background
To prevent android apps from being hacked, implanted with hacker viruses, or modified for commercial use, hardening is essential. Next, this article will mainly talk about the process of reinforcement and some matters needing attention.
preparation
First of all, understand what is reinforcement, reinforcement principle is what kind of, this is conducive to the back analysis of the problem.
In simple terms, hardening means encrypting the source Apk and then covering it with a shell. The source Apk is encrypted with encryption algorithm, and then the shell Apk is merged to obtain a new Dex file. Finally, the new Apk is obtained by replacing the Dex file in the shell program. The new Apk is no longer an Apk program in the complete sense, and its main job is to decrypt the source Apk, and then load the Apk to make it run normally.
At present, major Internet companies have their own applications for reinforcement protection, such as 360 and Tencent have opened their services to the outside world. In addition, there are some special reinforcement products on the market, such as Aiencryption and bong-bong reinforcement. Take advantage of these wheels and focus on business development to increase productivity.
Selection of reinforcement tools: 360 reinforcement is used this time
First, from the investigation and reinforcement results, it can be seen that 360 reinforcement has advantages in compatibility, startup speed and volume change, and the overall reinforcement effect is relatively good.
Second, 360 is a safety company and has a great influence in the industry. Its reinforcement technology is reliable.
Third, see a lot of strengthening tools website, reinforcement is the process of upload signature APK package to website page or use the corresponding desktop application to upload, this process requires human to upload, and 360 provides a toolkit reinforcement is obtained, we can write a script to invoke the reinforcement program for automation. Now many companies use Jenkins online automatic packaging, reinforcement is also part of the packaging process, and it is better to be automated, so that the whole packaging process is “one-stop”, without manual intervention, equivalent to the black box, programmers do not care about the packaging process, but also reduce labor costs and error probability.
Desired goals
Automatic hardening and multi-channel packaging using Gradle scripts
implementation
The whole process is divided into three steps: reinforcement – re-signature – multi – channel packaging
strengthening
Hardening process: browse 360 hardening official website, the whole hardening process is actually very simple, mainly consists of the following three steps:
1) Enter the account and password of 360 hardening platform
2) Upload the signature file to the hardening platform
3) Upload the APK file to be hardened
The key command lines are as follows:
commandLine {command execution symbol}."-c" ,"Java-jar {jar package location} -login {360 login account} {360 login password}"
commandLine {command execution symbol}."-c" ,Importsign {location of signature file} {password stored in signature file} {alias alias} {alias password}"
commandLine {command execution symbol}."-c" ,"Java-jar {hardened JAR package location} -jiagu {hardened APK file path} {hardened APK output path} -autosign"
Copy the code
Description:
1) Command execution symbols vary with the operating system (Linux: sh; Mac: bash; Windows: Powershell);
2) Uploading the signature file information in the second line is unnecessary. After hardening, the hardening platform can automatically re-sign the signature file, and the information required for automatic signature is the previously uploaded signature information. In order to ensure the confidentiality and security of the signature file, not the third party to reinforce the public platform, so it is impossible to carry out the second line of code can, because when reinforcement will erase the original signature, and the third party can’t get to our signature information at this time, so need our local signature again after reinforcement, the following will introduce to reinforce the package weighs the signature;
3) When selecting local hardening, there is no need to add parameter -autosign in the third line of code, because the hardening platform cannot obtain signature information for hardening;
4) For more information about the hardening command line, please refer to the official website of 360. In the official website, there is also the function of importing channel information after reinforcement, which is not used in multi-channel packaging this time. First, Meituan Walle used multi-channel packaging previously in the project. Secondly, I don’t know how to get the channel information after 360 reinforcement and packaging, which will be widely used in the project, such as data burying point and channel statistics.
