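Detecting Dangerous Android Permissions with AAPT
1. Basic environment setup
1. ADT environment setup (no Java environment variables are needed here)
First, let's dig up an ancient version of ADT.
Link: https://pan.baidu.com/s/1lWM0LmVYDYKxWk-LTrRlCw
Extraction code: pgzx
Then we can start configuring the environment variables for Android development.
Add to the system environment variables: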
ANDROID_HOME=D:\path\android\adt-bundle-windows-x86_64-20131030\sdk
Add to the system Path variable:
%ANDROID_HOME%;%ANDROID_HOME%/tools;%ANDROID_HOME%/platform-tools
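Now type adb version in a CMD window. If it prints
Android Debug Bridge version 1.0.31
then the setup succeeded.
Alternatively, you can download a standalone aapt from https://androidaapt.com/.
2. Basic usage of the Android Asset Packaging Tool (aapt)
aapt lives in %ANDROID_HOME%/build-tools/android-4.4/. If you don't have android-4.4, you can install any version of the SDK through the SDK Manager.
aapt command reference, taken from https://androidaapt.com/command. Follow the link for the details of each command.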
- aapt list
- aapt dump badging
- aapt usage
- aapt dump strings
- aapt dump permissions
- aapt dump resources
- aapt dump configurations
- aapt dump xmltree
- aapt dump xmlstrings
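Since this article only covers detecting dangerous Android permissions with AAPT, the command we need is aapt dump permissions file.{apk} (permissions is the WHAT argument of aapt dump WHAT file.{apk}).
e.g.: aapt dump permissions lxsj.apk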
package: com.jiayouya.travel
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: android.permission.READ_EXTERNAL_STORAGE
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.ACCESS_COARSE_LOCATION
uses-permission: android.permission.READ_PHONE_STATE
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.ACCESS_WIFI_STATE
uses-permission: android.permission.WRITE_SETTINGS
uses-permission: android.permission.VIBRATE
uses-permission: android.permission.WAKE_LOCK
uses-permission: android.permission.RECEIVE_USER_PRESENT
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
uses-permission: android.permission.BROADCAST_STICKY
uses-permission: android.permission.KILL_BACKGROUND_PROCESSES
uses-permission: android.permission.READ_LOGS
uses-permission: android.permission.BLUETOOTH
uses-permission: android.permission.BATTERY_STATS
uses-permission: com.meizu.flyme.push.permission.RECEIVE
permission: com.jiayouya.travel.push.permission.MESSAGE
uses-permission: com.jiayouya.travelpush.permission.MESSAGE
uses-permission: com.meizu.c2dm.permission.RECEIVE
permission: com.jiayouya.travel.permission.C2D_MESSAGE
uses-permission: com.jiayouya.travel.permission.C2D_MESSAGE
permission: com.jiayouya.travel.permission.MIPUSH_RECEIVE
uses-permission: com.jiayouya.travel.permission.MIPUSH_RECEIVE
uses-permission: android.permission.REQUEST_INSTALL_PACKAGES
uses-permission: android.permission.CHANGE_CONFIGURATION
uses-permission: android.permission.MODIFY_AUDIO_SETTINGS
uses-permission: android.permission.CAMERA
uses-permission: android.permission.RECORD_AUDIO
permission: com.jiayouya.travel.andpermission.bridge
uses-permission: com.jiayouya.travel.andpermission.bridge
uses-permission: android.permission.GET_TASKS
uses-permission: android.permission.READ_SETTINGS
uses-permission: android.permission.RUN_INSTRUMENTATION
uses-permission: android.permission.FLASHLIGHT
As we can see, this returns every permission declared in AndroidManifest.xml. Here is a list of Android dangerous permissions to check them against:
BLACK_LIST = (
'android.permission.READ_EXTERNAL_STORAGE',
'android.permission.WRITE_EXTERNAL_STORAGE',
'android.permission.READ_CALENDAR',
'android.permission.WRITE_CALENDAR',
'android.permission.CAMERA',
'android.permission.READ_CONTACTS',
'android.permission.WRITE_CONTACTS',
'android.permission.GET_ACCOUNTS',
'android.permission.ACCESS_FINE_LOCATION',
'android.permission.ACCESS_COARSE_LOCATION',
'android.permission.RECORD_AUDIO',
'android.permission.READ_PHONE_STATE',
'android.permission.CALL_PHONE',
'android.permission.READ_CALL_LOG',
'android.permission.WRITE_CALL_LOG',
'com.android.voicemail.permission.ADD_VOICEMAIL',
'android.permission.USE_SIP',
'android.permission.PROCESS_OUTGOING_CALLS',
'android.permission.BODY_SENSORS',
'android.permission.SEND_SMS',
'android.permission.RECEIVE_SMS',
'android.permission.READ_SMS',
'android.permission.RECEIVE_WAP_PUSH',
'android.permission.RECEIVE_MMS',
'android.permission.READ_CELL_BROADCASTS',
'android.permission.WRITE_SETTINGS')
We only need to check whether the permissions dumped by aapt appear in our BLACK_LIST. Here is the Python detection code:
```python
import os
import re
import subprocess


class ApkInfo:
    def __init__(self, apk_path):
        self.apkPath = apk_path
        self.aapt_path = self.get_aapt()
        self.BLACK_LIST = (
            'android.permission.READ_EXTERNAL_STORAGE',
            'android.permission.WRITE_EXTERNAL_STORAGE',
            'android.permission.READ_CALENDAR',
            'android.permission.WRITE_CALENDAR',
            'android.permission.CAMERA',
            'android.permission.READ_CONTACTS',
            'android.permission.WRITE_CONTACTS',
            'android.permission.GET_ACCOUNTS',
            'android.permission.ACCESS_FINE_LOCATION',
            'android.permission.ACCESS_COARSE_LOCATION',
            'android.permission.RECORD_AUDIO',
            'android.permission.READ_PHONE_STATE',
            'android.permission.CALL_PHONE',
            'android.permission.READ_CALL_LOG',
            'android.permission.WRITE_CALL_LOG',
            'com.android.voicemail.permission.ADD_VOICEMAIL',
            'android.permission.USE_SIP',
            'android.permission.PROCESS_OUTGOING_CALLS',
            'android.permission.BODY_SENSORS',
            'android.permission.SEND_SMS',
            'android.permission.RECEIVE_SMS',
            'android.permission.READ_SMS',
            'android.permission.RECEIVE_WAP_PUSH',
            'android.permission.RECEIVE_MMS',
            'android.permission.READ_CELL_BROADCASTS',
            'android.permission.WRITE_SETTINGS'
        )

    @staticmethod
    def get_aapt():
        # Locate aapt.exe somewhere under %ANDROID_HOME%/build-tools.
        if "ANDROID_HOME" not in os.environ:
            raise EnvironmentError("ANDROID_HOME not exist")
        root_dir = os.path.join(os.environ["ANDROID_HOME"], "build-tools")
        for path, subdir, files in os.walk(root_dir):
            if "aapt.exe" in files:
                return os.path.join(path, "aapt.exe")
        # Fail here instead of returning None and crashing later.
        raise FileNotFoundError("aapt.exe not found under " + root_dir)

    def get_apk_permission(self):
        # Pass an argument list and no shell, so an APK path containing spaces
        # or shell metacharacters is handed to aapt as one file name.
        p = subprocess.Popen([self.aapt_path, "dump", "permissions", self.apkPath],
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE,
                             stdin=subprocess.PIPE)
        (output, err) = p.communicate()
        text = output.decode(errors="replace")
        print(text)
        # Matches both "uses-permission: X" and "permission: X" lines.
        match = re.compile(r"permission: (\S+)").findall(text)
        Black_permission = []
        for permission in match:
            if permission in self.BLACK_LIST:
                Black_permission.append(permission)
        print(Black_permission)
        return Black_permission


if __name__ == '__main__':
    apkPath = input("APK文件路径:")
    apk_info = ApkInfo(apkPath)
    apk_info.get_apk_permission()
```
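The pattern permission: (\S+) fits the unquoted output shown above. The following added example (not the author's code) parses the dump more strictly and also accepts the quoted name='...' form, which is assumed here to be what newer build-tools print, so the check does not silently return an empty list. The sample outputs, the com.example.demo package and all function names are constructed for illustration.

```python
import re

# Subset of the article's BLACK_LIST, enough for the demo.
BLACK_LIST = frozenset({
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
})

# Constructed sample, unquoted format as shown in the article.
OLD_STYLE = """package: com.example.demo
uses-permission: android.permission.INTERNET
uses-permission: android.permission.CAMERA
permission: com.example.demo.permission.C2D_MESSAGE
uses-permission: android.permission.READ_PHONE_STATE
"""

# Constructed sample, quoted name='...' format (assumed newer aapt output).
NEW_STYLE = """package: com.example.demo
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA' maxSdkVersion='22'
permission: com.example.demo.permission.C2D_MESSAGE
uses-permission-sdk-23: name='android.permission.READ_PHONE_STATE'
"""

# Line kind, then the permission name with or without name='...'.
LINE = re.compile(
    r"^(uses-permission(?:-sdk-\d+)?|permission):\s*(?:name=)?'?([^'\s]+)", re.M)

def parse_permissions(text):
    """Return (requested, declared) permission-name sets from aapt output."""
    requested, declared = set(), set()
    for kind, name in LINE.findall(text):
        (declared if kind == "permission" else requested).add(name)
    return requested, declared

def flag_dangerous(text, black_list=BLACK_LIST):
    """Requested permissions that are on the black list, sorted."""
    return sorted(parse_permissions(text)[0] & black_list)

def naive_flag(text, black_list=BLACK_LIST):
    """The article's pattern, for comparison: quoted names never match."""
    found = re.findall(r"permission: (\S+)", text)
    return sorted({p for p in found if p in black_list})

if __name__ == "__main__":
    for label, sample in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, flag_dangerous(sample), naive_flag(sample))
```

Keeping requested (uses-permission) and declared (permission) names apart also stops a permission that the app merely defines from being reported as one it requests.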
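AAPT can do much more than this: it can extract a great deal of other information from an APK. Try out the other aapt commands yourself.
3. Summary
I suspect many people who, like me, are just getting started rarely look into how a decompilation tool actually works. They reach straight for mature, full-featured tools such as JADX and JEB without really understanding the principles behind them. So it is worth learning how these decompilation tools work. It will do you good! (An interviewer might ask about it.)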