanager instance Object. In the Activitythread.getpackagemanager () method, the service named package in Systemservice is called to Instantiate. The code is as Follows:<pre class="prettyprint"><pre class="prettyprint"><code class=" hljs cs">staticIPackageManager sPackageManager;publicgetPackageManager() { ifnull) { return sPackageManager; } IBinder b = ServiceManager.getService("package"); sPackageManager = IPackageManager.Stub.asInterface(b); return sPackageManager;}</code></pre></pre>Because InstallPackage is the System's api, in order to use Packagemanagerservice.installpackage (), consider using the reflection mechanism to invoke InstallPackage ().But what is hard to get is the type of ipackageinstallobserver in its argument, and we look at Ipackageinstallobserver and find that ipackageinstallobserver is defined by the Aidl file. This too can not fail us, through the characteristics of the Aidl file, Copy the Ipackageinstallobserver.aidl file into the local program, you can get the class ipackageinstallobserver.calss, which reflects the InstallPackage () method.however, when invoke calls the method, it cannot get the instance object of Ipackageinstallobserver. The instance object of Ipackageinstallobserver must be obtained by means of IPackageInstallObserver.Stub.asInterface (binder binder) and cannot get the binder object it binds to. therefore, the reflected method cannot be Executed.second, It should be the system API that declares the right to install the app: android.permission.INSTALL_PACKAGES. This kind of more sensitive permission was not said to be given by the claims system, but also required that our installation package APK file had the same signature as the system in order to complete the silent installation Operation. The silent installation of this method is unrealistic for widespread application.Installing using the PM command <blockquote> <blockquote> The PM command is an android Packagemanage command line that is used to install the package Operation. And the system is mainly to provide us in ADB The PM command is used in the shell, so the PM command also exists under the "/system" directory, and of course, the application with the root authority can use it for silent Installation. </blockquote> </blockquote>The specific operation code is as Follows:<pre class="prettyprint"><code class=" hljs cs"><code class="hljs cs">//xxx.apk placed in the root directory of the built-in storage execcommand ( "system/bin/pminstall-r" + "sdcard/xxx.apk" ); span class= "hljs-comment" >//execute command public Booleanexeccommand (String cmd) {process process = null ; try {process = runtime.getruntime (). exec (cmd); Process.waitfor (); } catch (Exception e) {return false ; } finally {try {process.destroy (); } catch (Exception e) {}} return Span class= "hljs-keyword" >true ;} </code></code></pre> <blockquote> <blockquote> PM Command Source Directory: /frameworks/base/cmds/pm/src/com/android/commands/pm/pm.java, </blockquote> </blockquote>We look at its source code, as Follows:<pre class="prettyprint"><code class=" hljs java"> publicFinalclass Pm {ipackagemanager mPm; Iusermanager mUm;Privateweakhashmap<string, resources> Mresourcecache =Newweakhashmap<string, resources> ();Privatestring[] margs;Private intmnextarg;PrivateString mcurargdata;Private Static FinalString Pm_not_running_err ="error:could not access Thepackage Manager. Is the systemrunning? "; public Static void Main(string[] Args) {NewPm (). Run (args); }/** * Parse Command parameters * @param args parameter */ public void Run(string[] Args) {BooleanValidcommand =false;if(args.length <1) {showusage ();return; } mUm =iusermanager.stub.asinterface (servicemanager.getservice ("user")); MPm =ipackagemanager.stub.asinterface (servicemanager.getservice ("package"));if(mPm = =NULL) {System.err.println (pm_not_running_err);return; } ......if("install". equals (op)) {runinstall ();return; } ...... }/** * Start Installation * / Private void Runinstall() { ......specific calls to//installation logicPackageinstallobserver Obs = Newpackageinstallobserver ();Try{verificationparamsverificationparams =NewVerificationparams (verificationuri, originatinguri, referreruri, verificationparams.no_uid,NULL); Mpm.installpackagewithverificationandencryption (apkuri, obs, installflags, installerpackagename, Verifi cationparams, encryptionparams);synchronized(obs) { while(!obs.finished) {Try{obs.wait (); }Catch(interruptedexception E) { } }if(obs.result ==packagemanager.install_succeeded) {System.out.println ("Success"); }Else{System.err.println ("failure["+installfailuretostring (obs.result) +"]"); } } }Catch(remoteexception E) {System.err.println (e.tostring ()); System.err.println (pm_not_running_err); } } ......