Android5.1.1 - APK签名校验分析和修改源码绕过签名校验

为什么80%的码农都做不了架构师?>>>   hot3.png

Android5.1.1 - APK签名校验分析和修改源码绕过签名校验

@(Android研究)[APK签名校验|绕过签名校验]

不歪博客:http://my.oschina.net/ibuwai/blog

本文公开首发于阿里聚安全博客:https://jaq.alibaba.com/community/index.htm?spm=0.0.0.0.ycEUXK

APK签名校验分析

找到PackageParser类,该类在文件"frameworks/base/core/java/android/content/pm/PackageParser.java"中。PackageParser类的collectCertificates方法会对APK进行签名校验,在该方法会遍历APK中的所有文件,并对每个文件进行校验。下面是该方法的部分源码:

private static void collectCertificates(Package pkg, File apkFile, int flags)
        throws PackageParserException {
    final String apkPath = apkFile.getAbsolutePath();

    StrictJarFile jarFile = null;
    try {
        jarFile = new StrictJarFile(apkPath);

        ......

        // Verify that entries are signed consistently with the first entry
        // we encountered. Note that for splits, certificates may have
        // already been populated during an earlier parse of a base APK.
        for (ZipEntry entry : toVerify) {
            final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
            if (ArrayUtils.isEmpty(entryCerts)) {
                throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
                    "Package " + apkPath + " has no certificates at entry "
                    + entry.getName());
            }
            
            ......
        }
    }
    ......
}

APK是一个ZIP格式的文件所以使用ZIP相关的类进行读写。上面代码中调用了loadCertificates方法,这个方法返回一个二维数组,如果APK中的文件签名校验失败那么loadCertificates方法会返回一个空数组(可能是null,可能是数组长度为0),按照上面代码的逻辑如果数组为空则会抛出异常。

loadCertificates方法的代码见下:

private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)
        throws PackageParserException {
    InputStream is = null;
    try {
        // We must read the stream for the JarEntry to retrieve
        // its certificates.
        is = jarFile.getInputStream(entry);
        readFullyIgnoringContents(is);
        return jarFile.getCertificateChains(entry);
    } catch (IOException | RuntimeException e) {
        throw new PackageParserException(INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION,
            "Failed reading " + entry.getName() + " in " + jarFile, e);
    } finally {
        IoUtils.closeQuietly(is);
    }
}

上面代码中is是JarFile.JarFileInputStream类的对象。loadCertificates方法中调用了readFullyIgnoringContents方法,在readFullyIgnoringContents方法中会调用JarFile.JarFileInputStream.read方法读取APK中一项的数据,在read方法中会校验读取到的数据项的签名,如果签名校验失败,则会抛出SecurityException类型的异常,即签名校验失败。

JarFile类在"libcore/luni/src/main/java/java/util/jar/JarFile.java"文件中。

上面代码中调用了StrictJarFile.getCertificateChains方法,下面是它的代码:

public Certificate[][] getCertificateChains(ZipEntry ze) {
    if (isSigned) {
        return verifier.getCertificateChains(ze.getName());
    }

    return null;
}

StrictJarFile类在文件"libcore/luni/src/main/java/java/util/jar/StrictJarFile.java"中。

上面代码中isSigned的值是这么来的:

public StrictJarFile(String fileName) throws IOException {
    this.nativeHandle = nativeOpenJarFile(fileName);
    this.raf = new RandomAccessFile(fileName, "r");

    try {
        ......
        this.verifier = new JarVerifier(fileName, manifest, metaEntries);

        isSigned = verifier.readCertificates() && verifier.isSignedJar();
    } catch (IOException ioe) {
        nativeClose(this.nativeHandle);
        throw ioe;
    }

    guard.open("close");
}

当证书读取成功,并且当前APK经过了签名,则isSigned为true。

回到StrictJarFile.getCertificateChains方法中,当isSigned为true时会调用JarVerifier.getCertificateChains方法,下面是它的代码:

Certificate[][] getCertificateChains(String name) {
    return verifiedEntries.get(name);
}

下面是类成员变量verifiedEntries的声明:

private final Hashtable verifiedEntries =
        new Hashtable();

verifiedEntries是一个键值对,键是APK中经过了签名的文件名,如:classes.dex文件,值是证书数组。如果向已经签过名的APK中新添加一个文件然后安装这个APK,当程序逻辑执行到JarVerifier.getCertificateChains方法中时,在verifiedEntries变量中无法找到新添加的文件名(因为这个新文件是在APK签名之后添加),那么JarVerifier.getCertificateChains方法将返回null。

绕过签名校验

源码修改点一

找到PackageParser.loadCertificates方法,下面是部分源码:

private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)
        throws PackageParserException {
    ......
    try {
        ......
    } catch (IOException | RuntimeException e) {
        throw new PackageParserException(INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION,
            "Failed reading " + entry.getName() + " in " + jarFile, e);
        }
    } finally {
        IoUtils.closeQuietly(is);
    }
}

将上面代码catch块中的throw语句替换为:return null;

下面是修改后的代码:

private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)
        throws PackageParserException {
    InputStream is = null;
    try {
        ......
    } catch (IOException | RuntimeException e) {
        return null;
    } finally {
        IoUtils.closeQuietly(is);
    }
}

代码修改完后,当APK中文件签名校验失败时不会抛出异常,APK还会继续安装。

源码修改点二

找到PackageParser.collectCertificates方法,找到代码中调用loadCertificates方法的地方:

private static void collectCertificates(Package pkg, File apkFile, int flags)
        throws PackageParserException {
    ......
    try {
        ......

        for (ZipEntry entry : toVerify) {
            final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
            if (ArrayUtils.isEmpty(entryCerts)) {
                throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
                    "Package " + apkPath + " has no certificates at entry "
                    + entry.getName());
            }
            ......
        }
    }......
}    

将上面的throw语句替换为:continue;

修改后的代码:

private static void collectCertificates(Package pkg, File apkFile, int flags)
        throws PackageParserException {
    ......
    try {
        ......

        for (ZipEntry entry : toVerify) {
            final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
            if (ArrayUtils.isEmpty(entryCerts)) {
                continue;
            }
            ......
        }
    }......
}    

代码修改完后,当遇到APK中没有经过签名的文件时不会抛出异常,APK还会继续安装。

转载于:https://my.oschina.net/ibuwai/blog/717962

你可能感兴趣的:(Android5.1.1 - APK签名校验分析和修改源码绕过签名校验)