当前位置:网站首页>Test APK exception control netlocation attacker development
Test APK exception control netlocation attacker development
2022-06-10 20:57:00 【Fadi】
1. Purpose
be based on 《 Application experience standard of software Green Alliance 》 in NetLocation The definition of resources , Into the NetLocation Frequent tests apk. Designed to trigger abnormal power consumption control mechanism in mobile phones .
2. testing procedure
H Mobile phones and T mobile phone 、 Other mobile phones for installation apk.
All mobile phones need to set the app to white list .
2.1 Mobile phone white list setting method :
Cell phone manager -> Apply startup settings : Allow self starting 、 Allow association to start 、 Allow background startup 
2.2 Test environment
- Must be turned on GPS and WiFi Connect , And on again app To test
- home Back to the table , Screen off at least 30 Minutes or more , Then highlight the screen to view the message notification bar
2.2 dump Relevant command
2.2.1 adb shell dumpsys appops --op X
purpose X: Get mobile app location information
APP_OP_COARSE_LOCATION = 0
APP_OP_FINE_LOCATION = 1
APP_OP_MONITOR_LOCATION = 41
APP_OP_MONITOR_HIGH_POWER_LOCATION = 42
APP_OP_MOCK_LOCATION = 58
APP_OP_ACCESS_MEDIA_LOCATION = 90
APP_OP_FINE_LOCATION_SOURCE = 108
APP_OP_COARSE_LOCATION_SOURCE = 109
for example :adb shell dumpsys appops --op 41
$ adb shell dumpsys appops --op 41
Current AppOps Service state:
Settings:
top_state_settle_time=+5s0ms
fg_service_state_settle_time=+5s0ms
bg_state_settle_time=+1s0ms
Uid 1000:
state=pers
capability=LCMN
appWidgetVisible=false
Package android:
MONITOR_LOCATION (allow / switch COARSE_LOCATION=allow):
null=[
Access: [pers-s] 2022-04-22 17:43:07.078 (-5d4h11m26s922ms) duration=+35s984ms
]
SensorNotificationService=[
Access: [pers-s] 2022-04-20 22:12:25.441 (-6d23h42m8s559ms) duration=+2d0h15m48s945ms
]
GnssService=[
Access: [pers-s] 2022-04-22 17:43:28.020 (-5d4h11m5s980ms) duration=+9s997ms
]
2.2.2 adb shell dumpsys location
purpose X: Get mobile app location information
2.2 Run this apk
2.3 Log view
adb shell dumpsys appops --op 41
Uid u0a398:
state=top
startNesting=2
Package com.sufadi.blocaknetlocation:
MONITOR_LOCATION (allow / switch COARSE_LOCATION=allow):
Access: [top-s] 2022-06-06 13:57:20.258 (-1m31s751ms)
Running start at: +1m31s750ms
startNesting=1
3. apk Source code
Ben apk effect : Use only network location , But the background has been unlimited network location monitoring .
