Android Development Security 2: Activity Component Security (Part 2)

Source: Internet
Author: User

This is the second article on Activity component security in the Android development security series. It covers how to defend against Activity interface hijacking.

What is activity hijacking

Simply put, Activity hijacking is when a malicious attacker replaces an app's legitimate Activity interface with a fake, malicious one. Interface hijacking attacks are often hard to spot; they can cause serious losses for users and are a nightmare for mobile application developers. For example, when a user opens an app on an Android phone and reaches the login page, malware detects the action and immediately pops up an Activity that looks the same as the app's interface, covering the legitimate Activity. The user can hardly notice this, so the user name and password entered next actually go into the malware's Activity, and the outcome is easy to imagine.

Why the Activity interface can be hijacked

Many users online have found that adding the FLAG_ACTIVITY_NEW_TASK flag when starting an Activity places it at the top of the stack and shows it to the user immediately. What if that Activity is a disguised one built to steal accounts? On Android, a program can enumerate the currently running processes without declaring any other permissions, so a program can start a background service that constantly scans the running processes and launches a disguised Activity when the target process is found. If that Activity imitates a login interface, the user's account and password can be captured from it.

Common means of attack

    • Monitoring the system Logcat log: as soon as an Activity interface switch is observed, the attack is launched and a fake Activity interface is placed on top to deceive the user. Developers generally know that ActivityManagerService writes entries containing interface information to the system Logcat log; the malicious program reads this information through Logcat to monitor the client's start-up and its Activity interface switches.

    • Monitoring system APIs: once the malicious program detects the API component call for the relevant interface, it can launch the attack.

    • Reversing the APK: a malicious attacker decompiles and reverse-engineers the APK to understand the application's business logic, then carries out a targeted Activity interface hijacking attack.

Known security issues with the Activity component

    1. Malicious theft of user accounts, card numbers, passwords and other information
    2. Phishing scams with fake interfaces

Cloud Network vulnerability report examples

Interface-hijacking phishing for account theft using a floating window on Android

Design logic flaw in the CCB Android client allows users to be phished

How developers should defend against it

For users

Android phones have a Home button (the small house icon); long-pressing it shows the recent tasks. When you are about to enter a password to sign in, long-press the Home button to view the recent tasks. For example, if you long-press during login and find that something else appears in the recent tasks, the current login interface is very likely a malicious Activity. Switch to another program and view the recent tasks again to see which program the login interface came from.

For developers

A common practice is for developers to check, in the onPause method of key Activities such as the login window or screens where the user enters private data, whether the front-most Activity belongs to the app itself or to a system application. If a malicious risk is found, the app shows the user a warning that the login interface has been covered and gives the class name of the Activity covering the legitimate one.

The following code, shared by other users, shows a precaution against Activity interface hijacking that researchers commonly use:

First, override the onKeyDown and onPause methods in the legitimate login Activity so that an alert pops up when the Activity is covered, with the following code:
    // Field of the login Activity: true until the user leaves on purpose.
    private boolean needAlarm = true;

    @Override
    public boolean onKeyDown(int keyCode, KeyEvent event) {
        // Determine whether the program is going to the background because of
        // the user (Back or Home pressed); if so, no alert is needed.
        // Note: per the KeyEvent documentation, KEYCODE_HOME is handled by the
        // framework and never delivered to applications, so only Back is seen here.
        if ((keyCode == KeyEvent.KEYCODE_BACK || keyCode == KeyEvent.KEYCODE_HOME)
                && event.getRepeatCount() == 0) {
            needAlarm = false;
        }
        return super.onKeyDown(keyCode, event);
    }

    @Override
    protected void onPause() {
        // If the program went to the background and the user did not cause it, alert.
        if (needAlarm) {
            // Pop-up alert message
            Toast.makeText(getApplicationContext(),
                    "Your login interface is overwritten, please confirm the login environment is safe",
                    Toast.LENGTH_SHORT).show();
            // Start our AlarmService to report the class name covering the legitimate Activity
            Intent intent = new Intent(this, AlarmService.class);
            startService(intent);
        }
        super.onPause();
    }
Then implement AlarmService.java and register it in AndroidManifest.xml:

    import android.app.ActivityManager;
    import android.app.Service;
    import android.content.Context;
    import android.content.Intent;
    import android.os.Handler;
    import android.os.IBinder;
    import android.widget.Toast;

    public class AlarmService extends Service {

        // The delay value is garbled on the source page; 1000 ms is an assumed placeholder.
        private static final long ALARM_DELAY_MS = 1000;

        boolean isStart = false;
        Handler handler = new Handler();

        Runnable alarmRunnable = new Runnable() {
            @Override
            public void run() {
                // Get the ActivityManager
                ActivityManager activityManager =
                        (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
                // getRunningTasks returns a list of at most the number of tasks passed in.
                // get(0) is the first element of the list: the task at the top of the stack.
                ActivityManager.RunningTaskInfo info = activityManager.getRunningTasks(1).get(0);
                // Get the class name at the top of the current stack; the full class
                // name and the package name are also available if required.
                String shortClassName = info.topActivity.getShortClassName(); // class name
                // Full class name
                // String className = info.topActivity.getClassName();
                // Package name
                // String packageName = info.topActivity.getPackageName();
                Toast.makeText(getApplicationContext(),
                        "The currently running program is " + shortClassName,
                        Toast.LENGTH_LONG).show();
            }
        };

        @Override
        public int onStartCommand(Intent intent, int flag, int startId) {
            super.onStartCommand(intent, flag, startId);
            if (!isStart) {
                isStart = true;
                // Start alarmRunnable
                handler.postDelayed(alarmRunnable, ALARM_DELAY_MS);
                stopSelf();
            }
            return START_STICKY;
        }

        @Override
        public IBinder onBind(Intent intent) {
            return null;
        }
    }
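
The AlarmService above reports whatever is on top of the stack, without the check described under "For developers" (is the front-most Activity the app itself or a system application?). The helper below is an added example, not code from the original article; the names `ForegroundCheck` and `coveringActivity` are hypothetical. It returns the covering class name only when a third-party package is in front.

```java
import android.app.ActivityManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.List;

// Added example: hypothetical helper, not part of the original article.
public final class ForegroundCheck {

    private ForegroundCheck() {}

    /**
     * Returns the full class name of the Activity covering this app, or null
     * when the top Activity is our own, a system app, or cannot be determined.
     */
    public static String coveringActivity(Context context) {
        ActivityManager am =
                (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
        // Before API 21 this call needs the GET_TASKS permission in the manifest.
        List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
        if (tasks == null || tasks.isEmpty() || tasks.get(0).topActivity == null) {
            return null; // nothing to inspect; do not raise a false alarm
        }
        ComponentName top = tasks.get(0).topActivity;
        String topPackage = top.getPackageName();

        // Case 1: the front-most Activity is one of our own.
        if (topPackage.equals(context.getPackageName())) {
            return null;
        }
        // Case 2: the front-most Activity belongs to a system application
        // (launcher, dialer, system dialogs, ...).
        try {
            ApplicationInfo info =
                    context.getPackageManager().getApplicationInfo(topPackage, 0);
            if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                return null;
            }
        } catch (PackageManager.NameNotFoundException e) {
            // Package not visible to us: treat it as untrusted and report it.
        }
        // Case 3: a third-party Activity is on top of the login screen.
        return top.getClassName();
    }
}
```

Call it from AlarmService's delayed runnable and show the warning only when the result is non-null. Since Android 5.0 (API 21) getRunningTasks returns only the caller's own tasks plus a few non-sensitive ones such as the launcher, so this check, like the article's AlarmService, is informative only on older releases.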

Reference Links:

Http://blog.chinaunix.net/uid-29170659-id-4930737.html