}</code></pre>found that the PM command is also called the installation method in packagemanager, but is a verification and encryption method installpackagewithverificationandencryption to Install. That is, its installation process is the same as the Packageinstaller.While we install the app app, can be its own APK installation package files stored in two places "data/app" and "system/app", silent installation of the general situation is to choose to push their own apk file into the "system/app" directory, Because this directory is the system application directory, in this directory of malicious applications, to steal text messages, steal messages and other operations, users are very difficult to detect.Remove preinstalled <blockquote> <blockquote> The main purpose of most ordinary user root phones is to remove pre-installed applications and to remove them, we first need to know what is preinstalled and where they are stored. Or let's change our mind to see where the system manufacturer stores the App's apk file to become a system Application. </blockquote> </blockquote>1. The system default general application storage placeAndroid bundled application software is basically installed under the "/system/app" folder, Delete the corresponding third-party software apk file below to perfect Uninstall. We know that "/system" is the directory of the system, the operation of this directory requires root access, so we delete the pre-installed application requires the root Phone. Each system program is basically paired, and the corresponding delete suffix is. apk and. Odex (optimized dex file) files to remove preinstalled Apps.For example, use root Explorer to view the "/system/app" directory. You can see all of the System's built-in applications in the System. 2. Modifying the pre-installed system boot <blockquote> <blockquote> It is very common to store the apk file in the "/system/app" directory, which leads to the easy uninstallation of the preinstalled Application. Malicious phone ROM will think of a more disgusting way to retain preinstalled applications, such as modifying the logic of the system rom, so that the system at boot time to detect the integrity of their pre-installed and then Reinstall. well, of course, the installation files for preinstalled applications will also be saved in one copy. </blockquote> </blockquote>This type of pre-installed application, also known as "boot silent installation", The common way is to modify the init.rc, add a boot execution script, in the script call a service using the PM install command to install the application in Bulk. For example, from the top of one init.local.rc content is as Follows:<pre class="prettyprint"><pre class="prettyprint"><code class=" hljs avrasm">#Preinstallonproperty:dev.bootcomplete=1 start loadpreinstallsserviceloadpreinstalls /system/bin/logwrapper /system/bin/loadpreinstalls.sh disabled oneshot</code></pre></pre>In the System's init.rc script, call init.local.rc as Follows:<pre class="prettyprint"><code class=" hljs bash">#在sysinit前面加# Include Extrainit fileImport/system/etc/init.local.rc and specific pre-installed scripts exist/system/bin/loadpreinstalls.sh# do preinstall Jobif[ !- e/data/.notfirstrun] thenEcho "dopreinstall sys">>/system/log.txt#安装 all apk files Under/system/preinstallApklist= ' ls/system/preinstall/*.apk ' forInfilesinch $APKLIST do EchoSetup Package:$INFILESPM INSTALL-R$INFILES doneEcho "dopreinstall sd">>/system/log.txt#安装 all apk files Under/sdcard/preinstallApklist= ' ls/sdcard/preinstall/*.apk ' forInfilesinch $APKLIST do EchoSetup Package:$INFILESPM INSTALL-R$INFILES done Echo "do Preinstall ok">>/system/log.txt BusyBox Touch/data/.notfirstrunfiEcho "============================================">>/system/log.txtExit</code></pre>This way do pre-installed users after the use of root Deleted/system/app installed applications under the system restart will be executed after the startup script automatically reload the application back, and pre-installed apk file storage directory according to different system ROM is not the same, is extremely rogue promotion strategy. Of course, we have seen through the analysis, if you want to delete this type of pre-installed applications, only need to scan the entire APK file and then Delete./* * @author Zhoushengtao (Zhou San) * @since January 27, 2015 14:02:22 * @weixin stchou_zst * @blog http://blog.csdn.net/yzzst * @ Exchange Learning QQ group: 341989536 * @ Private qq:445914891 / Android system root and silent installation

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More