Android Accessibility (Auxiliary Function) security issues, android auxiliary functions

Source: Internet
Author: User

Android Accessibility (Auxiliary Function) security issues, android auxiliary functions

Android provides the Accessibility function and service to help users who are unable to conveniently use Android smartphones due to visual acuity, hearing, or other physical causes, including text-to-speech, tactile feedback, gesture operations, trackball and handle operations. Developers can build their own Accessibility services to enhance availability, such as sound prompts, physical feedback, and other optional operation modes.

As the Android version continues to upgrade, the Accessibility function of Android is becoming more and more powerful. Before Android 4.0, the system's auxiliary service functions were relatively simple and only one-way window element information can be obtained, for example, obtain the user input content in the input box. After Android 4.1, the system auxiliary service has added two-way interaction with window elements. In this case, you can use the auxiliary function service to operate window elements, such as clicking a button.

As the system auxiliary service can obtain the window element information of your current application in real time, this may bring you the risk of privacy information leakage, such as obtaining the input content of a non-password input box. At the same time, the auxiliary function can simulate the user's automatic click on the elements in the application, which also brings certain security risks.


This article provides a function to automatically install, uninstall, and forcibly stop an application through the system auxiliary service.


1. Configure the self-implemented MyAccessibilityService in the AndroidManifest. xml file.

<?xml version="1.0" encoding="utf-8"?><manifest xmlns:android="http://schemas.android.com/apk/res/android"    package="com.jack.accessibility"    android:versionCode="1"    android:versionName="1.0" >    <uses-sdk        android:minSdkVersion="8"        android:targetSdkVersion="18" />    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />    <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>        <application        android:allowBackup="true"        android:icon="@drawable/ic_launcher"        android:label="@string/app_name"        android:theme="@style/AppTheme" >        <activity            android:name="com.jack.accessibility.MainActivity"            android:label="@string/app_name" >            <intent-filter>                <action android:name="android.intent.action.MAIN" />                <category android:name="android.intent.category.LAUNCHER" />            </intent-filter>        </activity>        <service android:label="@string/acc_service_name" android:name=".MyAccessibilityService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">            <intent-filter>                <action android:name="android.accessibilityservice.AccessibilityService" />            </intent-filter>            <meta-data android:name="android.accessibilityservice" android:resource="@xml/phone_accessibility" />        </service>    </application></manifest>

2. Configure parameters in res/xml/phone_accessibility.xml.

<?xml version="1.0" encoding="utf-8"?><accessibility-service android:description="@string/accessibility_service_description"     android:accessibilityEventTypes="typeAllMask"      android:accessibilityFeedbackType="feedbackGeneric"      android:notificationTimeout="100"      android:accessibilityFlags=""      android:canRetrieveWindowContent="true"  xmlns:android="http://schemas.android.com/apk/res/android" />

3. Launch the installation, uninstallation, and forced stop actions of MainActivity.

package com.jack.accessibility;import java.io.File;import java.io.FileOutputStream;import java.io.IOException;import java.io.InputStream;import android.net.Uri;import android.os.Bundle;import android.os.Environment;import android.provider.Settings;import android.view.View;import android.app.Activity;import android.content.Intent;public class MainActivity extends Activity {    @Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.activity_main);this.findViewById(R.id.activeButton).setOnClickListener(new View.OnClickListener() {@Overridepublic void onClick(View arg0) {// TODO Auto-generated method stubIntent killIntent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);startActivity(killIntent);}});this.findViewById(R.id.installButton).setOnClickListener(new View.OnClickListener() {@Overridepublic void onClick(View arg0) {// TODO Auto-generated method stubMyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_INSTALL_APP;String fileName = Environment.getExternalStorageDirectory() + "/test.apk"; File installFile = new File(fileName);if(installFile.exists()){installFile.delete();}try {installFile.createNewFile();FileOutputStream out = new FileOutputStream(installFile);byte[] buffer = new byte[512];InputStream in = MainActivity.this.getAssets().open("test.apk");int count;while((count= in.read(buffer))!=-1){out.write(buffer, 0, count);}in.close();out.close();} catch (IOException e) {// TODO Auto-generated catch blocke.printStackTrace();}Intent intent = new Intent(Intent.ACTION_VIEW); intent.setDataAndType(Uri.fromFile(new File(fileName)), "application/vnd.android.package-archive"); startActivity(intent);}});this.findViewById(R.id.uninstallButton).setOnClickListener(new View.OnClickListener() {@Overridepublic void onClick(View arg0) {// TODO Auto-generated method stubMyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_UNINSTALL_APP;Uri packageURI = Uri.parse("package:com.example.test"); Intent uninstallIntent = new Intent(Intent.ACTION_DELETE, packageURI); startActivity(uninstallIntent); }});this.findViewById(R.id.killAppButton).setOnClickListener(new View.OnClickListener() {@Overridepublic void onClick(View arg0) {// TODO Auto-generated method stubMyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_KILL_APP;Intent killIntent = new Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS);Uri packageURI = Uri.parse("package:com.example.test"); killIntent.setData(packageURI);startActivity(killIntent);}});}}


4. In MyAccessibilityService, the application installation, uninstallation, and forced stop functions are achieved through automatic clicking.

