The "Question" column of NetEase Cloud Yi Dun answers and presents common questions and points of confusion in the security domain. If you have any doubts, please leave a message with your question.
Recently many people have consulted Yi Dun about all kinds of Android security questions, so we have compiled this question-and-answer collection for readers.
Android Interface Hijacking
1. What is Android interface hijacking
Interface hijacking means that, on Android, malware monitors the operation of a target application and, when it detects that the current screen is a specific monitored interface of that application (typically a login or payment screen), pops up a forged phishing page over it, inducing the user to enter information. The goal is to steal the user's private data (account, card number, password, etc.) or to run phishing scams with the fake interface.
2. Common hijacking methods
- Monitor the system logcat log; once the activity-switching behaviour of the target is observed, the hijack is launched by covering the screen with a fake activity to deceive the user.
- Listen to system APIs; once the malicious program observes the API or component call of the relevant interface, it can launch the hijack.
- On models below Android 5.0, enumerate the task stack to get the top activity; when the target activity is seen to appear, the hijack can be launched.
- A malicious Service listens for the target app; when it switches to the target activity, a dialog is popped up to hijack the current interface and confuse the user.
3. Prevention methods
For users
Android phones have a Home button; long-pressing it shows the recent tasks. When you are about to enter a password to log in, view the recent tasks by long-pressing the Home button. If an unexpected program appears in the recent tasks, the current login screen is very likely a malicious activity: switch to another program, then view the recent tasks again, and you can tell which program the login interface comes from.
For developers
For phishing-activity-type hijacking, in the onPause method of the login window, or of any key activity where the user enters private data, check whether the frontmost activity belongs to the application itself or to a system application. If a malicious risk is found, give the user a warning that the interface being accessed has been covered, and report the class name of the activity that covers the normal one.
For pop-up-dialog-type hijacking, take over the activity's lifecycle: when the current interface is resumed, determine whether it has lost focus. If dialog-type hijacking is present, it is possible to check whether the processes running at that moment hold sensitive permissions (the global alert/overlay permission, the permission to get the task stack, etc.) and alert the user if one does.
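The two developer-side checks above, as an added Java example that is not Yi Dun's code. LoginActivity, the warning text and the HijackGuard tag are assumed names; the top-activity check uses the deprecated getRunningTasks, which needs the GET_TASKS permission before API 21 and from API 21 onwards only returns the caller's own tasks, so it is meaningful on the pre-5.0 models the column mentions, while the focus-loss check in onWindowFocusChanged works on every version:

```java
import android.Manifest;
import android.app.Activity;
import android.app.ActivityManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

// Hypothetical login activity (name assumed) carrying the two checks described
// in the column: a top-activity check in onPause and a focus-loss check while resumed.
public class LoginActivity extends Activity {
    private static final String TAG = "HijackGuard";
    private boolean resumed = false;

    @Override
    protected void onResume() {
        super.onResume();
        resumed = true;
    }

    @Override
    protected void onPause() {
        // Check 1 (phishing-activity type): what is taking the foreground from us?
        String topPkg = topActivityPackage();
        if (topPkg != null && !isSelfOrSystem(topPkg)) {
            warnUser("Login screen was covered by another app: " + topPkg);
        }
        resumed = false;
        super.onPause();
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        // Check 2 (dialog type): we are still resumed but a window took our focus.
        // Our own dialogs trigger this too, so the permission scan below is the signal.
        if (!hasFocus && resumed) {
            List<String> suspects = packagesRequestingOverlayOrTaskPermissions();
            if (!suspects.isEmpty()) {
                warnUser("Focus lost to an overlay; apps with overlay/task permissions: " + suspects);
            }
        }
    }

    // Package name of the top activity of the most recent task, or null if unavailable.
    @SuppressWarnings("deprecation")
    private String topActivityPackage() {
        ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
        if (tasks == null || tasks.isEmpty() || tasks.get(0).topActivity == null) {
            return null;
        }
        return tasks.get(0).topActivity.getPackageName();
    }

    // The column treats the app itself and system applications as trusted.
    private boolean isSelfOrSystem(String pkg) {
        if (pkg.equals(getPackageName())) {
            return true;
        }
        try {
            ApplicationInfo ai = getPackageManager().getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    // Non-system packages that request the overlay or task-stack permission.
    // On Android 11+ this list is filtered by package visibility rules.
    private List<String> packagesRequestingOverlayOrTaskPermissions() {
        List<String> out = new ArrayList<>();
        PackageManager pm = getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null || pi.packageName.equals(getPackageName())) {
                continue;
            }
            if ((pi.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                continue;
            }
            for (String p : pi.requestedPermissions) {
                if (Manifest.permission.SYSTEM_ALERT_WINDOW.equals(p)
                        || Manifest.permission.GET_TASKS.equals(p)) {
                    out.add(pi.packageName);
                    break;
                }
            }
        }
        return out;
    }

    private void warnUser(String message) {
        Log.w(TAG, message);
        // Assumed: show the warning to the user here (dialog, toast or in-screen banner).
    }
}
```

Note that requestedPermissions lists what a package asked for in its manifest, not what was granted, so the result is a list of candidates for the user to judge rather than proof of hijacking.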
How to place anti-decompilation "xxx" in an Android APK
The "XXX" mentioned in the article above is in fact a bug in the decompiler, so different "xxx" have to be designed for different decompilers. Let us look at the popular APK decompilation tools:
- baksmali/smali: baksmali converts binary dex files to smali text files for analysis; smali recompiles smali files back to dex files.
- Apktool: integrates baksmali/smali for working with dex files, and can also disassemble the res resource files (such as layout/strings, etc.).
- AXMLPrinter: converts AndroidManifest.xml from its binary form to AndroidManifest.xml in text form.
- dex2jar: converts dex into a jar file.
- JD-GUI: decompiles jar files into Java source code.
- IDA Pro: used primarily to disassemble the .so files in an APK; it also supports decompiling dex files into text-like instructions similar to the smali syntax.
From the decompilation tools above, three main kinds of function can be seen:
- decompile resources, such as AndroidManifest.xml and layout.xml
- decompile the dex file, or further convert the dex file to Java code
- decompile the .so file
"XXX" settings require a considerable understanding of the specific file format, and may only be targeted at one of the decompilation tools.
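An added Java example, not from the column, of the kind of file-format knowledge the last sentence refers to. It parses the fixed fields of a classes.dex header that every dex decompiler reads first (magic, Adler-32 checksum, SHA-1 signature, file_size, header_size, endian_tag) and reports which of them are consistent; any byte-level trap planted in a dex must keep these fields valid, or the Android runtime rejects the file before a decompiler ever sees it. The class name and the command-line usage are assumed:

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.zip.Adler32;

// Added example: verifies the self-describing fields of a DEX header.
public final class DexHeaderCheck {
    private static final int HEADER_SIZE = 0x70;           // header_size is fixed in the DEX format
    private static final int ENDIAN_CONSTANT = 0x12345678; // endian_tag for a little-endian file

    public static final class Result {
        public final boolean magicOk, checksumOk, signatureOk, sizeOk, endianOk;

        Result(boolean m, boolean c, boolean s, boolean z, boolean e) {
            magicOk = m; checksumOk = c; signatureOk = s; sizeOk = z; endianOk = e;
        }

        public boolean allOk() {
            return magicOk && checksumOk && signatureOk && sizeOk && endianOk;
        }
    }

    public static Result check(byte[] dex) throws NoSuchAlgorithmException {
        if (dex.length < HEADER_SIZE) {
            throw new IllegalArgumentException("file is shorter than a DEX header");
        }
        ByteBuffer bb = ByteBuffer.wrap(dex).order(ByteOrder.LITTLE_ENDIAN);

        // magic: "dex\n" + three ASCII version digits (e.g. 035) + '\0'
        boolean magicOk = dex[0] == 'd' && dex[1] == 'e' && dex[2] == 'x' && dex[3] == '\n'
                && Character.isDigit(dex[4]) && Character.isDigit(dex[5])
                && Character.isDigit(dex[6]) && dex[7] == 0;

        // checksum (offset 8): Adler-32 over everything after the checksum field itself
        long storedChecksum = bb.getInt(8) & 0xFFFFFFFFL;
        Adler32 adler = new Adler32();
        adler.update(dex, 12, dex.length - 12);
        boolean checksumOk = adler.getValue() == storedChecksum;

        // signature (offset 12, 20 bytes): SHA-1 over everything after the signature field
        byte[] storedSig = Arrays.copyOfRange(dex, 12, 32);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(dex, 32, dex.length - 32);
        boolean signatureOk = MessageDigest.isEqual(sha1.digest(), storedSig);

        // file_size (32), header_size (36) and endian_tag (40)
        long fileSize = bb.getInt(32) & 0xFFFFFFFFL;
        long headerSize = bb.getInt(36) & 0xFFFFFFFFL;
        boolean sizeOk = fileSize == dex.length && headerSize == HEADER_SIZE;
        boolean endianOk = bb.getInt(40) == ENDIAN_CONSTANT;

        return new Result(magicOk, checksumOk, signatureOk, sizeOk, endianOk);
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        if (args.length != 1) {
            System.err.println("usage: java DexHeaderCheck classes.dex");
            return;
        }
        Result r = check(Files.readAllBytes(Paths.get(args[0])));
        System.out.println("magic=" + r.magicOk + " checksum=" + r.checksumOk
                + " signature=" + r.signatureOk + " size=" + r.sizeOk
                + " endian=" + r.endianOk + " all=" + r.allOk());
    }
}
```

Run it against a classes.dex extracted from an APK; a dex that has been edited by hand without recomputing the checksum and signature shows up immediately, which is also why repackaging tools always rewrite these two fields.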
How is an Android app encrypted?
An Android app contains DEX files, .so files, and res/assets resource files. The corresponding encryption is divided into three main aspects: Dex protection, .so encryption, and resource protection (res, assets).
Dex Protection
Since an unprotected Dex file is packaged straight from compiled Java, its cracking cost is low and it is easily XXX. Its protection measures range from the most basic shell (packer), to extracting function bodies and loading them dynamically, and on to today's VMP virtual-machine reinforcement, with security gradually strengthening. VMP reinforcement in particular uses a self-developed virtual machine to interpret function bodies; if the instruction replacement and encryption are done well, it makes life very uncomfortable for the cracker.
So encryption
For .so files, encryption has developed from encrypting the initial segment to custom ELF-structure encryption methods that prevent IDA from viewing function names, increasing the cost and difficulty of cracking.
Resource Protection
Res resource files are usually only obfuscated to increase the difficulty of reversing. Assets resources are generally not handled at all. But as H5 applications keep increasing, some vendors (Yi Dun, Nagas) now provide an assets encryption function; the implementation principle is not public.
In addition to the three protections above, there are anti-decompilation, anti-repackaging, anti-debugging, anti-emulator and anti-Xposed functions.
a) Anti-decompilation: generally counters the decompilation tools on the market (such as Apktool) by using their vulnerabilities, so that decompilation fails;
b) Anti-repackaging: commonly the signature information is saved in the code, and at startup the native layer compares the current APK's signature information with the saved signature. There are already tools on the market that break this, so some upgrades can be made over the common implementation.
c) Anti-debugging: the process ptraces itself, so that a cracker cannot ptrace it again for debugging.
d) Anti-emulator: detect the /system/bin/su and /system/xbin/su files.
e) Anti-Xposed: detect the XposedHelpers methodCache to determine whether a hook is present.
Question | One or two things about Android security