This article has been first “buckle wave” public number
Privacy compliance rectification is not only a one-time investigation, but also a complete system to regulate the code behind, so as to avoid the occurrence of privacy code invocation and trigger compliance problems.
The overall process of the improvement of a system is as follows:
- Found the problem
- Change the question
- Specification problem
1. How to check the privacy code call before “agree user privacy”?
Use as to manually Find in the Fies? So how do you know when this code is called? Therefore, statically checking privacy code calls is not appropriate. Is there a way to know at runtime which classes are calling the privacy API? Yes, our basic team wrote a survey of “Android APP runtime Behavior Monitoring Technology Solution”, using Frida to hook Java code, but Frida is really too troublesome to use, need to build various environments, The building process can refer to “APP Reverse artifact Frida [Android Primer]”, can not point directly hook? Yes, Epic:
Epic is a Java Method-granular runtime AOP Hook framework at the virtual machine level. In simple terms, Epic is Dexposed on ART (support Android 5.0 ~ 11). It can intercept almost any Java method call within the process, and can be used to implement AOP programming, runtime staking, performance analysis, security auditing, and so on.
It is also very simple to use: set up ahead of time which Java side needs to hook, for example, I want to hook the getDeviceId method of TelephonyManager:
Class clazz=null;
try {
clazz = Class.forName("android.telephony.TelephonyManager");
} catch (ClassNotFoundException e) {
e.printStackTrace();
}
DexposedBridge.findAndHookMethod(clazz, "getDeviceId".new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
Log.i(TAG, "beforeHookedMethod: this:" + param.thisObject, new RuntimeException("stack"));
}
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Log.i("Case3"."afterHookedMethod getDeviceId"); }});Copy the code
In the code. If have a place to call TelephonyManager getDeviceId, will be epic beforeHookedMethod intercepted, we only need the beforeHookedMethod print out the stack to be able to see who is calling, Printing the stack is also very simple, we can ask it to throw an exception to see the experiment result:
However, there are so many private API calls, if there are new APIS that become private in the future, it is not possible to write every one of them. No problem, just configure the privacy API.
Place a privacy.json configuration file in assets of the main project in the following format:
In initialization, we read the configuration into a JSON file to parse out the className and method to hook, as shown in the following example:
2. How to check the code of private call globally?
1. Decompress APK, extract all dex, disassemble dex into SMAIL files, and scan methods in SMAIL files according to rules to see if privacy-related apis are called. Representative works include Static Check of Android Privacy Compliance by netease Cloud.
Customizable Gradle Transfrom processes class files and JAR files. Then use the ASM ClassVisitor to fetch all methods of the current class and check if the method has a privacy API. VisitMethod Check out Mamba
3. Do a set of privacy compliance checks based on Lint. The author of “Lint-Privacy Detector” does a set of Lint checks based on ClassScanner
3. How to change the code of privacy call?
Manually change? The thread_hook_plugin plugin can be used to create your own class by using the ASM solution.
There are many alternative methods, such as booster booster-transform-thread of Booster
4. How to regulate privacy calls
This is where we need to develop our Lint checking tool to make the privacy API more powerful. However, I see some problems with many existing Lint tools. Each specification requires writing the UastScanner class. Lint can be configured by reading configuration files. There is an AndroidLint tool based on configuration checking. We can simply configure the privacy API into the custom_lint_config.json file
Reference Documents:
- Step by step governance privacy permissions | android black magic
- I’ll continue Dexposed for a second — on Method AOP implementation at runtime on ART
- Lint- Privacy detection tool
- Explore in depth the compilation and piling technology
- ASM series