Shulou(Shulou.com)05/31 Report--

In this article, the editor introduces "how to encrypt Android app" in detail, the content is detailed, the steps are clear, and the details are handled properly. I hope this article "how to encrypt Android app" can help you solve your doubts.

I. what is Android interface hijacking

Interface hijacking means that in the Android system, malicious software monitors the operation of the target software and pops up forged phishing pages when it detects that the current running interface is a specific interface of a monitored application (usually login or payment interface), so as to induce users to enter information, and finally steal users' privacy (malicious theft of user account number, card number, password and other information), or use fake interface to carry out phishing fraud.

Two. common means of attack

1. Monitor the Logocat log of the system, and once the Activity interface switching behavior is detected, the attack will be carried out, and the fake Activity interface will be covered to cheat.

two。 The listening system API can launch an attack once the malicious program listens to the call of the API component of the relevant interface.

3. 5.0 models below enumerate to obtain the top Activity of the stack, monitor the presence of the target Activity, and then launch an attack.

4. Maliciously start Service to listen to the target application, and when switching to the target Activity, a pop-up dialog box hijacks the current interface to confuse the user

III. Preventive measures

● is for users

Every Android phone has a home button, and you can press it for a long time to see the recent tasks. When users want to enter a password to log in, they can view the recent tasks by pressing the HOME key for a long time. For example, if you log on to Wechat for a long time, press to find that the recent task has appeared on Wechat. Then the login interface now is very likely to be a maliciously disguised Activity. Switch to another program, and then check the recent tasks, and then you can know which program this login interface comes from.

● is aimed at developers

Aiming at phishing Activity hijacking, check whether the front-end Activity application is itself or the system application in the onPause method of key Activity such as login window or user privacy input. If malicious risk is found, give the user some warning information, prompt the user to login interface to be overwritten, and give the name of the class that covers the normal Activity.

If it is for the hijacking of the dialog box type of pop-up window, take over the life cycle of Activity, and when the current interface onResume is found, it will determine whether the focus is lost; if it exists at the same time, it may be a dialog box class hijacking to determine whether the active process running at this time contains sensitive permissions (global Alert permission, obtaining task stack permission, etc.), and alert the user if there is any.

How to place decompiled "bomb" in APK of Android

The "bomb" mentioned in the above article is actually the bug of decompiler, so different "bombs" need to be designed for different decompilers. Let's take a look at the common APK decompilation tools:

● baksmali/smali: baksmali converts binary dex files into smali text files for analysis, and smali recompiles smali files into dex files.

● Apktool: integrates baksmali/smali for processing dex files, and decompiles res resource files (such as layout / strings, etc.).

● AxmlPrinter: AndroidManifest.xml used to convert AndroidManifest.xml in binary form to text form.

● dex2jar: can convert dex to jar files.

● jd-gui: ability to decompile jar files into java source code.

● Ida Pro: mainly used to decompile So files in Apk, but also supports decompilation of dex files into text-based instructions similar to smali syntax.

As you can see from the decompilation tool above, there are three main functions:

● decompilation resources, such as AndroidManifest.xml, layout.xml

● decompiles the Dex file, or further converts the Dex file into Java code

● decompiled So files

The "bomb" setting requires a good understanding of a specific file format and may only be specific to a decompiler.

How is Android app encrypted?

Android app contains dex files, so files, and res,assets resource files. According to this content, the corresponding encryption is divided into three aspects: dex protection, so encryption, resource protection (res, assets).

● dex protection

Because the unprotected dex files are compiled and packaged from java, the cracking cost is low and vulnerable to attack. The protection measures from the most basic shell, to function executor extraction, dynamic loading, and then to the current vmp virtual machine reinforcement, the security is gradually enhanced. In particular, vmp hardening, but also the use of self-developed virtual machine interpretation function body, if the instruction encryption replacement is done well, it will make the cracker very uncomfortable.

● so encryption

So files, from the initial segment encryption to custom elf structure encryption, can prevent IDA from viewing function names and increase the cost and difficulty of cracking.

● resource protection

Res resource files, usually only use confusion to increase the reverse difficulty. Assets resources are generally not processed. However, H5 applications are increasing at any time, and some manufacturers (Yi Dun, Naga) have the function of providing assets encryption, the principle of which is unknown.

In addition to the above three points of protection, there are anti-decompilation, anti-secondary packaging, anti-debugging, anti-simulator, anti-xposed functions.

A) Anti-decompilation, usually against decompilation tools on the market (such as apktool), exploiting its loopholes and causing decompilation to fail

B) to prevent secondary packaging, it is commonly used to save the signature information in the code and compare the current apk signature information with the saved signature in the native layer when starting. There are already attack tools on the market. You can do some upgrades in common implementations.

C) Anti-debugging, through the ptrace process, prevent the cracker from debugging again ptrace.

D) Anti-simulator, detect / system/bin/su and / system/xbin/su files.

E) Anti-xposed, by detecting the methodCache of XposedHelpers to determine whether it is hook.

After reading this, the article "how to encrypt Android app" has been introduced. If you want to master the knowledge points of this article, you still need to practice and use it yourself. If you want to know more about related articles, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.