【干货】Android系统定制基础篇:第十七部分(仅允许安装指定签名APK、U盘APP无法访问到U盘中音频文件)
一、Android仅允许安装指定签名APK
仅允许安装特定签名 APK,其它签名 APK 禁止安装。
修改
PackageManagerService 中安装 APK 时获取待安装 APK 签名信息,对比签名是否匹配,匹配安装,不匹配返回。
shenhb@dqrd01:~/code/rk3288$ git show 814c25ddd422f8f44a3de9451ef25e296a298ea0
commit 814c25ddd422f8f44a3de9451ef25e296a298ea0
Author: shenhb <shenhb@topband.com.cn>
Date: Thu Feb 20 11:31:19 2020 +0800
仅允许安装指定签名apk,通过属性ro.signature配置签名sha1值
diff --git a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java b/frameworks/base
index b7171ba..414a064 100755
--- a/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -355,6 +355,7 @@ import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.zip.GZIPInputStream;
+import java.util.Locale;
/**
* Keep track of all those APKs everywhere.
@@ -18605,6 +18606,37 @@ public class PackageManagerService extends IPackageManager.Stub
Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);
}
+ // Add by [email protected], for only allow the specified signature apk.
+ private static String getFingerprint(Signature signature, String hashAlgorithm) {
+ if (signature == null) {
+ return null;
+ }
+ try {
+ MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
+ return toHexadecimalString(digest.digest(signature.toByteArray()));
+ } catch (NoSuchAlgorithmException e) {
+ // ignore
+ }
+ return null;
+ }
+
+ private static String toHexadecimalString(byte[] value) {
+ StringBuffer sb = new StringBuffer();
+ int len = value.length;
+ for (int i = 0; i < len; i++) {
+ int num = ((int) value[i]) & 0xff;
+ if (num < 0x10) {
+ sb.append('0');
+ }
+ sb.append(Integer.toHexString(num));
+ if (i < len - 1) {
+ sb.append(':');
+ }
+ }
+ return sb.toString().toUpperCase(Locale.US);
+ }
+ // Add end
+
private void installPackageTracedLI(InstallArgs args, PackageInstalledInfo res) {
try {
Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "installPackage");
@@ -18771,6 +18803,20 @@ public class PackageManagerService extends IPackageManager.Stub
return;
}
+ // Add by [email protected], for only allow the specified signature apk.
+ String customSignature = SystemProperties.get("ro.signature", "");
+ if (!TextUtils.isEmpty(customSignature)) {
+ final Signature[] signatures = pkg.mSignatures;
+ Slog.d(TAG, "installPackageLI, Signature fingerprint "
+ + getFingerprint(signatures[0], "SHA-1"));
+ if (!getFingerprint(signatures[0], "SHA-1").equals(customSignature)) {
+ res.setError(PackageManager.INSTALL_FAILED_VERIFICATION_FAILURE,
+ "Signature verification failed");
+ return;
+ }
+ }
+ // Add end
+
// Get rid of all references to package scan path via parser.
pp = null;
String oldCodePath = null;
属性配置签名sha1
考虑到方案的通用性,因此通过属性来配置签名。属性不配置的情况下,走 Android 默认逻辑,允许安装所有 APK。属性配置后,只允许跟此签名匹配的 APK 安装。
获取签名sha1
- 解压 APK 文件,提取 META-INF/CERT.RSA(既签名文件公钥)。
- 执行下面命令得到公钥 sha1 值。
F:\download
λ keytool -printcert -file CERT.RSA
所有者: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=china
发布者: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=china
序列号: xxxxxxx
有效期开始日期: Sun Feb 11 14:38:48 CST 2018, 截止日期: Thu Feb 05 14:38:48 CST 2043
证书指纹:
MD5: 13:8A:22:DC:6E:6C:BA:27:42:8D:9F:C5:0D:D2:4E:14
SHA1: 31:4E:FC:8C:68:FA:7E:F4:14:E7:27:C3:A9:C4:9C:F1:AB:1C:64:C2
SHA256: 63:E0:0A:FF:45:7C:03:97:F5:27:64:C5:D4:DA:BD:8A:2E:63:40:E7:31:A3:C8:3D:FB:03:00:2A:9F:BE:71:EF
签名算法名称: SHA256withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C9 41 D4 8D F0 58 FF E2 EE EF 7E 5E 3B 9D DA 44 .A...X.....^;..D
0010: 40 E5 DF FC @...