3.1 UI
3.2 Core logic
3.2.1 MainActivity
package com.sufadi.blocaknetlocation
import android.Manifest
import android.content.Intent
import android.content.pm.PackageManager
import androidx.appcompat.app.AppCompatActivity
import android.os.Bundle
import android.util.Log
import android.widget.Toast
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat
class MainActivity : AppCompatActivity() {
companion object {
val TAG = "blocaknetlocation_MainActivity"
val REQUES_CODE_OK = 200
}
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_main)
applyPermission()
}
fun applyPermission() {
if(ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION) != PackageManager.PERMISSION_GRANTED
|| ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_COARSE_LOCATION) != PackageManager.PERMISSION_GRANTED
|| ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_BACKGROUND_LOCATION) != PackageManager.PERMISSION_GRANTED){// Location permission is not enabled
Log.d(TAG, "applyPermission")
ActivityCompat.requestPermissions(this, arrayOf(
Manifest.permission.ACCESS_FINE_LOCATION,
Manifest.permission.ACCESS_COARSE_LOCATION), REQUES_CODE_OK)
} else {
Log.d(TAG, "startService BlockNetLocationService")
startService(Intent(this, BlockNetLocationService::class.java))
}
}
override fun onRequestPermissionsResult(
requestCode: Int,
permissions: Array<String>,
grantResults: IntArray) {
when (requestCode) {
REQUES_CODE_OK-> if (grantResults.size == 2 &&
grantResults[0] == PackageManager.PERMISSION_GRANTED) {
for (grant in grantResults) {
Log.d(TAG, "grant: $grant")
}
ActivityCompat.requestPermissions(this, arrayOf(
Manifest.permission.ACCESS_BACKGROUND_LOCATION), REQUES_CODE_OK)
/*Toast.makeText([email protected], " Location permission is not enabled , Please manually go to the setting to open the permission ", Toast.LENGTH_LONG).show()
finish()*/
} else {
Log.d(TAG, "startService BlockNetLocationService 1")
startService(Intent(this, BlockNetLocationService::class.java))
}
}
super.onRequestPermissionsResult(requestCode, permissions, grantResults)
}
}
3.2.2 BlockNetLocationService
It mainly monitors network positioning
package com.sufadi.blocaknetlocation
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.app.Service
import android.content.Context
import android.content.Intent
import android.location.Location
import android.location.LocationListener
import android.location.LocationManager
import android.os.Bundle
import android.os.IBinder
import android.util.Log
class BlockNetLocationService: Service() {
companion object {
val TAG = "BlockNetLocationService"
val FORGROUND_ID = 0x11
}
lateinit var locationManager: LocationManager
lateinit var netWorkListener: NetworkListener
override fun onBind(p0: Intent?): IBinder? {
return null
}
override fun onCreate() {
super.onCreate()
Log.d(TAG, "onCreate")
startMyForeground()
locationManager = getSystemService(Context.LOCATION_SERVICE) as LocationManager
netWorkListener = NetworkListener()
locationManager.requestLocationUpdates(LocationManager.NETWORK_PROVIDER, 1000L, 0f, netWorkListener)
}
override fun onDestroy() {
super.onDestroy()
locationManager.removeUpdates(netWorkListener)
stopForeground(true)
}
inner class NetworkListener : LocationListener {
// Change of position
override fun onLocationChanged(location: Location) {
val latitude = location.latitude// dimension
val longitude = location.longitude// longitude
// Displays the current coordinates
Log.d(TAG, " Network location location:($latitude,$longitude)")
}
// gps One of the satellites has not been found
override fun onStatusChanged(provider: String, status: Int, extras: Bundle) {
Log.d(TAG, " Network location onStatusChanged:provider$provider,status: $status, extras:$extras")
}
// A setting is turned on