Based on the above description and the specific situation of the project, clean up the code, using Linux as an example:
/** * 360@paramApk hardened original APK File *@paramOutputPath Output directory */
def reinforceApk(File apk,outputPath) {
println "--- 360 reinforceApk start! -"
println "reinforce apk:" + apk
if(apk == null| |! apk.exists()) {throw new FileNotFoundException('apk is not exists and cannot reinforce')
println "---360 reinforceApk throw exception and forced stop! -"
}
exec {
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -login ${REINFORCE_NAME} ${REINFORCE_PASSWORD}"
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -showsign"
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -jiagu ${apk} ${outputPath}"
}
println "--- 360 reinforce end! -"
}
Copy the code
Heavy signature
The reinforcement work is almost done, all that remains is to re-sign the reinforcement pack
The method of re-signing is to call build-tools in the AndroidSDK and use the alignment tool and signature tool in the toolkit to complete the signature. The specific steps are as follows:
1) Alignment, archive alignment of Apk files is optimized to ensure that all uncompressed data is aligned in the specified alignment from the beginning of the file
2) Signature, select Signature V2
commandLine {command execution symbol}."-c"."{zipalign tool file path} -v -p 4 {hardened APK file path} {aligned output APK file path}"
commandLine {command execution symbol}."-c"."{apksigner tool file path} sign --ks {signature file location} --ks-key-alias {alias alias} --ks-pass pass:{signature file stored password} --key-pass pass:{alias password} --out {output apK file after signature} {output apK file path after alignment}"
Copy the code
Multi-channel packaging
Finally, use walle Meituan’s multi-channel packaging tool
Normally, walle multi-channel packaging is used. You only need to configure the plug-in under app/build.gradle and specify the output path of channel package and channel configuration file. Finally, enter./ Gradlew assembleReleaseChannels in Terminal of Android Studio. After the task is executed, multiple corresponding channel packages will be generated in the specified output path. For specific procedures and details, please refer to the official introduction.
This multi-channel packaging method is fully automated construction, which is difficult to interfere with the construction process and does not meet our needs:
1) in the app/build. Gradle configure plugins, did not find the specified source in the official introduction APK input path way, estimated packaging plug-in is used by default app/build/outputs/APK/release under the APK, This prevents multi-channel packaging of hardened APK packages under different file paths.
2) The packaging task is set up after assembleRelease, which is wrapped inside the plug-in and difficult to modify externally. The packaging task depends on the hardening task, which is performed after the hardening task.
In addition to the above multi-channel packaging method, Walle also provides another multi-channel packaging method. Run the walle-cli-all.jar provided by Walle on the command line to perform the packaging operation, and only one packaging command is required to complete the packaging.
commandLine "sh"."-c"."Java-jar {walle-cli-all.jar file path} batch -f {channel file path} {channel file path} {channel package output path}"
Copy the code
Walle-cli-all. jar File download address: walle-cli-all.jar
The whole process
At this point, 360 reinforcement + Walle multi-channel packaging of the basic work completed! That leaves building the overall process and optimizing the code.
First, the hardening and packaging operations are encapsulated as automated operations, and the hardening tasks are built using Gradle scripts. To decouple the code, we do not implement the hardening task in app/build.gradle. Instead, we create a new Gradle file to implement the hardening and multi-channel packaging process. ‘×××. Gradle ‘refers to this gradle file. If you need to modify some hardened code logic, you only need to modify it in this gradle file.
Introduce toolkits. According to their own system environment, in the reinforcement assistant web page to select the corresponding reinforcement assistant tool, download the jiAGu folder inside the copy to the root directory of their own project; Download the JAR package to your own project from the Walle-CLI-jar download link.
Determine the timing of reinforcement tasks. The hardening task should be timed after the release package is generated, so the hardening task should rely on the assembleRelease task and be set to be executed after this task.
