App Security Testing Practice Basics: Client Program Security 01

Table of Contents

Installation package signature

Decompilation protection

Application integrity check

Program can be arbitrarily debugged

Arbitrary backup of program data

Resource file protection


App Security Testing Practice Basics: Client Program Security


Note: affected scope: all Android versions


Installation package signature

1. Description

Every Android application must be signed before it can be installed and run, so developers have to sign the installation package when they release it. The organization information contained in the signing certificate helps users identify whether an installation package is genuine, and some mobile anti-virus products also rely on signature information for detection. Complete and detailed signature information therefore helps users tell a genuine installation package from a counterfeit one.

2. Process

  • Use a signature tool or jeb to view the signature and certificate information, and check whether the certificate subject conforms to the following standard format: CN=(first and last name), OU=(organizational unit name), O=(organization name), L=(city or locality name), ST=(state or province name), C=(two-letter country code of the organization).
  • jarsigner -verify -verbose -certs xxx.apk

    The following information was found in the test; it did not meet the requirements.
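The subject check in the procedure above can be automated over the output of jarsigner -verify -verbose -certs. The following Python is an added example (not part of the original post): it pulls every "X.509, <subject>" line out of the output, parses the DN, reports which of the CN/OU/O/L/ST/C fields are missing or left at keytool's "Unknown" placeholder, and flags the default Android debug certificate. The jarsigner output it parses is constructed, not a real run.

```python
"""Check the subject DN of an APK signing certificate against the
CN / OU / O / L / ST / C fields the procedure expects.
Added example: the jarsigner output below is constructed, not a real run."""
import re

REQUIRED_FIELDS = ("CN", "OU", "O", "L", "ST", "C")

# keytool fills unanswered prompts with "Unknown"; a release certificate should not carry it
PLACEHOLDER_VALUES = {"unknown", ""}

# Subject of the certificate in the default Android debug keystore
DEBUG_SUBJECT = {"CN": "Android Debug", "O": "Android", "C": "US"}


def parse_dn(dn: str) -> dict:
    """Split 'CN=a, OU=b, ...' into {field: value}; a comma escaped with a backslash stays in the value."""
    fields = {}
    for part in re.split(r"(?<!\\),\s*", dn):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.replace("\\,", ",").strip()
    return fields


def check_subject(dn: str) -> list:
    """Return a list of problems; an empty list means the subject meets the standard format."""
    fields = parse_dn(dn)
    problems = []
    for name in REQUIRED_FIELDS:
        value = fields.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif value.lower() in PLACEHOLDER_VALUES:
            problems.append(f"placeholder {name}={value!r}")
    if all(fields.get(k) == v for k, v in DEBUG_SUBJECT.items()):
        problems.append("signed with the default Android debug certificate")
    return problems


def extract_subjects(jarsigner_output: str) -> list:
    """Collect every distinct 'X.509, <subject DN>' line from jarsigner -verify -verbose -certs output."""
    found = re.findall(r"X\.509,\s*(.+)", jarsigner_output)
    return list(dict.fromkeys(s.strip() for s in found))


def audit(jarsigner_output: str) -> dict:
    """Map each signing subject found in the output to its list of problems."""
    return {dn: check_subject(dn) for dn in extract_subjects(jarsigner_output)}


# Constructed sample in the shape of jarsigner's per-entry certificate lines
SAMPLE_DEBUG_OUTPUT = """\
sm      4096 Fri Jan 10 10:00:00 CST 2020 classes.dex

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 1/10/20 10:00 AM to 1/2/50 10:00 AM]

sm       512 Fri Jan 10 10:00:00 CST 2020 AndroidManifest.xml

      X.509, CN=Android Debug, O=Android, C=US
      [certificate is valid from 1/10/20 10:00 AM to 1/2/50 10:00 AM]
"""

if __name__ == "__main__":
    for subject, problems in audit(SAMPLE_DEBUG_OUTPUT).items():
        print(subject, "->", problems or "OK")
```

Feed it the saved output of the jarsigner command (`audit(open("jarsigner.txt").read())`); a subject with an empty problem list is the "complete and detailed" signature the description asks for, while a debug certificate or any "Unknown" field is the finding shown in the test above.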


3. Suggestion

  • Sign the installation package and detect anomalies in the installation package signature
  • Fill in complete organization information in the enterprise signing certificate
  • Sign the installation package with the enterprise certificate when the application is released

Decompilation protection

1. Description

Android applications are developed in Java and run on the Dalvik virtual machine. The Smali and Java code executed by Dalvik can easily be recovered with decompilation tools, so Android applications can be analyzed, modified and repackaged. Without any hardening measures, the application's logic is fully exposed to the analyst.

2. Process

  • Load the target Apk in Jeb, AndroidKiller_v1.3.1 or another disassembly tool to check whether the Apk is obfuscated or hardened

After testing, the situation is as follows:

The code is neither obfuscated nor hardened, so an attacker can decompile it and attack directly at the source code level.

3. Suggestion

  • Obfuscate the client code
  • Pack and harden the client

Application integrity check

1. Description

Because of inherent flaws in the Android system and weaknesses in the management of Android application distribution channels, an Android client program is easily decompiled, tampered with or repackaged, and can then be re-signed with an arbitrary key and released on various channels or forums. This not only harms the developer's intellectual property but is also likely to threaten the user's sensitive information and property, so checking the integrity of the client itself is particularly necessary.

2. Process

  • Use only the apktool tool to unpack and repack the apk, re-sign it, and check whether the apk still works normally
apktool d apk
apktool b dir -o out.apk
Re-sign the apk

If the app does not verify its dex or signature, the smali code and resource files can be modified at will, for example the icon. The following figure shows the icon of a securities application replaced with that of a flashlight application.

Before the change:

After the change:

The icon has become a different one, and the app can still be opened;

After the change, re-sign the apk

Execute command: java -jar signapk.jar testkey.x509.pem testkey.pk8 <original apk file name> <new apk file name>

Install APK;

If there is no self-check, the software opens normally and the test fails, indicating a vulnerability risk

If the application performs a self-check, the software cannot be started and the test passes; the risk does not exist;

3. Suggestion

  • Add signature verification logic
  • Add integrity check logic
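The following Python is an added example (not code from the original post) of the digest comparison that underlies both the repackaging test above and the integrity-check suggestion: a SHA-256 digest of every entry is recorded, as the SHA-256-Digest lines of META-INF/MANIFEST.MF do under JAR (v1) signing, and the repacked apk is compared against that record. The entries, the app name and the swapped icon bytes are constructed; a real apk is a zip in the same shape, so the functions work on one unchanged.

```python
"""Per-entry digest check behind APK integrity verification: record a SHA-256
digest of every entry (what the SHA-256-Digest lines in META-INF/MANIFEST.MF
hold under JAR/v1 signing) and compare a repacked apk against it.
Added example with constructed entries; it is not the Android signing scheme itself."""
import base64
import hashlib
import io
import zipfile


def build_apk(entries: dict) -> bytes:
    """Pack {name: bytes} into an in-memory zip that stands in for an apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk: bytes) -> dict:
    """Base64 SHA-256 of every non-signature entry, keyed by entry name."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue  # the signature files themselves are not covered by the manifest digests
            digest = hashlib.sha256(zf.read(info)).digest()
            digests[info.filename] = base64.b64encode(digest).decode("ascii")
    return digests


def verify(apk: bytes, recorded: dict) -> dict:
    """Compare the apk's entries with the recorded digests and report every difference."""
    actual = entry_digests(apk)
    return {
        "modified": sorted(n for n in recorded if n in actual and actual[n] != recorded[n]),
        "removed": sorted(n for n in recorded if n not in actual),
        "added": sorted(n for n in actual if n not in recorded),
    }


def is_intact(apk: bytes, recorded: dict) -> bool:
    """True only when no entry was modified, removed or added."""
    return not any(verify(apk, recorded).values())


# Constructed sample contents standing in for a securities app's entries
ORIGINAL_FILES = {
    "AndroidManifest.xml": b'<manifest package="com.example.securities"/>',
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/mipmap/ic_launcher.png": b"\x89PNG original securities icon",
}
ORIGINAL_APK = build_apk(ORIGINAL_FILES)
RECORDED = entry_digests(ORIGINAL_APK)  # what a signed build would carry in its manifest

# The icon swap from the procedure above: repack with one resource replaced
REPACKED_APK = build_apk({**ORIGINAL_FILES,
                          "res/mipmap/ic_launcher.png": b"\x89PNG flashlight icon"})

if __name__ == "__main__":
    print("original intact:", is_intact(ORIGINAL_APK, RECORDED))
    print("repacked report:", verify(REPACKED_APK, RECORDED))
```

The digest table only proves anything if it is itself protected: a repackaged apk is re-signed with the attacker's key and ships a fresh, consistent manifest, which is why the app-side check has to compare the signing certificate it was installed with against a value pinned at build time rather than just recomputing digests.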

Program can be arbitrarily debugged

1. Description

When android:debuggable="true" is set in the AndroidManifest.xml file, the application can be started in debug mode and be debugged by any debugger.

2. Process

  • Use Jeb to load the apk client file
  • Check whether the application node of the manifest file is set to android:debuggable="true"

If the client sets the android:debuggable attribute to true, the client can be debugged with adb commands, which facilitates reverse analysis; there is a vulnerability risk

3. Suggestion

  • Do not set the android:debuggable attribute, or set the value of the attribute to false;

Arbitrary backup of program data

1. Description

When the android:allowBackup attribute is not set in the AndroidManifest.xml file, or is set to android:allowBackup="true", all data in the application's private directory can be backed up.

2. Process

Through detection, it was found that the backup setting in AndroidManifest.xml is true;

3. Suggestion

  • Set the attribute value of android:allowBackup in AndroidManifest.xml to false
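Both manifest checks above (android:debuggable and android:allowBackup) can be read from the decoded AndroidManifest.xml that apktool d writes out. The following Python is an added example, not part of the original post: it reads the two attributes from the application element, treats a missing allowBackup as the default of true, and returns findings for the vulnerable settings. The two manifests it inspects are constructed.

```python
"""Check a decoded AndroidManifest.xml (as written out by apktool d) for
android:debuggable and android:allowBackup.
Added example; the two manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem: ET.Element, name: str):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(xml_text: str) -> dict:
    """Return the raw attribute values plus a list of findings (empty when hardened)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    debuggable = android_attr(app, "debuggable")
    allow_backup = android_attr(app, "allowBackup")
    findings = []
    if debuggable == "true":
        findings.append("android:debuggable is true: any debugger can attach to the process")
    if allow_backup is None:
        # the attribute defaults to true when it is not declared
        findings.append("android:allowBackup is not set: defaults to true, private data can be backed up")
    elif allow_backup == "true":
        findings.append("android:allowBackup is true: private data can be backed up")
    return {"debuggable": debuggable, "allowBackup": allow_backup, "findings": findings}


# Constructed manifest with both weak settings (allowBackup left unset)
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# The same manifest with the suggested values
HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example" android:debuggable="false" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(text))
```

Run it against the decoded manifest with `check_manifest(open("out/AndroidManifest.xml").read())`; it only reads the decoded text form, so the apk must be unpacked with apktool first rather than passing the binary manifest from the zip.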

Resource file protection

1. Description

The resources in an Android apk are mainly divided into assets resources and res resources. Assets resources are stored in the app's assets directory; they are raw files that are not compiled when the app is packaged but are put into the APP directly, and application code accesses them by file name. Res resources are stored in the APP's res directory; most of them are compiled into binary files when the APP is packaged, and each is assigned a resource id through which application code accesses it.

During Android apk development most companies advocate standardized naming, so file names make their meaning easy to understand. This helps developers understand and maintain the application, but it also helps crackers: using these names they can easily find the files they need and understand what those files are for.

2. Process

The res folder of an ordinary app without resource protection is as follows:

The obfuscated res folder is as follows:

Resource files can also be protected by hiding them. After hardening, the res folder is hidden:

Some important files are hidden:

The obfuscated res folder is as follows:

Various suffixes are used in the folder to create confusion, such as .a, .iso, .d, .conf, etc.

The assets folder of an ordinary app without resource protection:

If the code is obfuscated or packed so that the source code cannot be completely restored, this can be considered safe.

3. Suggestion

  • Use a hardening tool or AndResGuard to obfuscate resources



Origin blog.csdn.net/weixin_43650289/article/details/109115127