override fun onProviderEnabled(provider: String) {
Log.d(TAG, " Network location onProviderEnabled$provider")
}
// A setting is turned off
override fun onProviderDisabled(provider: String) {
Log.d(TAG, " Network location onProviderDisabled$provider")
}
}
private fun startMyForeground() {
Log.d(TAG, "startMyForeground show notification")
Log.d(TAG, "PhoneDataService startMyForeground sdk :" + android.os.Build.VERSION.SDK_INT)
val nb = Notification.Builder(this)
if (android.os.Build.VERSION.SDK_INT >= 26) {
val CHANNEL_ONE_ID = "channel_id_foreground"
val CHANNEL_ONE_NAME = "Channel One"
var notificationChannel: NotificationChannel? = null
notificationChannel = NotificationChannel(
CHANNEL_ONE_ID,
CHANNEL_ONE_NAME, NotificationManager.IMPORTANCE_LOW
)
nb.setChannelId(CHANNEL_ONE_ID)
val manager = getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
manager.createNotificationChannel(notificationChannel)
}
nb.setSmallIcon(R.mipmap.ic_launcher)
nb.setContentTitle(getString(R.string.notification_title))
nb.setContentText(getString(R.string.notification_Content))
try {
startForeground(FORGROUND_ID, nb.build())
} catch (e: Exception) {
e.printStackTrace()
}
}
}
3.3 Analysis that does not trigger message notification
2022-06-06 17:31:41.988 2490-3391/? I/APwActAnalysis: can not process the net location app: com.sufadi.blocaknetlocation
655 private void analyseNetLocationAct(AppPowerRecord arg18, long arg19) {
656 AppPowerActAnalysis v0 = this;
657 long v10 = arg18.getNetLocationTime();
658 int v12 = 12;
659 int v13 = arg18.getPowerLevel(v12);
660 String v14 = arg18.mAppName;
661 if(v13 == 2 || v13 == 3) {
662 AppActAnalyzer v15 = v0.getAnalyzer(v12);
663 if(v15 != null) {
664 v15.initActAnalyzer(v14, v10, arg19, 1, v13);
665 int v8 = v15.startActAnalyzer();
666 if(v8 == 1) {
667 Log.i("APwActAnalysis", "a abnormal net location app, K_L : " + v14);
668 v0.mAppPowerSave.dispatchAbnormalApp(v14, v12, v10, 1, arg19);
669 }
670 else if(v8 == -1) {
671 Log.i("APwActAnalysis", "net location high power app: " + v14 + " level: " + v13 + " duration:" + v10);
672 v0.mAppPowerSave.handleHighPowerApp(v14, v12, v10, arg19);
673 }
674 else {
675 Log.i("APwActAnalysis", "can not process the net location app: " + v14);
676 }
677 }
678 else {
679 v0.mAppPowerSave.handleHighPowerApp(v14, v12, v10, arg19);
680 }
681 }
682 }
27 public int startActAnalyzer() {
// isCtrlScope by false, be getOptimizeType = 0, And we demo app The Settings for 1,isCtrlScope by true
// isPrivilegeUserApp demo app Nor is it a dead application
// isImportantDefaultApp demo app Nor is it an important process
// isClockApp demo app Nor is it an alarm clock application
28 if (!isCtrlScope() || isPrivilegeUserApp() || isImportantDefaultApp() || isClockApp()) {
29 return 0;
30 }
31 int optimizeType = this.mIAppManager.getOptimizeType(this.mPkg);
32 if (optimizeType == 2) { // Intelligent automatic management
33 int i = this.mPowerLevel;
34 if ((i == 2 || i == 3) && NET_LOCATION_APPS_BLACK_LIST.contains(this.mPkg)) {
35 return 1;
36 }
37 return -1;
38 } else if (optimizeType != 3) { // Self starting is not allowed + Association start is not allowed + Background startup is not allowed
39 return -1;
40 } else {
41 int i2 = this.mPowerLevel;
42 if (i2 == 2 || i2 == 3) {
43 return 1;
44 }
45 return -1;
46 }
47 }
48 }
=================================================================================
1152 public boolean isCtrlScope(String str) {
1153 return getOptimizeType(str) != 0;
1154 }
1115 public int getOptimizeType(String str) {
1116 if (this.mSmartOptimizeApps.contains(str)) {
1117 return 2;
1118 }
1119 if (this.mAlwaysOptimizeApps.contains(str)) {
1120 return 3;
1121 }
1122 if (this.mNeverOptimizeApps.contains(str)) {
1123 return 1;
1124 }