]
]
配置属性
ro.signature=31:4E:FC:8C:68:FA:7E:F4:14:E7:27:C3:A9:C4:9C:F1:AB:1C:64:C2
验证结果如下,非指定签名的 APK 安装失败,提示“Signature verification failed”,指定签名的 APK 安装成功。
λ adb install 001.apk
adb: failed to install 001.apk: Failure [INSTALL_FAILED_VERIFICATION_FAILURE: Signature verification failed]
λ adb install 002.apk
Success
二、Android插入U盘APP通过MediaProvider无法访问到U盘中音频文件
1.查看MediaProvider源码:packages\providers\MediaProvider\src\com\android\providers\media\MediaScannerReceiver.java
@Override
public void onReceive(Context context, Intent intent) {
String externalStoragePath = Environment.getExternalStorageDirectory().getPath();
String action = intent.getAction();
Uri uri = intent.getData();
if (action.equals(Intent.ACTION_BOOT_COMPLETED)) {
// scan internal storage
scan(context, MediaProvider.INTERNAL_VOLUME, null);
scan(context, MediaProvider.EXTERNAL_VOLUME, "/mnt/external_sd");//scan sdcard and udisk when boot to prevent external.db is correct
scan(context, MediaProvider.EXTERNAL_VOLUME, "/mnt/usb_storage");
scan(context, MediaProvider.EXTERNAL_VOLUME, externalStoragePath);
}
else if(action.equals(Intent.ACTION_USER_SWITCHED))
{
Log.d(TAG,"----MediaScannerReceiver get ACTION_USER_SWITCHED---");
scan(context, MediaProvider.EXTERNAL_VOLUME, "/mnt/external_sd");//scan public storage to update databases
scan(context, MediaProvider.EXTERNAL_VOLUME, "/mnt/usb_storage");
scan(context, MediaProvider.EXTERNAL_VOLUME, "/mnt/internal_sd");
}
else {
if (uri.getScheme().equals("file")) {
// handle intents related to external storage
String path = uri.getPath();
//String externalStoragePath = Environment.getExternalStorageDirectory().getPath();
String legacyPath = Environment.getLegacyExternalStorageDirectory().getPath();
try {
path = new File(path).getCanonicalPath();
} catch (IOException e) {
Log.e(TAG, "couldn't canonicalize " + path);
return;
}
if (path.startsWith(legacyPath)) {
path = externalStoragePath + path.substring(legacyPath.length());
}
Log.d(TAG, "action: " + action + " path: " + path);
String packageName = intent.getStringExtra("package");
if (Intent.ACTION_MEDIA_MOUNTED.equals(action)) {
// scan whenever any volume is mounted
scan(context, MediaProvider.EXTERNAL_VOLUME, path);
} else if (Intent.ACTION_MEDIA_SCANNER_SCAN_FILE.equals(action) &&
path != null && (path.startsWith(externalStoragePath + "/") ||
"RockExplorer".equals(packageName))) {
File file = new File(path);
if(file != null && file.isDirectory()){
scan(context,MediaProvider.EXTERNAL_VOLUME, path);
}else{
scanFile(context, path);
}
}
}
}
}
2.根据源码查看插入U盘时是否有下面日志。
D/MediaScannerReceiver: action: android.intent.action.MEDIA_MOUNTED path: /mnt/usb_storage
- 如果有说明已经发现了USB设备并去扫描,接下来查看数据库,看是否扫描到文件
a. 导出数据库/data/data/com.android.providers.media/databases/external-ffffffff.db。
b. 通过Android Studio数据库插件Database Navigator查看数据库Views->audio表是否存在U盘中的音频文件名。
c. 如果不存在进入第4步。 - 数据库中没有U盘中的文件,说明未扫描到,原因很大可能是因为U盘初始化需要时间,而扫描动作又太早导致无法访问到U盘文件。
- 做如下修改验证:
diff --git a/packages/providers/MediaProvider/src/com/android/providers/media/MediaScannerReceiver.java b/packages
old mode 100644
new mode 100755
index d44501d..bc0e9df
--- a/packages/providers/MediaProvider/src/com/android/providers/media/MediaScannerReceiver.java
+++ b/packages/providers/MediaProvider/src/com/android/providers/media/MediaScannerReceiver.java
@@ -25,16 +25,18 @@ import android.os.Bundle;
import android.os.Environment;
import android.util.Log;
import android.os.SystemProperties;
+import android.os.Handler;
import java.io.File;
import java.io.IOException;
public class MediaScannerReceiver extends BroadcastReceiver {
private final static String TAG = "MediaScannerReceiver";
+ private Handler mHandler = null;
@Override
public void onReceive(Context context, Intent intent) {
- String externalStoragePath = Environment.getExternalStorageDirectory().getPath();
+ String externalStoragePath = Environment.getExternalStorageDirectory().getPath();
String action = intent.getAction();
Uri uri = intent.getData();
if (action.equals(Intent.ACTION_BOOT_COMPLETED)) {
@@ -87,12 +89,22 @@ public class MediaScannerReceiver extends BroadcastReceiver {
}
}
- private void scan(Context context, String volume, String path) {
- Bundle args = new Bundle();
- args.putString("volume", volume);
- args.putString("path", path);
- context.startService(
- new Intent(context, MediaScannerService.class).putExtras(args));
+ private void scan(final Context context, final String volume, final String path) {
+ // Handler add by [email protected], for delayed scanning to prevent U disk files from being scanned
+ if (null == mHandler) {
+ mHandler = new Handler(context.getMainLooper());
+ }
+ mHandler.postDelayed(new Runnable() {
+ @Override
+ public void run() {
+ // Android original code
+ Bundle args = new Bundle();
+ args.putString("volume", volume);
+ args.putString("path", path);
+ context.startService(
+ new Intent(context, MediaScannerService.class).putExtras(args));
+ }
+ }, 5000);
}