Activity component security (bottom): activity component

Source: Internet
Author: User

What is Activity hijacking?

Simply put, an attacker replaces the app's legitimate Activity interface with a counterfeit malicious Activity in order to attack the user or misuse the app. Interface hijacking attacks are often hard to recognize; they cause serious losses for users and are a nightmare for mobile application developers. For example, when a user opens an app on an Android phone and reaches the login page, malware detects the action and immediately pops up an Activity that looks the same as the application's interface, covering the legitimate Activity almost imperceptibly. The user then enters the user name and password into the malware's Activity. What happens in the end can be imagined.

Causes of Activity interface hijacking

Many netizens found that if FLAG_ACTIVITY_NEW_TASK is added to an Activity, it can be placed on top of the stack and presented to the user immediately. What if that Activity is a disguised one built for account theft? In the Android system, a program can enumerate the currently running processes without declaring any other permission. A program can therefore start a background service that constantly scans the running processes and launches a disguised Activity as soon as it finds that the target process has started. If that Activity imitates a logon interface, it can obtain the user's account and password.

Common attack methods
  • Listen to the system's Logcat logs. Once an Activity interface switch is detected, the attack is launched and the fake Activity is laid over the real one for spoofing. As developers generally know, ActivityManagerService prints Logcat log entries that contain interface information; a malicious program reads this information through Logcat and uses it to monitor client startup and Activity interface switching.

  • Listen to system APIs. Once a malicious program is listening on the API components related to the target interface, it can initiate an attack.

  • Reverse the APK: attackers can decompile and reverse-engineer the APK to understand the application's business logic and then perform targeted Activity interface hijacking attacks.

WooYun vulnerability reports on known security issues of Activity components

Android: hijacking with a floating window to phish accounts

Construction Bank Android client: design logic defect allows users to be phished

How should R&D personnel prevent this?

For users

Android phones have a HOME key (the small house icon); you can press it to view recent tasks. When you need to enter a password to log on, press the HOME key and look at the recent tasks. If the recent tasks list shows a task that should not be there at logon time, the current logon interface is very likely a malicious disguised Activity. Switch to another program and check the recent tasks again to find out which program the logon interface comes from.

For developers

A common practice is to check, in the onPause method of key Activities such as the logon window or screens that accept private user input, whether the foreground Activity belongs to the application itself or to a system application. If a risk is discovered, the user is shown a warning that the logon interface has been overwritten, together with the class name of the Activity that overwrote it.

The following code shows a common Activity interface hijacking prevention measure for developers:

First, override the onKeyDown and onPause methods in the legitimate logon Activity, so that an alert message is displayed when the Activity is covered. The code is as follows:

// Inside the logon Activity. Needs android.content.Intent, android.view.KeyEvent
// and android.widget.Toast.

// Stays true unless the user leaves the Activity on purpose.
private boolean needAlarm = true;

@Override
public boolean onKeyDown(int keyCode, KeyEvent event) {
    // Determine whether the program goes to the background because of the user
    // (BACK or HOME key pressed); if so, no alert is required.
    // Note: KEYCODE_HOME is handled by the framework and is never delivered to
    // applications, so in practice only the BACK branch is reached here.
    if ((keyCode == KeyEvent.KEYCODE_BACK || keyCode == KeyEvent.KEYCODE_HOME)
            && event.getRepeatCount() == 0) {
        needAlarm = false;
    }
    return super.onKeyDown(keyCode, event);
}

@Override
protected void onPause() {
    // If the program goes to the background without a user action, show the warning.
    if (needAlarm) {
        // Show the warning message.
        Toast.makeText(getApplicationContext(),
                "Your logon interface is overwritten. Check whether the logon environment is secure.",
                Toast.LENGTH_SHORT).show();
        // Start our AlarmService to report the class name.
        Intent intent = new Intent(this, AlarmService.class);
        startService(intent);
    }
    super.onPause();
}

Then implement AlarmService.java and register it in AndroidManifest.xml.

import android.app.ActivityManager;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import android.widget.Toast;

public class AlarmService extends Service {

    boolean isStart = false;
    Handler handler = new Handler();

    Runnable alarmRunnable = new Runnable() {
        @Override
        public void run() {
            // Get the ActivityManager.
            ActivityManager activityManager =
                    (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
            // getRunningTasks returns a List with at most as many entries as the
            // input parameter; get(0) is the first element, that is, the task at
            // the top of the stack. The method is deprecated since API 21 and from
            // then on reports only the caller's own tasks.
            ActivityManager.RunningTaskInfo info = activityManager.getRunningTasks(1).get(0);
            // Get the class name at the top of the current stack. The full class
            // name and the package name can be obtained as well, as required.
            String shortClassName = info.topActivity.getShortClassName(); // class name
            // Full class name
            // String className = info.topActivity.getClassName();
            // Package name
            // String packageName = info.topActivity.getPackageName();
            Toast.makeText(getApplicationContext(),
                    "The currently running program is " + shortClassName,
                    Toast.LENGTH_LONG).show();
        }
    };

    @Override
    public int onStartCommand(Intent intent, int flag, int startId) {
        super.onStartCommand(intent, flag, startId);
        if (!isStart) {
            isStart = true;
            // Start alarmRunnable after one second.
            handler.postDelayed(alarmRunnable, 1000);
            stopSelf();
        }
        return START_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
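The listings above warn and report a class name, but they never perform the check described under "For developers": is the foreground Activity our own or a system application? One way to write that check, as an added example that is not part of the original article; the class ForegroundCheck and its method names are hypothetical.

```java
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.List;
// Added example: ForegroundCheck and its method names are hypothetical.
public final class ForegroundCheck {
    private ForegroundCheck() {}

    /** Component on top of the task stack, or null if none is reported. */
    @SuppressWarnings("deprecation")
    public static ComponentName topActivity(Context context) {
        ActivityManager am =
                (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
        // From API 21 on, getRunningTasks() reports only the caller's own tasks
        // (plus non-sensitive ones such as home), so other apps' Activities are
        // visible to this check only on older Android versions.
        List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
        return (tasks == null || tasks.isEmpty()) ? null : tasks.get(0).topActivity;
    }

    /** True when the component belongs to this app or to a system application. */
    public static boolean isSelfOrSystem(Context context, ComponentName top) {
        if (top == null) {
            return false; // unknown foreground: let the caller warn
        }
        String pkg = top.getPackageName();
        if (pkg.equals(context.getPackageName())) {
            return true;
        }
        try {
            ApplicationInfo info = context.getPackageManager().getApplicationInfo(pkg, 0);
            return (info.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // package cannot be resolved: treat as untrusted
        }
    }

    /** Warning text naming the covering class, or null when no warning is needed. */
    public static String warningFor(Context context) {
        ComponentName top = topActivity(context);
        if (isSelfOrSystem(context, top)) {
            return null;
        }
        String name = (top == null) ? "unknown" : top.getClassName();
        return "Your logon interface is overwritten by " + name;
    }
}
```

Call warningFor() from the delayed Runnable in AlarmService, at the point where the article's code reads the top Activity, and show the returned text only when it is not null.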

 
