Android application security analysis

Application name: OKEx (OKEx-android.apk)

Package name: com.okinc.okex

MD5: 1ffbd328d13e91b661592cdf58516bd2

Version: 1.7.8

Packer/hardening: none

Certificate details:

所有者: CN=OK inc., OU=OK inc., O=OK inc., L=Beijing, ST=Beijing, C=CN
发布者: CN=OK inc., OU=OK inc., O=OK inc., L=Beijing, ST=Beijing, C=CN
序列号: 3bd2d760
有效期开始日期: Tue Dec 20 15:39:29 CST 2016, 截止日期: Thu Nov 26 15:39:29 CST 2116
证书指纹:
MD5: C6:96:EB:AA:58:BA:B0:A1:EB:E8:B3:D2:65:D0:89:28
SHA1: 46:17:0C:99:DC:92:90:BA:D5:F3:CD:F6:C1:30:D8:42:5D:93:6D:77
SHA256: 77:B9:67:49:D8:F5:A4:F0:79:AB:17:36:18:4A:1B:D2:87:0D:02:CA:14:CD:1C:A9:FF:BD:A8:1A:CB:65:10:E9
签名算法名称: SHA256withRSA
版本: 3

扩展:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 47 E8 D6 8A 5C E3 77 F8 1F 28 49 7D C6 BF 9F 36 G....w..(I....6
0010: DE 2D 41 1D .-A.
]
]

The certificate details above are the output of:

     keytool -printcert -file /Users/liuhailong/Desktop/OKEx-android/META-INF/CERT.RSA

receiver

com.taobao.accs.ServiceReceiver

com.taobao.accs.EventReceiver

com.taobao.agoo.AgooCommondReceiver

com.umeng.message.NotificationProxyBroadcastReceiver

com.just.library.RealDownLoader$NotificationBroadcastReceiver

com.alibaba.sdk.android.feedback.impl.NetworkChangeReceiver

provider

cn.udesk.provider.UdeskFileProvider

com.umeng.message.provider.MessageProvider

com.tencent.bugly.beta.utils.BuglyFileProvider

com.just.library.AgentWebFileProvider

service

com.umeng.message.UmengMessageIntentReceiverService

com.taobao.accs.ChannelService

com.umeng.message.UmengIntentService

com.umeng.message.XiaomiIntentService

com.taobao.accs.data.MsgDistributeService

org.android.agoo.accs.AgooService

com.tencent.tinker.lib.service.TinkerPatchService$InnerService

com.taobao.accs.ChannelService$KernelService

com.taobao.accs.internal.AccsJobService

com.tencent.bugly.beta.tinker.TinkerResultService

com.alibaba.mtl.appmonitor.AppMonitorService

com.tencent.tinker.lib.service.DefaultTinkerResultService

com.umeng.message.UmengMessageCallbackHandlerService

com.tencent.tinker.lib.service.TinkerPatchService

com.umeng.message.UmengDownloadResourceService

activity

com.lanmang.sharelib.wxapi.WXEntryActivity

com.mob.tools.MobUIShell

com.okinc.okex.ui.WelcomeActivity

com.okinc.okex.ui.SchemeActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_09

com.okinc.okex.ui.mine.futures.FuturesBillEntrustActivity

com.okinc.okex.ui.futures.menu.FuturesTransactionsActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_08

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_01

com.okinc.okex.ui.mine.rate.ExchangeRateActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_03

com.okinc.okex.ui.mine.login.forgetpwd.ForgetPwdActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_05

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_04

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_07

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_06

com.okinc.okex.ui.futures.menu.FuturesSettingsActivity

com.okinc.okex.ui.mine.security.TradePwdActivity

com.okinc.okex.ui.otc.b2c.customer.order.proof.OtcOrderProofUploadActivity

com.okinc.okex.ui.mine.asset.ResultActivity

com.okinc.okex.ui.mine.asset.AssetsActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_00_T

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_00

com.okinc.okex.ui.otc.b2c.customer.order.detail.OtcOrderDetailActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_00_T

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_02_T

com.okinc.okex.ui.futures.menu.FuturesOrderHistoryActivity

pub.devrel.easypermissions.AppSettingsDialogHolderActivity

com.okinc.okex.ui.mine.about.JoinGroupActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_09

com.okinc.okex.ui.kyc.record.RecordActivity

com.okinc.okex.ui.mine.spot.SpotBillEntrustActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_02

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_03

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_00

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_01

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_06

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_07

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_04

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_05

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_08

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_09

com.okinc.okex.ui.mine.asset.SpotAssetsActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_05

com.okinc.okex.ui.futures.menu.liquidation.LiquidationActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_07

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_00

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_01

com.okinc.okex.ui.mine.rate.RateActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_03

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_04

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_02_T

com.okinc.okex.ui.otc.b2c.customer.order.OtcOrderActivity

com.okinc.okex.ui.mine.SpotHistoryActivity

com.okinc.okex.ui.mine.address.AddressManageActivity

cn.udesk.activity.UdeskHelperActivity

com.okinc.okex.ui.home.base.HomeActionActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_05

com.okinc.okex.ui.mine.AccountSelectActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_07

com.okinc.okex.ui.spot.orderhistory.OrderHistoryActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_01

cn.udesk.activity.UdeskOptionsAgentGroupActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_03

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_02

com.okinc.okex.ui.mine.address.AddressAddActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_08

com.okinc.okex.ui.kyc.senior.SeniorActivity

com.okinc.okex.ui.market.remind.PriceRemindSetActivity

com.okinc.okex.ui.market.kline.ui.ChartActivity

com.okinc.okex.ui.mine.spot.MarginLoanActivity

com.okinc.okex.ui.otc.c2c.trade.publish.C2CTradePlaceOrderActivity

com.okinc.okex.ui.otc.b2c.customer.order.proof.OtcOrderProofActivity

com.okinc.okex.ui.kyc.normal.NormalCertificationActivity

com.okinc.okex.ui.futures.menu.FuturesSelectActivity

com.okinc.okex.ui.otc.b2c.OtcActivity

com.okinc.okex.ui.mine.security.BindPhoneActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_01_T

com.okinc.okex.ui.mine.asset.AssetsTransferActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_01_T

com.okinc.okex.ui.mine.delivery.DeliveryHistoryActivity

com.okinc.okex.ui.mine.asset.TransferActivity

cn.udesk.activity.UdeskFormActivity

com.okinc.okex.ui.mine.asset.RechargeHisActivity

com.okinc.okex.ui.mine.setting.SystemSettingActivity

com.okinc.okex.ui.otc.OtcLegalListActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_00_T

cn.udesk.activity.UdeskSurvyDialogActivity

com.okinc.okex.ui.mine.asset.OtcAssetsActivity

cn.udesk.activity.UdeskHelperArticleActivity

com.okinc.okex.ui.otc.c2c.C2CActivity

com.okinc.okex.ui.otc.b2c.customer.account.PaySettingsActivity

com.okinc.okex.ui.mine.asset.LeverageAssetsActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_09

com.okinc.okex.ui.kyc.record.upload.UploadListActivity

com.okinc.okex.ui.otc.c2c.trade.publish.C2CTradePublishActivity

cn.udesk.activity.UdeskChatActivity

com.okinc.okex.ui.otc.b2c.customer.account.PaymentSettingsActivity

com.okinc.okex.ui.mine.gesture.GestureSetActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_02_T

com.okinc.okex.ui.futures.select.CoinSelectActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_01_T

com.okinc.okex.ui.otc.b2c.vendor.data.setting.OtcCollectionSettingActivity

com.okinc.okex.ui.kyc.KycActivity

com.okinc.okex.ui.otc.c2c.trade.receivingtime.OrderReceivingTimeActivity

com.okinc.okex.ui.mine.rate.ExchangeRateHisActivity

com.okinc.okex.ui.mine.feerate.FeeRateActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_02

com.okinc.okex.ui.mine.asset.RechargeActivity

com.okinc.okex.ui.otc.b2c.customer.account.AddBankCardActivity

cn.udesk.activity.UdeskZoomImageActivty

com.okinc.okex.ui.mine.login.RegisterActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_02_T

com.okinc.okex.ui.futures.menu.FuturesOverviewActivity

com.okinc.okex.ui.otc.c2c.order.detail.C2COrderDetailActivity

com.tencent.bugly.beta.ui.BetaActivity

com.okinc.okex.ui.spot.TestActivity

com.okinc.okex.ui.DebugActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_04

com.okinc.okex.ui.mine.MineActivity

com.okinc.okex.ui.MainActivity

com.okinc.okex.ui.mine.security.SecurityActivity

com.okinc.okex.ui.otc.b2c.customer.account.OtcTransferActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_06

com.okinc.okex.ui.mine.SpotOrderFullActivity

com.alibaba.sdk.android.feedback.windvane.CustomHybirdActivity

com.just.library.ActionActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$STDStub_00

com.tencent.tinker.loader.hotplug.ActivityStubs$SIStub_02

com.okinc.okex.ui.otc.c2c.order.C2COrderProofUploadActivity

com.okinc.okex.ui.futures.menu.FuturesSelectAccountModeActivity

com.okinc.okex.ui.WebActivity

com.okinc.okex.ui.mine.asset.WithdrawHisActivity

com.okinc.okex.ui.search.SearchActivity

com.okinc.okex.ui.mine.asset.LeverageHistoryActivity

cn.udesk.activity.UdeskWebViewUrlAcivity

com.okinc.okex.ui.market.remind.PriceRemindV2Activity

com.okinc.okex.ui.market.remind.PriceRemindActivity

com.okinc.okex.ui.mine.gesture.GestureVerifyActivity

com.okinc.okex.ui.mine.login.LoginActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_01_T

com.okinc.okex.ui.futures.menu.FuturesLeverRateSelectActivity

com.okinc.okex.ui.mine.security.BindEmailActivity

com.okinc.okex.ui.mine.asset.WithdrawActivity

com.okinc.okex.ui.mine.about.AboutActivity

com.okinc.okex.ui.spot.margin.OpenMarginActivity

cn.udesk.activity.UdeskRobotActivity

com.alibaba.sdk.android.feedback.impl.ErrorPageActivity

com.okinc.okex.ui.otc.b2c.vendor.data.setting.OtcFundsSettingActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTKStub_06

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_08

com.okinc.okex.ui.mine.statement.AccountStatementActivity

com.okinc.okex.ui.futures.menu.calculator.FuturesCalculatorActivity

com.okinc.okex.ui.otc.b2c.vendor.data.setting.OtcDealSettingActivity

com.tencent.tinker.loader.hotplug.ActivityStubs$SGTStub_00_T

All permissions
The app requests the following sensitive permissions:

android.permission.READ_PHONE_STATE        read phone state and device identifiers
android.permission.READ_LOGS               read sensitive system log data
android.permission.CALL_PHONE              place phone calls directly
android.permission.CAMERA                  access the camera to take pictures
android.permission.RECORD_AUDIO            record audio
android.permission.GET_TASKS               enumerate running applications
android.permission.RECEIVE_BOOT_COMPLETED  start automatically at boot
android.permission.BLUETOOTH               connect to paired Bluetooth devices
android.permission.ACCESS_FINE_LOCATION    access precise location
android.permission.ACCESS_COARSE_LOCATION  access approximate location
android.permission.GET_ACCOUNTS            access the list of accounts on the device (e.g. Gmail)

Vulnerabilities found

WebView remote code execution
Details:
The following dangerous APIs expose Java objects to page JavaScript through the WebView, which may allow arbitrary command execution:
com/alibaba/sdk/android/feedback/xblink/webview/XBHybridWebView addJavascriptInterface(Object paramObject, String paramString) | super.addJavascriptInterface(paramObject, paramString);

com/just/library/AgentWebView void addJavascriptInterface(Object paramObject, String paramString) | super.addJavascriptInterface(paramObject, paramString);

Remediation:
Avoid exporting Java classes and methods through addJavascriptInterface, and restrict the domains the WebView is allowed to load.

HTTPS sensitive-data hijacking
Details:
The following APIs misuse HTTPS-related functions, which can defeat transport encryption and leak sensitive data:
anet/channel/util/b/b/a.java void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)

anet/channel/util/b/a boolean verify(String paramString, SSLSession paramSSLSession)

Remediation:
Custom X509TrustManager implementations should validate the certificate chain strictly; when calling setHostnameVerifier, use a strict verifier such as STRICT_HOSTNAME_VERIFIER.
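The following is an added illustration, not code from the OKEx app or the anet library: the empty checkServerTrusted / accept-all verifier pattern the scanner flags, beside a hardened version that delegates chain validation to the platform trust store and keeps the default host-name check (class and method names are the example's own).

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrust {
    // The pattern the scanner flags: every chain is accepted and every host name "matches",
    // so a man-in-the-middle presenting any certificate is accepted. Shown only for contrast.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier VERIFY_ALL = (host, session) -> true;

    // Hardened: obtain the platform's X509TrustManager, which validates the chain against
    // the device CA store, instead of writing an empty checkServerTrusted.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("platform provides no X509TrustManager");
    }

    // Opens a connection that keeps chain validation and the default (strict) host-name check.
    static HttpsURLConnection openStrict(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Never replace this with VERIFY_ALL: the default verifier matches the certificate's
        // subject alternative names against the URL host.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}
```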
Local denial of service in system components
Details:
The following component is vulnerable to a local denial of service:
com.okinc.okex.ui.WelcomeActivity
Proof-of-concept snippet:
    Intent intent = new Intent();
    intent.setComponent(new ComponentName("com.okinc.okex", "com.okinc.okex.ui.WelcomeActivity"));
    intent.putExtra("anykey", new AnySerializableClass());
    startActivity(intent);

Remediation:
Registered components must validate their input strictly, checking for null values and unsafe type casts, so that malformed input cannot crash the app.

Security risks

WebView file access enabled
Description:
The WebView calls setAllowFileAccess(true), so the app can reach files in its private directory through the WebView. On Android, mWebView.setAllowFileAccess(true) is the default. With file access enabled, arbitrary JavaScript can run in the file:// origin, and if the same-origin policy is bypassed, private-directory files can be read, leaking user data.
Location:
Class com/okinc/okex/ui/WebActivity, method m()

Location:
Class com/just/library/WebDefaultSettingsManager, method settings()
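As an added example (not the app's WebActivity or the AgentWeb library's settings code), one way to apply both the WebView remediations on this page: close the file:// origin that this finding reports and enforce the domain control recommended for the addJavascriptInterface finding. The allowlisted host is a constructed placeholder, and the WebResourceRequest overload assumes API level 24 or later.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Constructed allowlist; the app's real domains are not on the page.
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList("www.example.com"));

    /** True only for https URLs whose host is on the allowlist. */
    static boolean isAllowed(Uri uri) {
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        // Close the file:// origin the scanner flagged (setAllowFileAccess(true) is the default).
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);
        // Remove the bridges some Android versions inject on their own; add none of your own.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");
        // Domain control: cancel navigation to anything outside the allowlist,
        // which also stops intent: and other non-https schemes.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true = cancel the navigation
            }
        });
    }

    /** Loads a URL only if it passes the same allowlist check. */
    static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowed(Uri.parse(url))) return false;
        webView.loadUrl(url);
        return true;
    }
}
```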

SSL client trusts any server certificate
Description:
A custom SSL X509TrustManager overrides checkServerTrusted without performing any validation of the server certificate. An attacker can perform a man-in-the-middle attack and read the encrypted traffic.
Location:
anet/channel/util/b/b/a, method checkServerTrusted()

Dynamically registered broadcast receivers
Description:
Receivers registered with registerReceiver are exported by default for the lifetime of the component. Exported receivers can lead to denial of service, data leakage or unauthorized invocation.
Location:
Class                          Method
anet/channel/status/b          a()
com/bumptech/glide/manager/e   a()

Intent Scheme URL attack
Description:
Once a scheme is declared in AndroidManifest.xml, the corresponding Activity can be opened from the browser. An attacker can craft an intent: URL in the browser to invoke the app's components, which at best causes a denial of service and at worst escalates into a privilege escalation vulnerability.
Location:
com/just/library/DefaultWebClient handleIntentUrl()

Implicit intent invocation
Description:
Intents are built implicitly, setting only an action without a specific receiving component, so any app can receive the Intent and read its data. Implicit intents can be hijacked by third parties, leaking internal private data.
Location:
cn/sharesdk/sina/weibo/a c()

com/umeng/message/common/UmengMessageDeviceConfig getServiceName

cn/sharesdk/sina/weibo/a onCreate()

Unsafe zip extraction (ZipperDown)
Description:
When extracting zip files, the entry name returned by getName() is used without validation. An attacker can craft a malicious zip whose entries traverse directories and are extracted outside the target directory, overwriting files and leading to arbitrary code execution.
Location:
com/tencent/tinker/lib/patch/DexDiffPatchInternal patchDexFile()

org/android/spdy/SoInstallMgrSdk unZipSelectedFiles()

com/alibaba/wireless/security/framework/b h()
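An added example, not the Tinker, spdy or Alibaba code referenced above: a zip extraction routine that adds the check the finding reports as missing, rejecting any entry whose getName() resolves outside the destination directory before anything is written (class and method names are the example's own).

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {
    /**
     * Resolves an entry name under destDir and throws if the canonical result escapes it.
     * Canonical paths collapse "..", symlinks and duplicate separators, so a name such as
     * "../../lib/libfoo.so" is rejected before any file is created.
     */
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File out = new File(destDir, entryName);
        String destPath = destDir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(destPath)) {
            throw new IOException("zip entry outside of target directory: " + entryName);
        }
        return out;
    }

    /** Extracts every entry of the stream into destDir, validating each name first. */
    static void unzip(InputStream zipStream, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File out = resolveEntry(destDir, entry.getName()); // the missing check
                if (entry.isDirectory()) {
                    out.mkdirs();
                    continue;
                }
                File parent = out.getParentFile();
                if (parent != null) parent.mkdirs();
                try (OutputStream os = new FileOutputStream(out)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = zis.read(buf)) > 0) os.write(buf, 0, n);
                }
                zis.closeEntry();
            }
        }
    }
}
```

A patch or plugin archive that fails resolveEntry should be discarded and logged rather than partially applied, since a single traversing entry indicates a tampered download.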

Native (.so) libraries

libsgmain.so (actually an APK)
Extract it with unzip.

Unpacked .so files:
libBugly.so
    the shared library contains the command-execution function execl

libcocklogic-1.1.3.so
    contains popen

libgifimage.so
libimagepipeline.so
libtnet-3.1.11.so

Analysis of the embedded APK (libsgmain.so):
Application name: MainPlugin

Package name: com.alibaba.wireless.security.mainplugin

MD5: 0af0264e5bc6c858f491644a8207ea31

Version: 5.1.96

Packer/hardening: none
Certificate details:
所有者: CN=Alibaba, OU=Alibaba, O=WirelessSecurity, L=HangZhou, ST=ZheJiang, C=CN
发布者: CN=Alibaba, OU=Alibaba, O=WirelessSecurity, L=HangZhou, ST=ZheJiang, C=CN
序列号: 360b09ce
有效期开始日期: Tue Dec 22 15:28:26 CST 2015, 截止日期: Wed Sep 24 15:28:26 CST 2070
证书指纹:
MD5: 18:D1:9F:89:7E:B3:00:FD:24:C7:60:82:43:9F:75:32
SHA1: 09:6E:E5:04:E8:86:25:18:BE:2A:16:6C:93:F9:D7:9E:F3:95:36:65
SHA256: A3:3C:43:56:99:EC:C2:29:AE:BB:7C:24:1A:FA:84:4D:67:39:05:A2:9A:57:ED:46:D2:CF:A5:93:E4:8B:97:99
签名算法名称: SHA256withRSA
版本: 3

扩展:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EE 9D 52 04 DC 77 27 8A D0 84 39 98 7F 59 05 7F ..R..w'...9..Y..
0010: 6C B7 AB A2 l...
]
]

Reposted from: https://blog.51cto.com/haidragon/2157824
