One. What is Android interface hijacking
Interface hijacking means that, on an Android system, malware monitors the running of a target application. When it detects that the interface currently on screen is a specific interface of the monitored application (usually the login or payment interface), it pops up a fake phishing page over it, inducing the user to enter information and ultimately stealing the user's private data (account numbers, card numbers, passwords and similar information), or using the fake interface to commit phishing fraud.
Two. Common attack methods
1. Monitor the system Logcat log. Once an Activity-switching event is observed, the attack is carried out: a fake Activity is overlaid on top of the real interface to deceive the user.
2. Hook system APIs. Once the malicious program observes the API call that starts the relevant interface component, it launches the attack.
3. On Android versions below 5.0, enumerate the running tasks to obtain the Activity at the top of the stack, wait for the target Activity to appear, and then launch the attack.
4. Start a malicious Service that monitors the target application. When the user switches to the target Activity, a dialog box pops up over it to hijack the current interface and confuse the user.
Three. Preventive measures
● For users
Almost all Android phones have a HOME button; pressing and holding it shows the recently used tasks. When a user is asked to enter a password to log in, they can long-press the HOME button to look at the recent tasks. For example, if they long-press HOME while logging in and find that WeChat appears in the recent tasks, the current login interface is most likely a maliciously disguised Activity. Switching to another program and checking the recent tasks shows which program the login interface actually belongs to.
● For developers
For phishing-Activity hijacking, in the onPause method of key Activities such as the login window or user-privacy input, check whether the Activity coming to the foreground belongs to the app itself or to a system application. If a risk is found, warn the user that the login interface is about to be covered, and report the class name of the Activity that is covering the normal one.
For pop-up-dialog hijacking, take over the Activity lifecycle: once the current interface has resumed, check whether it has lost window focus. If it is resumed yet without focus, a dialog-type hijack may be in progress. Then check whether any running process holds sensitive permissions (the global alert-window permission, the permission to read the task stack, etc.), and if so, alert the user.
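As an added example that is not part of the original article, the dialog-type check from the paragraph above in Java: an Activity that treats "resumed but without window focus" as the signal and then scans running processes for packages requesting the sensitive permissions named above. The package-trust rule, the class and method names, and the use of a log line in place of the user warning are assumptions.

```java
import android.app.Activity;
import android.app.ActivityManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;
import java.util.Arrays;
import java.util.List;

// Added example, not the article's code: detecting the dialog-type hijack described above.
public class LoginActivity extends Activity {
    private static final String TAG = "HijackGuard";
    // Permissions the article calls sensitive: global alert window and reading the task stack.
    private static final List<String> SENSITIVE = Arrays.asList(
            "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.GET_TASKS");
    private boolean resumed;
    @Override protected void onResume() { super.onResume(); resumed = true; }
    @Override protected void onPause() { super.onPause(); resumed = false; }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        // Resumed yet without focus: some other window has been drawn over the login screen.
        // (Dialogs opened by this app itself also take focus; real code should exclude those.)
        if (resumed && !hasFocus && sensitiveProcessRunning(this)) {
            Log.w(TAG, "login screen lost focus while an overlay-capable app is running"); // warn the user here
        }
    }

    // Assumed trust rule: our own package or the platform/system packages.
    static boolean isTrusted(Context ctx, String pkg) {
        return pkg.equals(ctx.getPackageName()) || pkg.equals("android") || pkg.startsWith("com.android.");
    }

    // True if another running process belongs to a package requesting a sensitive permission.
    // (getRunningAppProcesses() is restricted on newer Android and may list only our own process.)
    static boolean sensitiveProcessRunning(Context ctx) {
        ActivityManager am = (ActivityManager) ctx.getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs == null) return false;
        for (ActivityManager.RunningAppProcessInfo p : procs)
            for (String pkg : p.pkgList)
                if (!isTrusted(ctx, pkg) && requestsSensitive(ctx, pkg)) return true;
        return false;
    }
    static boolean requestsSensitive(Context ctx, String pkg) {
        try {
            String[] req = ctx.getPackageManager().getPackageInfo(pkg, PackageManager.GET_PERMISSIONS).requestedPermissions;
            if (req != null) for (String s : req) if (SENSITIVE.contains(s)) return true;
        } catch (PackageManager.NameNotFoundException ignored) { }
        return false;
    }
}
```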
How to place decompilation "bombs" in Android APK
The "bombs" mentioned in the article above are actually decompiler bugs, so different "bombs" must be designed for different decompilers. Let's first look at the commonly used APK decompilation tools:
● baksmali/smali: baksmali converts binary dex files into smali text files for analysis, and smali recompiles smali files back into dex files.
● Apktool: integrates baksmali/smali for processing dex files and also decompiles res resource files (such as layout and strings).
● AxmlPrinter: converts the binary form of AndroidManifest.xml into its text form.
● dex2jar: converts dex files into jar files.
● jd-gui: decompiles jar files into Java source code.
● IDA Pro: mainly used to decompile the .so files in an APK. It also supports decompiling dex files into text-form instructions similar to smali syntax.
As the tools above show, decompilation mainly involves three functions:
● Decompiling resources, such as AndroidManifest.xml and layout.xml
● Decompiling the dex file, or converting it to Java code
● Decompiling the .so file
Placing a "bomb" requires a thorough understanding of the specific file format, and a given "bomb" may only work against one particular decompilation tool.
How does Android app encrypt?
An Android app is made up of dex files, so files, and res and assets resources. App encryption therefore covers three main areas: protection of dex files, encryption of so files, and protection of resource files (res and assets).
● dex protection
An unencrypted dex file is the direct output of Java compilation and packaging, so it is cheap to crack and vulnerable to attack. From the most basic form of packing, through function-body extraction and dynamic loading, to today's VMP (virtual machine) protection, these solutions have gradually raised the level of security. VMP hardening in particular uses a self-developed virtual machine to interpret the function body; if instruction encryption and replacement are used well, cracking becomes very difficult.
● so encryption
Protection of so files has evolved from the initial segment encryption to encryption based on a custom ELF structure, which prevents IDA from viewing function names and raises the cost and difficulty of cracking.
● Resource Protection
res resource files usually rely only on obfuscation to increase the difficulty of reverse engineering, and assets resources are generally not processed at all. With the growing number of H5 applications, some vendors (such as Yidun and Naga) now offer assets encryption, but their implementation principles are not public.
In addition to the three areas of protection above, there are also anti-decompilation, anti-secondary-packaging, anti-debugging, anti-emulator and anti-Xposed functions, etc.
a) To prevent decompilation, the decompilation tools on the market (such as apktool) are usually countered by exploiting their bugs so that decompilation fails.
b) To prevent secondary packaging, the signature information is generally stored in the code, and at startup the signature of the current APK is compared with the saved signature in the native layer. Tools that bypass this already exist on the market, so the common implementations can be upgraded.
c) Anti-debugging: the process ptraces itself, preventing crackers from attaching with ptrace.
d) Anti-emulator: detect the /system/bin/su and /system/xbin/su files.
e) Anti-Xposed: check the methodCache of XposedHelpers to determine whether the app has been hooked.
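As an added example that is not part of the original article, Java versions of checks b) and e): a signing-certificate digest comparison (the article places this in the native layer; the Java form here is a simplification) and a reflective look at the methodCache field of XposedHelpers. The class and method names and the EXPECTED_SHA256 placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.lang.reflect.Field;
import java.security.MessageDigest;
import java.util.Map;

// Added example, not the article's code: Java versions of checks b) and e) above.
// EXPECTED_SHA256 is a placeholder; fill in the SHA-256 of the release signing certificate.
public final class IntegrityChecks {
    static final String EXPECTED_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256_HEX";

    // b) Anti-repackaging: a repackaged APK must be re-signed with the attacker's key,
    // so its certificate digest no longer matches the one embedded at build time.
    // GET_SIGNATURES is deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES.
    @SuppressWarnings("deprecation")
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                if (EXPECTED_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) return true;
            }
        } catch (Exception e) { /* any failure counts as a mismatch */ }
        return false;
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // e) Anti-Xposed: XposedHelpers keeps resolved methods in a static methodCache map.
    // The class being loadable at all means XposedBridge has been injected into this process.
    public static boolean xposedHookDetected() {
        try {
            Class<?> helpers = Class.forName("de.robv.android.xposed.XposedHelpers");
            Field f = helpers.getDeclaredField("methodCache");
            f.setAccessible(true);
            Map<?, ?> cache = (Map<?, ?>) f.get(null);
            return cache != null && !cache.isEmpty();
        } catch (ClassNotFoundException e) {
            return false; // Xposed is not present in this process
        } catch (Exception e) {
            return true;  // class present but field hidden or renamed: treat as tampered (design choice)
        }
    }
}
```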
The above is the full content of How to encrypt an Android app. For more information, please follow the related articles on the PHP Chinese website.