Android dangerous permission detection through AAPT

1. Basic environment configuration

1. ADT environment configuration (no Java environment variables are needed here)

First, here is an old release of the ADT bundle:

Link: https://pan.baidu.com/s/1lWM0LmVYDYKxWk-LTrRlCw
Extraction code: pgzx

Then we can start to configure the environment variables for Android development

Add ANDROID_HOME=D:\path\android\adt-bundle-windows-x86_64-20131030\sdk to the system environment variables

Add to the system environment variable path:
%ANDROID_HOME%;%ANDROID_HOME%/tools;%ANDROID_HOME%/platform-tools

At this point, entering adb version in a CMD window prints:

Android Debug Bridge version 1.0.31

The environment is configured successfully.

Or you can download a separate aapt at https://androidaapt.com/.

2. Basic use of Android Asset Packaging Tool (aapt)

First, aapt is located in %ANDROID_HOME%/build-tools/android-4.4/. If you don't have android-4.4, you can install any version of the SDK through the SDK Manager.

aapt command reference: see https://androidaapt.com/command, which links to the details of each command.

Since this article only describes how to detect Android dangerous permissions through AAPT, we only need one command. Its general form is aapt dump WHAT file.{apk}, with WHAT set to permissions.

e.g.: aapt dump permissions lxsj.apk

package: com.jiayouya.travel
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: android.permission.READ_EXTERNAL_STORAGE
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.ACCESS_COARSE_LOCATION
uses-permission: android.permission.READ_PHONE_STATE
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.ACCESS_WIFI_STATE
uses-permission: android.permission.WRITE_SETTINGS
uses-permission: android.permission.VIBRATE
uses-permission: android.permission.WAKE_LOCK
uses-permission: android.permission.RECEIVE_USER_PRESENT
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
uses-permission: android.permission.BROADCAST_STICKY
uses-permission: android.permission.KILL_BACKGROUND_PROCESSES
uses-permission: android.permission.READ_LOGS
uses-permission: android.permission.BLUETOOTH
uses-permission: android.permission.BATTERY_STATS
uses-permission: com.meizu.flyme.push.permission.RECEIVE
permission: com.jiayouya.travel.push.permission.MESSAGE
uses-permission: com.jiayouya.travelpush.permission.MESSAGE
uses-permission: com.meizu.c2dm.permission.RECEIVE
permission: com.jiayouya.travel.permission.C2D_MESSAGE
uses-permission: com.jiayouya.travel.permission.C2D_MESSAGE
permission: com.jiayouya.travel.permission.MIPUSH_RECEIVE
uses-permission: com.jiayouya.travel.permission.MIPUSH_RECEIVE
uses-permission: android.permission.REQUEST_INSTALL_PACKAGES
uses-permission: android.permission.CHANGE_CONFIGURATION
uses-permission: android.permission.MODIFY_AUDIO_SETTINGS
uses-permission: android.permission.CAMERA
uses-permission: android.permission.RECORD_AUDIO
permission: com.jiayouya.travel.andpermission.bridge
uses-permission: com.jiayouya.travel.andpermission.bridge
uses-permission: android.permission.GET_TASKS
uses-permission: android.permission.READ_SETTINGS
uses-permission: android.permission.RUN_INSTRUMENTATION
uses-permission: android.permission.FLASHLIGHT

We can see that this returns all the permission declarations in AndroidManifest.xml. Here is a list of Android dangerous permissions:

BLACK_LIST = (    
    'android.permission.READ_EXTERNAL_STORAGE', 
    'android.permission.WRITE_EXTERNAL_STORAGE',    
    'android.permission.READ_CALENDAR',    
    'android.permission.WRITE_CALENDAR',    
    'android.permission.CAMERA',    
    'android.permission.READ_CONTACTS',    
    'android.permission.WRITE_CONTACTS',    
    'android.permission.GET_ACCOUNTS',    
    'android.permission.ACCESS_FINE_LOCATION', 
    'android.permission.ACCESS_COARSE_LOCATION',    
    'android.permission.RECORD_AUDIO',    
    'android.permission.READ_PHONE_STATE',    
    'android.permission.CALL_PHONE',    
    'android.permission.READ_CALL_LOG', 
    'android.permission.WRITE_CALL_LOG',   
    'com.android.voicemail.permission.ADD_VOICEMAIL',
    'android.permission.USE_SIP',
    'android.permission.PROCESS_OUTGOING_CALLS',   
    'android.permission.BODY_SENSORS',  
    'android.permission.SEND_SMS',  
    'android.permission.RECEIVE_SMS', 
    'android.permission.READ_SMS',  
    'android.permission.RECEIVE_WAP_PUSH', 
    'android.permission.RECEIVE_MMS',  
    'android.permission.READ_CELL_BROADCASTS',   
    'android.permission.WRITE_SETTINGS')

We only need to check whether each permission dumped by aapt appears in our BLACK_LIST. Here is the Python detection code:

import re
import subprocess
import os



class ApkInfo:
    def __init__(self, apk_path):
        self.apkPath = apk_path
        self.aapt_path = self.get_aapt()
        self.BLACK_LIST = (
            'android.permission.READ_EXTERNAL_STORAGE',
            'android.permission.WRITE_EXTERNAL_STORAGE',
            'android.permission.READ_CALENDAR',
            'android.permission.WRITE_CALENDAR',
            'android.permission.CAMERA',
            'android.permission.READ_CONTACTS',
            'android.permission.WRITE_CONTACTS',
            'android.permission.GET_ACCOUNTS',
            'android.permission.ACCESS_FINE_LOCATION',
            'android.permission.ACCESS_COARSE_LOCATION',
            'android.permission.RECORD_AUDIO',
            'android.permission.READ_PHONE_STATE',
            'android.permission.CALL_PHONE',
            'android.permission.READ_CALL_LOG',
            'android.permission.WRITE_CALL_LOG',
            'com.android.voicemail.permission.ADD_VOICEMAIL',
            'android.permission.USE_SIP',
            'android.permission.PROCESS_OUTGOING_CALLS',
            'android.permission.BODY_SENSORS',
            'android.permission.SEND_SMS',
            'android.permission.RECEIVE_SMS',
            'android.permission.READ_SMS',
            'android.permission.RECEIVE_WAP_PUSH',
            'android.permission.RECEIVE_MMS',
            'android.permission.READ_CELL_BROADCASTS',
            'android.permission.WRITE_SETTINGS'
        )
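
    @staticmethod
    def get_aapt():
        # Locate aapt.exe under %ANDROID_HOME%/build-tools; fail loudly instead of
        # returning an error string that would later be executed as a command.
        if "ANDROID_HOME" not in os.environ:
            raise EnvironmentError("ANDROID_HOME not exist")
        root_dir = os.path.join(os.environ["ANDROID_HOME"], "build-tools")
        for path, subdir, files in os.walk(root_dir):
            if "aapt.exe" in files:
                return os.path.join(path, "aapt.exe")
        raise FileNotFoundError("aapt.exe not found under " + root_dir)

    def get_apk_permission(self):
        # Pass the arguments as a list without shell=True, so characters in the
        # APK path (spaces, &, |) are never interpreted by the shell.
        p = subprocess.Popen([self.aapt_path, "dump", "permissions", self.apkPath],
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE,
                             stdin=subprocess.PIPE)
        (output, err) = p.communicate()
        output = output.decode(errors="replace")
        print(output)
        # Accept both "permission: X" (older aapt, as shown above) and
        # "permission: name='X'" (newer aapt).
        match = re.compile(r"permission: (?:name=')?([\w.]+)").findall(output)
        Black_permission = []
        for permission in match:
            if permission in self.BLACK_LIST:
                Black_permission.append(permission)
        print(Black_permission)
        return Black_permission
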
if __name__ == '__main__':
    apkPath = input("APK文件路径:")
    apk_info = ApkInfo(apkPath)
    apk_info.get_apk_permission()
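
The matching step above as an offline check, added here as an example (not the original author's code): it parses aapt dump permissions text in both the old format shown on this page and the name='...' format that newer aapt builds print, counts only uses-permission lines, and groups the hits by Android permission group. The group labels and the names GROUPS, GROUP_OF, LINE, SAMPLE and dangerous_by_group are chosen for this example.

```python
import re

# The page's BLACK_LIST, arranged by Android permission group (grouping added here).
P = "android.permission."
GROUPS = {
    "STORAGE": (P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"),
    "CALENDAR": (P + "READ_CALENDAR", P + "WRITE_CALENDAR"),
    "CAMERA": (P + "CAMERA",),
    "CONTACTS": (P + "READ_CONTACTS", P + "WRITE_CONTACTS", P + "GET_ACCOUNTS"),
    "LOCATION": (P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"),
    "MICROPHONE": (P + "RECORD_AUDIO",),
    "PHONE": (P + "READ_PHONE_STATE", P + "CALL_PHONE", P + "READ_CALL_LOG",
              P + "WRITE_CALL_LOG", "com.android.voicemail.permission.ADD_VOICEMAIL",
              P + "USE_SIP", P + "PROCESS_OUTGOING_CALLS"),
    "SENSORS": (P + "BODY_SENSORS",),
    "SMS": (P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS",
            P + "RECEIVE_WAP_PUSH", P + "RECEIVE_MMS", P + "READ_CELL_BROADCASTS"),
    "SETTINGS": (P + "WRITE_SETTINGS",),  # on the page's list; label is ours
}
GROUP_OF = {perm: group for group, perms in GROUPS.items() for perm in perms}

# Matches "uses-permission: X" (old aapt) and "uses-permission: name='X'" (newer).
# Anchoring on "uses-" skips "permission:" lines, which declare a custom
# permission rather than request one.
LINE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)


def dangerous_by_group(aapt_output):
    """Return {group: sorted list of requested dangerous permissions}."""
    report = {}
    for perm in set(LINE.findall(aapt_output)):  # set() drops duplicate requests
        group = GROUP_OF.get(perm)
        if group:
            report.setdefault(group, []).append(perm)
    return {group: sorted(perms) for group, perms in report.items()}


# Constructed sample: lines from the lxsj.apk dump above plus one new-format line.
SAMPLE = """package: com.jiayouya.travel
uses-permission: android.permission.INTERNET
uses-permission: android.permission.CAMERA
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: name='android.permission.READ_SMS'
permission: com.jiayouya.travel.permission.C2D_MESSAGE
uses-permission: com.jiayouya.travel.permission.C2D_MESSAGE
"""

if __name__ == "__main__":
    for group, perms in sorted(dangerous_by_group(SAMPLE).items()):
        print(group, perms)
```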

AAPT can do much more than this small task and can extract a lot of other APK information. You can try the other AAPT commands yourself.

3. Summary

I believe that many students who are just getting started, like me, do not know what a decompilation tool is actually doing most of the time. We start right away with advanced, full-featured tools such as JADX and JEB, but we are not too clear about how they work. So everyone can learn more about the working principles of these decompiler tools. It's good for everyone! (The interviewer may ask.)

Origin blog.csdn.net/Qiled/article/details/105489911