1125 if ((!mHasThreeOptimize && DEBUG_USB) || mFeedbacKillSystemApps.contains(str) || this.mOutScopeCtrlApps.contains(str)) {
1126 return 2;
1127 }
1128 if (!this.mAppManager.asSmartOptimizeApp(str) || this.mSmartOptimizeHideApps.contains(str)) {
1129 return 0;
1130 }
1131 this.mOutScopeCtrlApps.add(str);
1132 Log.i("ApplistMgr", str + " as smart opt...");
1133 return 2;
1134 }
[email protected]:~$ adb shell dumpsys powergenius -a|grep "com.sufadi.blocaknetlocation"
mNeverOptimizeApps: [com.huawei.localBackup, com.huawei.appmarket, com.tencent.mm, com.sufadi.blockgps, com.sufadi.blocaknetlocation, com.unionpay, com.sufadi.blockalarm, com.huawei.hwid]
862 private void loadSmartOptHideAppsNew() {
863 List<String> appOptimizeType = AppAwareAdapter.getAppOptimizeType(new int[]{1, -1, -1, -1}, (int[]) null, new int[]{0, -1, -1, -1});
864 if (appOptimizeType != null) {
865 this.mSmartOptimizeHideApps.addAll(appOptimizeType);
866 Log.i("ApplistMgr", "mSmartOptimizeHideApps: " + this.mSmartOptimizeHideApps);
867 }
868 }
863 public boolean asSmartOptimizeApp(String str) {
864 String str2;
865 List users = this.mUserManager.getUsers();
866 if (users == null) {
867 Log.w(TAG, "users is null.");
868 return false;
869 }
870 ApplicationInfo applicationInfo = null;
871 Iterator it = users.iterator();
872 while (true) {
873 if (!it.hasNext()) {
874 break;
875 }
876 try {
877 applicationInfo = this.mPM.getApplicationInfoAsUser(str, 0, ((UserInfo) it.next()).id);
878 break;
879 } catch (PackageManager.NameNotFoundException unused) {
880 } catch (RuntimeException e) {
881 Log.e(TAG, "RuntimeException: ", e);
882 } catch (Exception e2) {
883 Log.e(TAG, "Exception: ", e2);
884 }
885 }
886 if (!isSystemApp(applicationInfo)) {
887 return true;
888 }
// Third party application directories that can be deleted
889 if (applicationInfo == null || (str2 = applicationInfo.sourceDir) == null || !str2.contains("/system/delapp")) {
890 return false;
891 }
892 return true;
893 }
=================================================================================
154 private static final ArrayList<String> mPrivilegeUserApps = new ArrayList<String>() {
155 {
156 add("com.whatsapp");
157 add("com.facebook.katana");
158 add("com.facebook.orca");
159 add("com.tencent.mm");
160 add("jp.netstar.familysmile");
161 add("com.nttdocomo.android.gesturecontrol");
162 add("jp.softbank.mb.parentalcontrols");
163 }
164 };
=================================================================================
133 public boolean isImportantDefaultApp() {
134 String stringForUser;
135 String defaultLauncher = this.mIAppType.getDefaultLauncher();
136 if (defaultLauncher != null && defaultLauncher.equals(this.mPkg)) {
137 return true;
138 }
139 String usingLauncher = this.mIAppType.getUsingLauncher();
140 if (usingLauncher != null && usingLauncher.equals(this.mPkg)) {
141 return true;
142 }
143 String curLiveWallpaper = this.mIAppType.getCurLiveWallpaper();
144 if (curLiveWallpaper != null && curLiveWallpaper.equals(this.mPkg)) {
145 return true;
146 }
147 String defaultInputMethod = this.mIAppType.getDefaultInputMethod();
148 if (defaultInputMethod != null && defaultInputMethod.equals(this.mPkg)) {
149 return true;
150 }
151 String defaultSmsApplication = this.mIAppType.getDefaultSmsApplication();
152 if (defaultSmsApplication != null && defaultSmsApplication.equals(this.mPkg)) {
153 return true;
154 }
155 int curUserId = this.mIAppManager.getCurUserId();
156 if (curUserId == 0 || (stringForUser = Settings.Secure.getStringForUser(this.mContext.getContentResolver(), "sms_default_application", curUserId)) == null || !stringForUser.equals(this.mPkg)) {
157 return false;
158 }
159 return true;
160 }
426 public static String getDefaultSmsApplication(Context context) {