So here’s our basic flow
1) find the release package, generally in the app/build/outputs/apk/release/directory
2) Run the hardening command, set the release package path to the command, and specify the output path of the hardening APK file
3) Locate the hardened APK file, align and re-sign the hardened APK file. (360 hardened APK files will add “_jiagu” after the original release file name)
4) Find the re-signed APK file and execute the multi-channel packaging command. (Add “_sign” to the end of the original file name)
/** * 360 reinforcement + Meituan Walle channel package */
task assembleReinforceRelease() {
group '360reinforce'
dependsOn("assembleRelease")
doLast {
cleanFilesPath(CHANNEL_APKS_PATH) // Empty the channel package generated last time
def releaseApkFile = findApkFile(SOURCE_APK_PATH,"release") // Walk through the file looking for the release package
if(releaseApkFile ! =null) {
reinforceApk(releaseApkFile, DEFAULT_APK_PATH) // Perform hardening
def reinforceApk = findApkFile(DEFAULT_APK_PATH, "_jiagu") // Find the hardened APK package
if(reinforceApk ! =null) {
signApkV2(reinforceApk) // Use V2 to re-sign
def signatureApk = findApkFile(DEFAULT_APK_PATH, "sign")
if(signatureApk ! =null) {
buildChannelApks(signatureApk,CHANNEL_APKS_PATH) // Implement multi-channel packaging
renameChannelApkFiles(CHANNEL_APKS_PATH) // Rename channel packages
}
}
}
}
}
Copy the code
After the whole process is determined, it is almost at the end.
Code optimization:
1) Encapsulate each step in the process into a method to make the code more concise and easy to understand;
2) The task involves sensitive information such as 360 platform account password. You can manage this information in the file where the signature information resides (eg: Keystore.properties) and then load this information into the gradle file.
3) File paths of various input and output are defined as constants for easy modification and management;
Hardening methods, renaming and channel packaging methods are similar:
/** * 360@paramApk hardened original APK File *@paramOutputPath Output directory */
def reinforceApk(File apk,outputPath) {
println "--- 360 reinforceApk start! -"
println "reinforce apk:" + apk
if(apk == null| |! apk.exists()) {throw new FileNotFoundException('apk is not exists and cannot reinforce')
println "---360 reinforceApk throw exception and forced stop! -"
}
exec {
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -login ${REINFORCE_NAME} ${REINFORCE_PASSWORD}"
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -showsign"
commandLine "sh"."-c"."java -jar ${REINFORCE_JAR} -jiagu ${apk} ${outputPath}"
}
println "--- 360 reinforce end! -"
}
Copy the code
All constants, key names and paths involved in the task should be modified according to their actual conditions:
/* Load keystore.properties information into the gradle file */
def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
ext {
/ * * / reinforcement
REINFORCE_JAR = "${project.rootDir}/jiagu/jiagu.jar"
REINFORCE_NAME = keystoreProperties['360_NAME'] //360 Harden the account
REINFORCE_PASSWORD = keystoreProperties['360_PASSWORD'] //360 Hardening password
KEY_PATH = keystoreProperties['storeFile'] // Key path
KEY_PASSWORD = keystoreProperties['storePassword'] // Key password
ALIAS = keystoreProperties['keyAlias'] // Key alias
ALIAS_PASSWORD = keystoreProperties['keyPassword'] // Alias password
SOURCE_APK_PATH = "${project.buildDir}/bakApk" // Source APk file path
DEFAULT_APK_PATH = "${project.buildDir}/outputs/apk/release" // The default release file path
/* Multichannel package */
WALLE_JAR = "${project.rootDir}/walle-cli-all.jar"
WALLE_CHANNELS_CONFIG = ".. /app/channel" // Channel configuration file
CHANNEL_APKS_PATH = "${project.buildDir}/outputs/channels" // Channel Apk output path
}
Copy the code
validation
1) Check whether the signature of the release package before hardening is consistent with that of apK after hardening. If they are the same, the new APK can overwrite the installation
2) Decompile the hardening package using a decompiler to see if you can see the Activity classes
3) check if I can get to channel package, access to code number is through WalleChannelReader getChannel (application); This method
.
Q&A
1) It is rumored online that 360 cannot get the channel number of Walle packaging after reinforcement?
Yes, the signature information of the signed release package will be erased in 360 reinforcement process. If the channel package is made with Walle before reinforcement, the channel number will be lost. Therefore, we adopt the method of reinforcement first and then multi-channel packaging.
Welcome to pay attention to the public number – long see first
(Newly opened public account, please support!)
If you think it is helpful, please click “like”, thank you! In the meantime, you are welcome to comment and discuss your questions with each other.