Exploration of AndroidManifest.xml File Security

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Secbang.comsimeon

Recently, we did some security testing of APKs and studied the AndroidManifest.xml file. This article introduces the function and architecture of the AndroidManifest.xml file and examines some vulnerabilities in the AndroidManifest.xml configuration file.

0x00 The function of the AndroidManifest.xml file

The AndroidManifest.xml file plays a very important role; it is indispensable. The official Android documentation (https://developer.android.com/guide/topics/manifest/manifest-intro.html) defines it as follows: every application must have an AndroidManifest.xml file (with exactly that name) in its root directory. The manifest file provides the Android system with essential information about the application, which the system must have before it can run any of the application's code. In other words, an app runs on the Android system, and to do so it must supply information to the system; that information is stored in AndroidManifest.xml. In a project, AndroidManifest.xml is stored in the app/src/main/ directory. After the APK file is unpacked, the file appears garbled and must be converted before it can be viewed properly.

0x01 Main functions

1. Names the application's Java package; the package name serves as the unique identifier of the application.

2. Describes the components of the application, including the activities, services, broadcast receivers, and content providers that make it up. It also names the classes that implement each component and publishes their capabilities, such as the Intent messages they can handle. These declarations tell the Android system what the components are and under what conditions they can be started.

3. Determines which processes host the application components.

4. Declares the permissions the application must have to access protected parts of the API and to interact with other applications. It also declares the permissions that others are required to have to interact with the application's components.

5. Lists the Instrumentation classes that provide profiling and other information while the application is running. These declarations are present only while the application is being developed and are removed before the application is released.

6. Declares the minimum Android API level that the application requires.

7. Lists the libraries that the application must be linked against.

0x02 Manifest architecture

Of the allowed elements, those shown in blue are the common preset elements; of these, <manifest> and <application> are required and can each occur only once. Each element has its own attributes; the number of attributes varies, and each attribute has a default value that can be changed as needed.

1. Preset AndroidManifest.xml

Annotations in the preset listing: the version number shown to the user; the target version (defaults to minSdkVersion if not set); the app style; the name displayed at the top of the screen when the app is opened; the activity launch mode; MAIN indicates that the activity is the app entry point; shown in the application list.

2. Sample standard AndroidManifest.xml file

. . . . . . . . . .

0x03 File conventions and syntax

From the code above, we can see that the Android configuration file uses XML as its description language. Each XML tag has a different meaning, and most configuration parameters are placed in the attributes of the tags. Let's go through the main elements and tags of the Android configuration file in the order they appear in the sample configuration file above.

1. Elements

Of all the elements, only <manifest> and <application> are required; each must be present and can occur only once. If an element contains anything, it contains other elements; values are set through attributes rather than as text inside the element. Elements at the same level are generally not ordered. For example, <activity>, <provider>, and <service> elements can be mixed in any order. There are two key exceptions to this rule:

An <activity-alias> element must follow the <activity> element for which it is an alias.

The <application> element must be the last element inside the <manifest> element. In other words, the </application> closing tag must appear immediately before the </manifest> closing tag.

2. Attributes

Normally, all attributes are optional, but some must be set for an element to achieve its purpose. Except for some attributes of the root <manifest> element, all attribute names are prefixed with android:

Defining class names: all element names correspond to their class names in the SDK. If you define the class name yourself, you must include the package name of the class. If the class is in the same package as the application, the package name can be abbreviated to a leading "."

3. Declaring class names

Many elements correspond to Java objects, including the element for the application itself (<application>) and its main components: activities (<activity>), services (<service>), broadcast receivers (<receiver>), and content providers (<provider>).

If you define a subclass, as you almost always do for the component classes (Activity, Service, BroadcastReceiver, and ContentProvider), the subclass is declared through the name attribute. The name must include the full package name. For example, a Service subclass might be declared as follows:

. . . . . .

4. Multiple values

If more than one value can be specified, the element is repeated, rather than multiple values being listed within a single attribute. For example, an intent filter can list several actions:

. . .

5. Resource values

Some attributes have values that can be displayed to the user, such as the label and icon of an activity. The values of these attributes should be localized and set from a resource or theme. Resource values are expressed in the following format:

@[package:]type/name

If the resource is in the same package as the application, the package name can be omitted. The type is a kind of resource, such as string or drawable, and the name is the name that identifies the specific resource. For example:

Theme values are expressed similarly, but with an initial "?" instead of "@":

?[package:]type/name

Note: the package of the resource or theme must be either "android" or the application's own package.

6. String values

Where an attribute value is a string, double backslashes (\\) must be used to escape characters, such as \\n for a newline or \\uxxxx for a Unicode character.

7. Intent filters

The core components of an application, such as activities, services, and broadcast receivers, are activated by Intents. An Intent is a bundle of information (an Intent object) that describes a desired action, including the data to be acted on, the category of component that should perform the action, and other relevant instructions. The Android system locates an appropriate component to respond to the intent, starts a new instance of the component if necessary, and passes it the Intent object.

Components advertise the kinds of intents they can respond to through intent filters. Because the Android system must learn which intents a component can handle before it launches the component, intent filters are specified in the manifest as <intent-filter> elements. A component can have any number of filters, each describing a different capability. An intent that explicitly names a target component activates that component, so the filter plays no role. An intent that does not specify a target by name can activate a component only if it can pass through one of the component's filters.

8. Icons and labels

Many elements have icon and label attributes for a small icon and a text label that can be displayed to the user. Some also have a description attribute for longer explanatory text that can also be shown on screen. For example, the <permission> element has all three attributes, so that when the user is asked whether to grant the permission to an application that has requested it, an icon representing the permission, the name of the permission, and a description of what it entails can all be presented.

In every case, the icon and label set in a containing element become the default icon and label settings for all of the container's child elements. Thus, the icon and label set in the <application> element are the default icon and label for each of the application's components. Similarly, the icon and label set for a component, such as an <activity> element, are the default settings for each of the component's <intent-filter> elements. If an <application> element sets a label, but an activity and its intent filter do not, the application label is treated as the label for both the activity and the intent filter.

The icon and label set for an intent filter represent the component whenever it is presented to the user as fulfilling the function advertised by the filter. For example, a filter with android.intent.action.MAIN and android.intent.category.LAUNCHER settings advertises an activity as one that starts an application. That is, it should be displayed in the application launcher. The icon and label set in the filter are the ones displayed in the launcher.

9. Permissions

A permission is a restriction that limits access to a part of the code or to data on the device. The restriction is imposed to protect critical data and code that could be misused to distort or damage the user experience.

Each permission is identified by a unique label. The label usually indicates the restricted action. Here are some of the permissions defined by Android:

android.permission.CALL_EMERGENCY_NUMBERS

android.permission.READ_OWNER_DATA

android.permission.SET_WALLPAPER

android.permission.DEVICE_POWER

A feature can be protected by at most one permission. If an application needs access to a feature protected by a permission, it must declare that it requires that permission with a <uses-permission> element in the manifest. When the application is installed on the device, the installer determines whether to grant the requested permission by checking the authorities that signed the application's certificates and, in some cases, asking the user. If the permission is granted, the application can use the protected features. If not, its attempts to access those features fail without any notification to the user.

An application can also protect its own components with permissions. It can use any of the permissions defined by Android (listed in android.Manifest.permission) or declared by other applications, or it can define its own. A new permission is declared with the <permission> element. For example, an activity can be protected as follows:

. . . . . .

Note that in this example the DEBIT_ACCT permission is not only declared with the <permission> element; its use is also requested with the <uses-permission> element. Its use must be requested in order for other components of the application to launch the protected activity, even though the protection is imposed by the application itself.
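The DEBIT_ACCT arrangement described above can be checked mechanically on a decoded manifest. The following is an added example, not code from the original article: the sample manifests are constructed, and the com.example.project package, the component names, and the issue labels are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: the permission is declared, requested, and used to
# protect one activity, as in the DEBIT_ACCT note.
SAMPLE_OK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.project">
    <permission android:name="com.example.project.DEBIT_ACCT" />
    <uses-permission android:name="com.example.project.DEBIT_ACCT" />
    <application>
        <activity android:name=".FreneticActivity"
                  android:permission="com.example.project.DEBIT_ACCT" />
    </application>
</manifest>
"""

# Constructed sample with two mistakes: the <uses-permission> element is
# missing, and one receiver names a permission that is never declared here.
SAMPLE_BAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.project">
    <permission android:name="com.example.project.DEBIT_ACCT" />
    <application>
        <activity android:name=".FreneticActivity"
                  android:permission="com.example.project.DEBIT_ACCT" />
        <receiver android:name="com.example.project.PayReceiver"
                  android:permission="com.example.project.DEBIT_ACCOUNT" />
        <service android:name="ReaderService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" />
    </application>
</manifest>
"""


def qualify(package, name):
    """Expand a shorthand class name: ".Foo" or "Foo" is relative to the package."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def check_component_permissions(manifest_xml):
    """Return (component, permission, issue) tuples for protected components."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    declared = {e.get(ANDROID + "name") for e in root.iter("permission")}
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}

    findings = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        perm = comp.get(ANDROID + "permission")
        if perm is None:
            continue  # component is not protected by a permission
        if perm.startswith("android.permission."):
            continue  # defined by Android itself, nothing to declare here
        name = qualify(package, comp.get(ANDROID + "name", ""))
        if perm not in declared:
            # Either declared by another application or a misspelled name.
            findings.append((name, perm, "not-declared-here"))
        elif perm not in requested:
            # Declared with <permission> but never requested with <uses-permission>.
            findings.append((name, perm, "declared-but-not-requested"))
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_component_permissions(sample))
```
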

0x04 Meaning of permission attribute values

ACCESS_CHECKIN_PROPERTIES: allows read / write access to table "properties" in the checkin database to change the uploaded value.

ACCESS_COARSE_LOCATION: allows the application to access the approximate location.

ACCESS_FINE_LOCATION: allows applications to access the exact location.

ACCESS_LOCATION_EXTRA_COMMANDS: allows applications to access additional location provider commands.

ACCESS_NETWORK_STATE: allows applications to access information about the network.

ACCESS_NOTIFICATION_POLICY: marker permission for applications that want to access the notification policy.

ACCESS_WIFI_STATE: allows applications to access information about the Wi-Fi network.

ACCOUNT_MANAGER: allows applications to call AccountAuthenticator.

ADD_VOICEMAIL: allows applications to add voicemail to the system.

ANSWER_PHONE_CALLS: allows applications to answer incoming calls.

BATTERY_STATS: allows applications to collect battery statistics

BIND_ACCESSIBILITY_SERVICE: must be required by an AccessibilityService to ensure that only the system can bind to it.

BIND_APPWIDGET: allows applications to tell the AppWidget service which applications can access AppWidget's data.

BIND_AUTOFILL_SERVICE: must be required by an AutofillService to ensure that only the system can bind to it.

BIND_CARRIER_MESSAGING_SERVICE: this constant was deprecated in API level 23. Use BIND_CARRIER_SERVICES instead.

BIND_CARRIER_SERVICES: the system process that is allowed to bind to services in carrier applications will have this permission.

BIND_CHOOSER_TARGET_SERVICE: must be required by a ChooserTargetService to ensure that only the system can bind to it.

BIND_CONDITION_PROVIDER_SERVICE: must be required by a ConditionProviderService to ensure that only the system can bind to it.

BIND_DEVICE_ADMIN: must be required by a device administration receiver to ensure that only the system can interact with it.

BIND_DREAM_SERVICE: must be required by a DreamService to ensure that only the system can bind to it.

BIND_INCALL_SERVICE: must be required by an InCallService to ensure that only the system can bind to it.

BIND_INPUT_METHOD: must be required by an InputMethodService to ensure that only the system can bind to it.

BIND_MIDI_DEVICE_SERVICE: must be required by a MidiDeviceService to ensure that only the system can bind to it.

BIND_NFC_SERVICE: must be required by a HostApduService or OffHostApduService to ensure that only the system can bind to it.

BIND_NOTIFICATION_LISTENER_SERVICE: must be required by a NotificationListenerService to ensure that only the system can bind to it.

BIND_PRINT_SERVICE: must be required by a PrintService to ensure that only the system can bind to it.

BIND_QUICK_SETTINGS_TILE: allows applications to bind to third-party quick settings tiles.

BIND_REMOTEVIEWS: must be required by a RemoteViewsService to ensure that only the system can bind to it.

BIND_SCREENING_SERVICE: must be required by a CallScreeningService to ensure that only the system can bind to it.

BIND_TELECOM_CONNECTION_SERVICE: must be required by a ConnectionService to ensure that only the system can bind to it.

BIND_TEXT_SERVICE: must be required by a TextService.

BIND_TV_INPUT: must be required by a TvInputService to ensure that only the system can bind to it.

BIND_VISUAL_VOICEMAIL_SERVICE: must be required by a VisualVoicemailService to ensure that only the system can bind to it.

BIND_VOICE_INTERACTION: must be required by a VoiceInteractionService to ensure that only the system can bind to it.

BIND_VPN_SERVICE: must be required by a VpnService to ensure that only the system can bind to it.

BIND_VR_LISTENER_SERVICE: must be required by a VrListenerService to ensure that only the system can bind to it.

BIND_WALLPAPER: must be required by a WallpaperService to ensure that only the system can bind to it.

BLUETOOTH: allows applications to connect to paired Bluetooth devices.

BLUETOOTH_ADMIN: allows applications to discover and pair Bluetooth devices.

BLUETOOTH_PRIVILEGED: allows applications to pair Bluetooth devices without user interaction and allows or disables phonebook access or message access.

BODY_SENSORS: allows applications to access data from sensors that users use to measure what is going on in the body, such as heart rate.

BROADCAST_PACKAGE_REMOVED: allows the application to broadcast notifications that the application package has been deleted.

BROADCAST_SMS: allows applications to broadcast SMS receipt notifications.

BROADCAST_STICKY: allows applications to broadcast sticky intentions.

BROADCAST_WAP_PUSH: allows applications to broadcast WAPPUSH receipt notifications.

CALL_PHONE: allows the application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

CALL_PRIVILEGED: allows the application to call any phone number, including emergency numbers, without going through the Dialer user interface for the user to confirm the call being placed.

CAMERA: required to be able to access the camera device.

CAPTURE_AUDIO_OUTPUT: allows applications to capture audio output.

CAPTURE_SECURE_VIDEO_OUTPUT: allows applications to capture secure video output.

CAPTURE_VIDEO_OUTPUT: allows applications to capture video output.

CHANGE_COMPONENT_ENABLED_STATE: allows the application to change whether the application component (not its own) is enabled.

CHANGE_CONFIGURATION: allows the application to modify the current configuration, such as the locale.

CHANGE_NETWORK_STATE: allows the application to change the network connection status.

CHANGE_WIFI_MULTICAST_STATE: allows applications to enter Wi-Fi multicast mode.

CHANGE_WIFI_STATE: allows applications to change the state of the Wi-Fi connection.

CLEAR_APP_CACHE: allows the application to clear the cache of all installed applications on the device.

CONTROL_LOCATION_UPDATES: enables / disables location update notifications for radios.

DELETE_CACHE_FILES: allows applications to delete cache files.

DELETE_PACKAGES: allows applications to remove packages.

DIAGNOSTIC: allows applications to read and write diagnostic resources.

DISABLE_KEYGUARD: allows applications to disable the keyguard if it is not secure.

DUMP: allows applications to retrieve status dump information from system services.

EXPAND_STATUS_BAR: allows the application to expand or collapse the status bar.

FACTORY_TEST: run as a manufacturer test application, as the root user.

GET_ACCOUNTS: allows access to the list of accounts in the account service.

GET_ACCOUNTS_PRIVILEGED: allows access to the list of accounts in the account service.

GET_PACKAGE_SIZE: allows the application to find the space used by any package.

GET_TASKS: this constant has been deprecated in API level 21. No longer enforced.

GLOBAL_SEARCH: this permission can be applied to content providers to allow the global search system to access their data.

INSTALL_LOCATION_PROVIDER: allows applications to install location providers into the location manager.

INSTALL_PACKAGES: allows applications to install software packages.

INSTALL_SHORTCUT: allows applications to install shortcuts in Launcher.

INSTANT_APP_FOREGROUND_SERVICE: allows instant apps to create foreground services.

INTERNET: allows applications to open network sockets.

KILL_BACKGROUND_PROCESSES: allows applications to call killBackgroundProcesses (String).

LOCATION_HARDWARE: allows applications to use location features in hardware, such as the geofencing API.

MANAGE_DOCUMENTS: allows applications to manage access to documents, usually as part of a document picker.

MANAGE_OWN_CALLS: allows a calling application that manages its own calls through the self-managed ConnectionService APIs.

MASTER_CLEAR: not applicable to third-party applications.

MEDIA_CONTENT_CONTROL: allows the application to know what is playing and control its playback.

MODIFY_AUDIO_SETTINGS: allows applications to modify global audio settings.

MODIFY_PHONE_STATE: allows modification of the telephony state: power on, mmi, etc.

MOUNT_FORMAT_FILESYSTEMS: allows formatting file systems for removable storage.

MOUNT_UNMOUNT_FILESYSTEMS: allows you to mount and unmount file systems for removable storage.

NFC: allows applications to perform I / O operations through NFC.

PACKAGE_USAGE_STATS: allows the application to collect component usage statistics. Declaring the permission implies intention to use the API, and the user of the device can grant the permission through the Settings application.

PERSISTENT_ACTIVITY: this constant has been deprecated in API level 9. This feature will be removed later; please do not use it. Allows the application to keep its activity ongoing.

PROCESS_OUTGOING_CALLS: allows the application to view the phone number being dialed during an outbound call and choose to redirect the call to another number or abort the call completely.

READ_CALENDAR: allows the application to read the user's calendar data.

READ_CALL_LOG: allows the application to read the user's call records.

READ_CONTACTS: allows the application to read the user's contact data.

READ_EXTERNAL_STORAGE: allows applications to read from external memory.

READ_FRAME_BUFFER: allows applications to take screenshots and, more generally, access framebuffer data.

READ_INPUT_STATE: this constant has been deprecated in API level 16. API with this permission has been deleted.

READ_LOGS: allows applications to read the low-level system log files.

READ_PHONE_NUMBERS: allows you to read the phone number of the device.

READ_PHONE_STATE: allows read-only access to the phone status, including the phone number of the device, current cellular network information, the status of any calls in progress, and any list of PhoneAccount registered on the device.

READ_SMS: allows applications to read text messages.

READ_SYNC_SETTINGS: allows applications to read synchronization settings.

READ_SYNC_STATS: allows applications to read synchronization statistics.

READ_VOICEMAIL: allows applications to read voicemail in the system.

REBOOT: required to be able to reboot the device.

RECEIVE_BOOT_COMPLETED: allows applications to receive ACTION_BOOT_COMPLETED broadcasts after the system finishes booting.

RECEIVE_MMS: allows applications to monitor incoming MMS.

RECEIVE_SMS: allows applications to receive text messages.

RECEIVE_WAP_PUSH: allows applications to receive WAP push messages.

RECORD_AUDIO: allows applications to record audio.

REORDER_TASKS: allows applications to change the Z order of tasks.

REQUEST_COMPANION_RUN_IN_BACKGROUND: allows a companion application to run in the background.

REQUEST_COMPANION_USE_DATA_IN_BACKGROUND: allows a companion application to use data in the background.

REQUEST_DELETE_PACKAGES: allows applications to request deletion of packages.

REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: permission an application must hold in order to use ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.

REQUEST_INSTALL_PACKAGES: allows applications to request installation of software packages.

RESTART_PACKAGES: this constant was deprecated in API level 8. The restartPackage(String) API is no longer supported.

SEND_RESPOND_VIA_MESSAGE: allows an application (Phone) to send a request to other applications to handle the respond-via-message action during incoming calls.

SEND_SMS: allows applications to send text messages.

SET_ALARM: allows the application to broadcast Intent to set the alarm clock for the user.

SET_ALWAYS_FINISH: allows the application to control whether activities are immediately finished when put in the background.

SET_ANIMATION_SCALE: modifies the global animation scaling factor.

SET_DEBUG_APP: configure the application for debugging.

SET_PREFERRED_APPLICATIONS: this constant was deprecated in API level 7. No longer useful; see addPackageToPreferred(String) for more information.

SET_PROCESS_LIMIT: allows applications to set the maximum number of (unneeded) application processes that can be run.

SET_TIME: allows the application to set the system time.

SET_TIME_ZONE: allows applications to set the system time zone.

SET_WALLPAPER: allows applications to set the wallpaper.

SET_WALLPAPER_HINTS: allows applications to set the wallpaper hints.

SIGNAL_PERSISTENT_PROCESSES: allows applications to request that a signal be sent to all persistent processes.

STATUS_BAR: allows applications to open, close, or disable the status bar and its icons.

SYSTEM_ALERT_WINDOW: allows applications to create windows using the type TYPE_APPLICATION_OVERLAY, which are displayed on top of all other applications.

TRANSMIT_IR: allows the use of the device's infrared emitter, if any.

UNINSTALL_SHORTCUT: this permission is no longer supported.

UPDATE_DEVICE_STATS: allows applications to update device statistics.

USE_FINGERPRINT: allows applications to use fingerprint hardware.

USE_SIP: allows applications to use SIP services.

VIBRATE: allow access to the vibrator.

WAKE_LOCK: allows the use of PowerManager WakeLocks to prevent the processor from going to sleep or the screen from dimming.

WRITE_APN_SETTINGS: allows applications to write apn settings.

WRITE_CALENDAR: allows the application to write the user's calendar data.

WRITE_CALL_LOG: allows the application to write (rather than read) the user's call log data.

WRITE_CONTACTS: allows the application to write the user's contact data.

WRITE_EXTERNAL_STORAGE: allows applications to write to external storage.

WRITE_GSERVICES: allows applications to modify the Google service map.

WRITE_SECURE_SETTINGS: allows applications to read or write the secure system settings.

WRITE_SETTINGS: allows applications to read or write system settings.

WRITE_SYNC_SETTINGS: allows applications to write synchronization settings.

WRITE_VOICEMAIL: allows applications to modify and delete existing voicemail in the system.

0x05 Obtaining the AndroidManifest.xml file from an apk file

1. Extract the apk file

First, download the apk file and extract it directly with compression software. After extraction succeeds, you will find an AndroidManifest.xml file in the apk directory, as shown in figure 1. When the file is opened with Notepad or IE, the content is garbled, as shown in figure 2.

Figure 1 AndroidManifest.xml file

Figure 2 the contents of the file are garbled.

2. Decoding with androguard

You can download the latest version of androguard or version 1.9.

https://github.com/androguard/androguard/archive/1.9.zip

Copy the AndroidManifest.xml file to the androguard directory. I am using the PentestBox-with-Metasploit-v2.2 platform. Go to the E:\Tools\test platform\PentestBox-with-Metasploit-v2.2\bin\androidsecurity\androguard directory and use the command:

androaxml.py -i AndroidManifest.xml -o new.WoCloud.AndroidManifest.xml

The content can be decoded.

0x06 Decompiling an apk with apktool

Extracting the apk directly as a compressed archive, as above, leaves some files undecoded, so they appear garbled, whereas decompiled files can be viewed properly. Here is how to decompile apk programs using apktool. The result is shown in the following figure.

1. Download apktool.jar

https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.2.4.jar

2. Save the following script as apktool.bat

@echo off
if "%PATH_BASE%" == "" set PATH_BASE=%PATH%
set PATH=%CD%;%PATH_BASE%
java -jar -Duser.language=en "%~dp0\apktool.jar" %*

3. Decompile

(1) decompile directly with java: java -jar apktool.jar d test.apk

(2) decompile using the bat script: apktool -f d test.apk // overwrites any existing decompiled output and its directory

apktool d test.apk

Note: apktool.bat and apktool.jar must be in the same directory, and the downloaded apktool_2.2.4.jar needs to be renamed to apktool.jar

0x07 AndroidManifest.xml default-setting vulnerabilities

1. Risk of the allowBackup default setting in the configuration file

(1) Security risk description

Android systems at API level 8 and above provide backup and restore of application data. This feature is switched by the allowBackup attribute in the application's AndroidManifest.xml file, whose default value is true. When allowBackup is true, users can back up and restore the application's data with adb backup and adb restore, which can introduce security risks. With the attribute set to true, adb backup allows anyone who can turn on USB debugging to copy application data from the Android phone to an external device, and once the data has been backed up, all of it can be read. adb restore, in turn, lets the user specify a data source (that is, previously backed-up application data) from which to restore the application's data. Therefore, once an application's data has been backed up, the same application can be installed on another Android phone or emulator and the backed-up data restored to it; opening the application on that device then returns it to the state of the application that was backed up.

On most current phones, this weakness can easily lead to disclosure of sensitive information such as the personal address book, WeChat and QQ chat messages, and text messages. By restoring the backed-up application on an emulated phone, shop scan payments can be made directly (shop scan payment does not require a payment password), which can easily cause financial loss.

(2) Scope of impact

Android API level 8 (Android 2.2-2.2.3) and above; most systems are currently affected. The Android version and code name corresponding to each API level are listed below:

API level 1: Android 1.0

API level 2: Android 1.1 Petit Four

API level 3: Android 1.5 Cupcake

API level 4: Android 1.6 Donut

API level 5: Android 2.0 Eclair

API level 6: Android 2.0.1 Eclair

API level 7: Android 2.1 Eclair

API level 8: Android 2.2-2.2.3 Froyo

API level 9: Android 2.3-2.3.2 Gingerbread

API level 10: Android 2.3.3-2.3.7 Gingerbread

API level 11: Android 3.0 Honeycomb

API level 12: Android 3.1 Honeycomb

API level 13: Android 3.2 Honeycomb

API level 14: Android 4.0-4.0.2 Ice Cream Sandwich

API level 15: Android 4.0.3-4.0.4 Ice Cream Sandwich

API level 16: Android 4.1 Jelly Bean

API level 17: Android 4.2 Jelly Bean

API level 18: Android 4.3 Jelly Bean

API level 19: Android 4.4 KitKat

API level 20: Android 4.4W KitKat with wearable extensions

API level 21: Android 5.0-5.0.2 Lollipop

(3) Test procedure (using sina.weibo as an example)

Test environment: Windows 7; ADB debugging tool; physical access to target phone 1; phone 1 connected to the PC

Phone 1 and phone 2 are not rooted and have USB debugging enabled; no other applications are installed, and the application under test is not started. Connect phone 1, with USB debugging enabled, to the PC. After the PC has installed the phone driver (automatically or in advance), start the command line interface and enter the following commands:

adb devices

# display the list of connected devices and test whether the phone is connected properly

adb backup -nosystem -noshared -apk -f com.sina.weibo.ab com.sina.weibo

# -nosystem means system applications are not backed up, -noshared means the application's data stored on the SD card is not backed up, -apk means the application's APK installation package is backed up, -f gives the path and file name of the .ab backup file, and the last argument is the packageName of the application to back up

On phone 1, tap "Back up my data" in the backup screen to confirm.

Wait for the backup to complete; the Weibo client data is then backed up as the com.sina.weibo.ab file

Disconnect phone 1

Connect phone 2 and enter the following commands at the command line interface:

adb kill-server # shut down ADB

adb devices # restart ADB and check whether phone 2 is connected successfully

adb restore com.sina.weibo.ab

On phone 2, tap "Restore my data" in the restore screen to confirm.

Wait for the restore to complete

Open the newly installed Weibo client on phone 2. The test shows that the account from phone 1 is logged in and can perform all operations, and that this remains effective for a long time.

(4) Protection

Explicitly set android:allowBackup=false, and keep the default value of android:restoreAnyVersion.

(5) Detecting the vulnerability

After decompiling the apk with a tool such as apktool, open the AndroidManifest.xml file and look for allowBackup. If its value is true, the vulnerability is present, as shown in the following figure.

2. Risk of the debuggable setting

Principle: the android:debuggable attribute specifies whether the application can be debugged. If it is set to true, the application can be debugged with the Java debugger (jdb), and information and code may be obtained and modified.

Protection: the system default is false; use the system default setting.
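The manual check in (5) and the debuggable check can be scripted against the decoded AndroidManifest.xml that apktool produces (not the garbled file extracted directly from the apk). This is an added example, not part of the original article: the sample manifests, package name, and function names are constructed, and the defaults it applies (allowBackup true, debuggable false when the attribute is absent) are the ones the article states.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Effective value when the attribute is absent, as stated in the article.
DEFAULTS = {"allowBackup": True, "debuggable": False}

# Constructed sample: neither attribute is set, so the defaults apply.
DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <application android:label="Example" />
</manifest>
"""

# Constructed sample: both attributes are explicitly disabled.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <application android:allowBackup="false" android:debuggable="false" />
</manifest>
"""

# Constructed sample: a debug build whose allowBackup value is a resource
# reference, which cannot be resolved from the manifest alone.
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <application android:allowBackup="@bool/backup_enabled"
                 android:debuggable="TRUE" />
</manifest>
"""


def effective_flag(app, attr):
    """Return (value, source) for a boolean <application> attribute.

    value is True/False, or None when the manifest holds a resource
    reference that has to be looked up in the decoded resources.
    """
    raw = app.get(ANDROID + attr)
    if raw is None:
        return DEFAULTS[attr], "default"
    text = raw.strip().lower()
    if text in ("true", "false"):
        return text == "true", "explicit"
    return None, "unresolved:" + raw


def audit_manifest(manifest_xml):
    """Map each audited attribute to a (verdict, source) pair."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    report = {}
    for attr in DEFAULTS:
        value, source = effective_flag(app, attr)
        if value is None:
            verdict = "review"      # resolve the resource before deciding
        elif value:
            verdict = "risk"        # backup or debugging is enabled
        else:
            verdict = "ok"
        report[attr] = (verdict, source)
    return report


if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_MANIFEST),
                         ("hardened", HARDENED_MANIFEST),
                         ("debug", DEBUG_MANIFEST)):
        print(name, audit_manifest(sample))
```

A missing allowBackup attribute is reported as a risk with source "default", which is the case a plain text search for allowBackup would miss.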

Reference articles:

1. Summary of common vulnerabilities in android, http://blog.sina.com.cn/s/blog_83f3c04c0102xeow.html

2. https://developer.android.com/guide/topics/manifest/manifest-intro.html

3. http://blog.csdn.net/shuaishenkkk/article/details/18400711

4. https://segmentfault.com/a/1190000002590577