427 try {
428 ComponentName component = (ComponentName) ReflectUtils.invokeMethod("getDefaultSmsApplication", "com.android.internal.telephony.SmsApplication", new Object[]{context, Boolean.valueOf(false)});
429 if (component == null) {
430 return null;
431 }
432 String defaultSmsPackage = component.getPackageName();
433 Log.i("CommonAdapter", "defaultSmsApplication: " + defaultSmsPackage);
434 return defaultSmsPackage;
435 } catch (Exception e) {
436 Log.w("CommonAdapter", "no method getDefaultSmsApplication");
437 return null;
438 }
439 }
adb shell settings get secure sms_default_application
com.android.mms
adb shell pm list users Users
Users:
UserInfo{0:+86 132 6685 2358:13} running
2022-06-08 11:36:54.276 2494-3513/? I/SmsApplication: updatedNeeded = false for userId = 0
2022-06-08 11:36:54.283 2494-3513/? I/CommonAdapter: defaultSmsApplication: com.android.mms
2022-06-08 11:36:54.284 2494-3513/? I/APwActAnalysis: can not process the net location app: com.game.map.email.alarm.network
=================================================================================
162 /* access modifiers changed from: protected */
163 public boolean isClockApp() {
164 if ("com.android.deskclock".equals(this.mPkg) || "com.huawei.deskclock".equals(this.mPkg) || "com.huawei.calendar".equals(this.mPkg) || "com.android.calendar".equals(this.mPkg)) {
165 return true;
166 }
167 ArrayList<String> appsByType = this.mIAppType.getAppsByType(10);
168 if (appsByType == null || appsByType.size() <= 0 || !appsByType.contains(this.mPkg)) {
169 return false;
170 }
171 return true;
172 }
2022-06-08 11:42:54.943 2494-3513/? I/APwActAnalysis: can not process the net location app: com.game.map.email.alarm.network
APwActAnalysis|com.sufadi.blocaknetlocation|AppPowerMonitor
边栏推荐
- canvas 高级功能(上)
- When can Flink support the SQL client mode? When can I specify the applicati for submitting tasks to yarn
- 2台电脑共享一套键盘鼠标
- AttributeError: module ‘collections‘ has no attribute ‘MutableMapping‘
- LeetCode:497. 非重叠矩形中的随机点————中等
- js基础及常考面试题之 [] == ![]结果为true, []==[]结果为false 详解
- Elastic-Job的快速入门,三分钟带你体验分布式定时任务
- 玩艺术也得学数学?
- 电子招标采购商城系统:优化传统采购业务,提速企业数字化升级
- Quick start to elastic job, three minutes to experience distributed scheduled tasks
猜你喜欢
synergy: server refused client with our name
Tutoriel Microsoft Word "5", comment changer les marges de page et créer une barre de nouvelles en word?
Canvas advanced functions (medium)
LeetCode:1037. 有效的回旋镖————简单
CET-6 - Business English - the last recitation before the test
国庆期间给大家推荐一个可能会成为2019最佳的CRUD工具
Service management and communication, basic principle analysis
Error code 1129, state HY000, host 'xxx' is blocked because of many connection errors
canvas 高级功能(上)
PDF. JS - - - - JS analyse le fichier PDF pour réaliser l'aperçu et obtenir le contenu du fichier PDF (sous forme de tableau)
随机推荐
Mixin -- mixed
国庆期间给大家推荐一个可能会成为2019最佳的CRUD工具
"Bug" problem analysisruntimeerror:which is output 0 of resubackward0
KCon 2022 议题大众评选火热进行中!不要错过“心仪”的议题哦~
C language floating point number storage form
pdf.js-----js解析pdf文件實現預覽,並獲取pdf文件中的內容(數組形式)
Microsoft Word tutorial, how to change page orientation and add borders to pages in word?
AttributeError: module ‘collections‘ has no attribute ‘MutableMapping‘
2 pcs share a set of keyboard and mouse
js基础及常考面试题之 [] == ![]结果为true, []==[]结果为false 详解
江波龙 FORESEE XP2000 PCIe 4.0 SSD 多重加密功能,锁定数据安全
Tutoriel Microsoft Word "5", comment changer les marges de page et créer une barre de nouvelles en word?
Cloud native community boss blog
AttributeError: module ‘collections‘ has no attribute ‘MutableMapping‘
MySQL Basics
在阿里云国际上使用 OSS 和 CDN 部署静态网站
canvas 高级功能(中)
力扣1082,1084题解_sql查询类型的题目
How to realize face verification quickly and accurately?
You have to learn math to play art?