Package com. jack. accessibility; import java. util. list; import android. accessibilityservice. accessibilityService; import android. annotation. suppressLint; import android. util. log; import android. view. keyEvent; import android. view. accessibility. accessibilityEvent; import android. view. accessibility. accessibilityNodeInfo; @ SuppressLint ("NewApi") public class MyAccessibilityService extends AccessibilityService {p Ublic static int INVOKE_TYPE = 0; public static final int TYPE_KILL_APP = 1; public static final int TYPE_INSTALL_APP = 2; public static final int TYPE_UNINSTALL_APP = 3; public static void reset () {INVOKE_TYPE = 0 ;}@ Overridepublic void onAccessibilityEvent (AccessibilityEvent event) {// TODO Auto-generated method stubthis. processAccessibilityEnvent (event);} private void processAccessibilityEnvent (Access IbilityEvent) {Log. d ("test", event. eventTypeToString (event. getEventType (); if (event. getSource () = null) {Log. d ("test", "the source = null");} else {Log. d ("test", "event =" + event. toString (); switch (INVOKE_TYPE) {case TYPE_KILL_APP: processKillApplication (event); break; case TYPE_INSTALL_APP: processinstallApplication (event); break; case TYPE_UNINSTALL_APP: processUninstallApplication (event); B Reak; default: break ;}}@ Overrideprotected boolean onKeyEvent (KeyEvent event) {// TODO Auto-generated method stubreturn true;} @ Overridepublic void onInterrupt () {// TODO Auto-generated method stub} private void processUninstallApplication (AccessibilityEvent event) {if (event. getSource ()! = Null) {if (event. getPackageName (). equals ("com. android. packageinstaller ") {List <AccessibilityNodeInfo> OK _nodes = event. getSource (). findAccessibilityNodeInfosByText ("OK"); if (OK _nodes! = Null &&! OK _nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <OK _nodes.size (); I ++) {node = OK _nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") & node. isEnabled () {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK) ;}}}}} private void processinstallApplication (AccessibilityEvent event) {if (event. getSource ()! = Null) {if (event. getPackageName (). equals ("com. android. packageinstaller ") {List <AccessibilityNodeInfo> unintall_nodes = event. getSource (). findAccessibilityNodeInfosByText ("Install"); if (unintall_nodes! = Null &&! Unintall_nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <unintall_nodes.size (); I ++) {node = unintall_nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") & node. isEnabled () {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK) ;}}list <AccessibilityNodeInfo> next_nodes = event. getSource (). findAccessibilityNodeInfosByText ("Next"); if (next_nodes! = Null &&! Next_nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <next_nodes.size (); I ++) {node = next_nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") & node. isEnabled () {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK) ;}}list <AccessibilityNodeInfo> OK _nodes = event. getSource (). findAccessibilityNodeInfosByText ("open"); if (OK _nodes! = Null &&! OK _nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <OK _nodes.size (); I ++) {node = OK _nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") & node. isEnabled () {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK) ;}}}}} private void processKillApplication (AccessibilityEvent event) {if (event. getSource ()! = Null) {if (event. getPackageName (). equals ("com. android. settings ") {List <AccessibilityNodeInfo> stop_nodes = event. getSource (). findAccessibilityNodeInfosByText ("Force stop"); if (stop_nodes! = Null &&! Stop_nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <stop_nodes.size (); I ++) {node = stop_nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") {if (node. isEnabled () {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK) ;}}}list <AccessibilityNodeInfo> OK _nodes = event. getSource (). findAccessibilityNodeInfosByText ("OK"); if (OK _nodes! = Null &&! OK _nodes.isEmpty () {AccessibilityNodeInfo node; for (int I = 0; I <OK _nodes.size (); I ++) {node = OK _nodes.get (I); if (node. getClassName (). equals ("android. widget. button ") {node. encryption maction (AccessibilityNodeInfo. ACTION_CLICK); Log. d ("action", "click OK ");}}}}}}}


Complete DEMO: http://download.csdn.net/detail/jiazhijun/8251277

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.