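With app privacy policies coming under increasingly strict scrutiny, collecting an app's permission list and verifying the permissions the app has been granted is a problem that now has to be faced.
Verifying an app's permission usage is planned in three steps:
- Collect the permissions related to the app
- Collect the permissions used by the third parties the app calls
- Collect the permissions at each stage of operating the app
First, the implementation of step one:
Basic approach:
- Use a device connected over ADB
- Run dumpsys package xxx and filter out the package's permission-related information
- Save the app's permission list to Excel
Python script implementation: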
```python
# coding:utf-8
"""
@note: Collect the permissions used by an app
@author: Qred
@file: PermissionList.py
@time: 2019/12/22
"""
import argparse
import os
import re
import subprocess
import time

import xlwt


class baseClass(object):
    def __init__(self, phone_id, PACKAGE_NAME):
        self.phone_id = phone_id
        self.PACKAGE_NAME = PACKAGE_NAME
        self.MAX_INVALID_LINE = 5
        # Section headers that appear in the dumpsys package output
        self.DECLARED_PERMISSIONS = 'declared permissions'
        self.REQUESTED_PERMISSIONS = 'requested permissions'
        self.INSTALL_PERMISSIONS = 'install permissions'
        self.RUNTIME_PERMISSIONS = 'runtime permissions'
        self.STOP_KEY = 'Package Changes:'

    def dump_get_perminfo_line(self):
        '''Get the permission lists'''
        titles = []
        locked = 0  # 0 until the first section header has been seen
        Dict = {}
        for title in self.dump_execute_perminfo():
            if len(title) == 0:
                break
            # Inside a section: keep every line that mentions a permission
            if locked != 0 and 'permission' in title:
                title = re.sub(r"[:|,]", " ", title)
                title = re.sub(r"(\[ | \])", "", title)
                line = title.split()
                titles.append(line)
            # A new header closes the previous section; the header line itself
            # was just appended, so it is sliced off again
            if self.DECLARED_PERMISSIONS in title:
                locked = 1
            elif self.REQUESTED_PERMISSIONS in title:
                Dict.update({self.DECLARED_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 2
            elif self.INSTALL_PERMISSIONS in title:
                Dict.update({self.REQUESTED_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 3
            elif self.RUNTIME_PERMISSIONS in title:
                Dict.update({self.INSTALL_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 4
            elif self.STOP_KEY in title:
                Dict.update({self.RUNTIME_PERMISSIONS: titles[:-2]})
                titles = []
                locked = 5
        return Dict

    def dump_execute_perminfo(self):
        '''Run dumpsys and return all output lines'''
        # adb shell joins its arguments into one command line for the device
        # shell, so only accept package-name characters
        if not re.match(r"^[A-Za-z0-9_.]+$", self.PACKAGE_NAME):
            raise ValueError("invalid package name: %r" % self.PACKAGE_NAME)
        cmd = ["adb"]
        if self.phone_id != '':
            cmd += ["-s", self.phone_id]
        cmd += ["shell", "dumpsys", "package", self.PACKAGE_NAME]
        # Argument list, no host shell: the arguments cannot inject commands locally
        ret = subprocess.run(cmd, stdout=subprocess.PIPE, universal_newlines=True)
        # print(cmd)
        return ret.stdout.splitlines(True)

    def write_info_excel(self):
        '''Write the data to an Excel file'''
        Dict = self.dump_get_perminfo_line()
        time_stamp = time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime())
        if self.phone_id != '':
            phone_id = self.phone_id[0:3] + '_p'
        else:
            phone_id = 'P'
        # xlwt writes the legacy .xls format, so use that extension
        path = os.path.join(os.getcwd(), phone_id + "ermissionList_" + time_stamp + ".xls")
        Excel = xlwt.Workbook()
        WorkSheet = Excel.add_sheet("permission_list")
        i = 0
        for key in Dict.keys():
            j = 0
            WorkSheet.write(i, j, key)
            j += 1
            for values in Dict[key]:
                k = j
                for val in values:
                    WorkSheet.write(i, k, val)
                    k += 1
                i += 1
            if not Dict[key]:
                # Empty section: still advance, xlwt refuses to overwrite a cell
                i += 1
        Excel.save(path)  # save the file


def arg():
    # Command-line parser
    # -d device id
    # -p package name of the app under test, default: com.hpbr.bosszhipin
    # -h help
    parse = argparse.ArgumentParser(usage='This script is mainly used to get performance data \n 此脚本主要用于获取权限数据',
                                    description='Devices is required, and the package name (the default is Baidu APP) \n 需传参设备devices,包名(默认是boss直聘APP)')
    parse.add_argument('-d', help='devices', type=str, nargs='?', default=None)
    parse.add_argument('-p', help='package name', type=str, nargs='?', default=None)
    args = parse.parse_args()
    # print vars(args)
    return args


def initParameters():
    global DEVICE_ID, PACKAGE_NAME, PRINT_OR_WRITE
    args = arg()
    if args.d is not None:  # devices
        DEVICE_ID = args.d
    else:
        DEVICE_ID = ''
    if args.p is not None:  # package name
        PACKAGE_NAME = args.p
    else:
        PACKAGE_NAME = 'com.hpbr.bosszhipin'


if __name__ == '__main__':
    initParameters()
    # Once DEVICE_ID and PACKAGE_NAME are set, the script can be run directly
    tmp = baseClass(DEVICE_ID, PACKAGE_NAME)  # '', 'com.hpbr.bosszhipin'
    tmp.write_info_excel()
```
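Using the script:
1. List the connected devices:
adb devices
2. From the directory containing the script, run it:
python PermissionList.py -d device_id -p com.xxx.xxx
3. An Excel file whose name contains "permissions" is generated in the same directory.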
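An added example, not part of the original script: a parser for the same four dumpsys sections that also records each entry's granted= state, plus a check that lists granted runtime permissions missing from a disclosed set. The sample text is a constructed excerpt, and `parse_permissions`, `audit` and the disclosed set are hypothetical names; it assumes a single-user device.

```python
import re

# Constructed excerpt in the layout of `adb shell dumpsys package <pkg>` output;
# the package name and values are made up for this example.
SAMPLE = """\
    declared permissions:
      com.example.app.permission.PUSH: prot=signature, INSTALLED
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
Package Changes:
"""

HEADER = re.compile(r"^\s*(declared|requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([A-Za-z0-9_.]+)(?::\s*(.*))?$")


def parse_permissions(dump):
    """Return {section: {permission: granted}}; granted is None when not stated."""
    sections, current = {}, None
    for line in dump.splitlines():
        head = HEADER.match(line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        entry = ENTRY.match(line)
        # A permission entry is a dotted name; any other line ends the section.
        if current is None or not entry or "." not in entry.group(1):
            current = None
            continue
        granted = re.search(r"granted=(true|false)", entry.group(2) or "")
        current[entry.group(1)] = (granted.group(1) == "true") if granted else None
    return sections


def audit(sections, disclosed):
    """Granted runtime permissions that are not in the disclosed set."""
    runtime = sections.get("runtime", {})
    return sorted(p for p, ok in runtime.items() if ok and p not in disclosed)

if __name__ == "__main__":
    print(audit(parse_permissions(SAMPLE), {"android.permission.READ_CONTACTS"}))
```

To run it against a real device, pass the text captured from the dumpsys command in place of `SAMPLE`.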
---- For your reference ----