Background:
Strategy:
1. Add a privacy-permission explanation page. Before the user agrees to the privacy policy, perform no operations at all, third-party SDK initialization included; if the user chooses to disagree, show a second, friendly retention prompt, and keep doing so until the user chooses to agree.
2. Remove sensitive API calls from the app and its SDKs. Removing the calls inside SDKs is the hard part: first decompile the app to see which SDKs call which sensitive APIs, then use a plugin to replace every sensitive API call with a self-implemented method. Strictly speaking, this step is only a safety net and is not mandatory; we replace everything mainly to guard against anything step 1 missed. The plugin implementation will be described in detail in a separate article.
3. With the app started but privacy consent not yet given, check whether any sensitive API is called, to verify that steps 1 and 2 actually satisfy the compliance requirements.
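The three steps above fit together as one gate: consent is persisted, SDK initializers are queued rather than run, and the "self-implemented method" of step 2 checks the same flag before it ever reaches the system API. The code below is an added illustration, not code from the original post or its plugin; the class names (PrivacyGate, App, SplashActivity), the preference keys and the dialog wording are assumptions, and only TelephonyManager.getDeviceId() is shown as a wrapped API. Each public class would live in its own file.

```java
// File: PrivacyGate.java (hypothetical helper, not from the original post)
package com.example.privacy;

import android.content.Context;
import android.telephony.TelephonyManager;
import java.util.ArrayList;
import java.util.List;

// Until consent is stored, queued SDK initializers do not run and the wrapped
// TelephonyManager call returns "" without touching the system API, so an
// Xposed hook on getDeviceId() sees nothing before the user agrees.
public final class PrivacyGate {
    private static final String PREFS = "privacy_gate";          // assumed name
    private static final String KEY_CONSENTED = "policy_consented";
    private static final List<Runnable> pending = new ArrayList<>();
    private static volatile boolean consented;

    private PrivacyGate() {}

    // Call once from Application.onCreate(), before anything else.
    public static void init(Context ctx) {
        consented = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                       .getBoolean(KEY_CONSENTED, false);
    }

    public static boolean hasConsent() { return consented; }

    // SDKs register their initialization here instead of running it directly.
    public static synchronized void runAfterConsent(Runnable sdkInit) {
        if (consented) sdkInit.run(); else pending.add(sdkInit);
    }

    // Called from the "agree" button: persists consent and flushes the queue.
    public static synchronized void grant(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putBoolean(KEY_CONSENTED, true).apply();
        consented = true;
        for (Runnable r : pending) r.run();
        pending.clear();
    }

    // Self-implemented replacement for TelephonyManager.getDeviceId(); the
    // call-site rewriting plugin mentioned in the post would point here.
    public static String getDeviceId(Context ctx) {
        if (!consented) return "";
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        try {
            String id = (tm == null) ? null : tm.getDeviceId();
            return (id == null) ? "" : id;
        } catch (SecurityException e) { // no READ_PHONE_STATE, or API 29+ restriction
            return "";
        }
    }
}

// File: App.java
package com.example.privacy;

import android.app.Application;

public class App extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        PrivacyGate.init(this);
        // Third-party SDK init goes into the queue, never straight into onCreate().
        PrivacyGate.runAfterConsent(() -> { /* SomeSdk.init(this); hypothetical SDK */ });
    }
}

// File: SplashActivity.java
package com.example.privacy;

import android.app.Activity;
import android.app.AlertDialog;
import android.os.Bundle;

// First dialog, then a friendly retention dialog on refusal, repeated until agreement.
public class SplashActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (PrivacyGate.hasConsent()) { enterApp(); return; }
        showPolicyDialog(false);
    }

    private void showPolicyDialog(boolean retention) {
        new AlertDialog.Builder(this)
            .setCancelable(false)
            .setTitle(retention ? "Please reconsider" : "Privacy policy")
            .setMessage(retention
                ? "Without your consent the app cannot provide its services."
                : "Device information is collected only after you agree to the privacy policy.")
            .setPositiveButton("Agree", (d, w) -> { PrivacyGate.grant(this); enterApp(); })
            .setNegativeButton("Disagree", (d, w) -> showPolicyDialog(true))
            .show();
    }

    private void enterApp() { /* start the real home Activity */ }
}
```

The design point is that step 3's hook-based check only passes if both halves hold: nothing in Application.onCreate() touches an SDK directly, and every rewritten call site funnels through a wrapper that consults the stored flag rather than its own copy of it.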


Detection:
Tools:
https://github.com/espduino/Hegui2.0
https://github.com/android-hacker/VirtualXposed
How VirtualXposed works:
How Xposed framework modules work:
Xposed module code for detecting privacy-sensitive API calls:
package com.example.xcl;

import android.content.ContentResolver;
import android.location.LocationManager;
import android.util.Log;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class HookApi implements IXposedHookLoadPackage {
    private static final String TAG = "Xposed";

    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
        if (lpparam == null) {
            return;
        }
        Log.e(TAG, "Load app packageName:" + lpparam.packageName);
        // Only hook the package under test ("指定包名" is a placeholder for the target package name)
        if (!"指定包名".equals(lpparam.packageName)) {
            return;
        } else {
            Log.e(TAG, "API检测");
        }
        // Every hook below follows the same fixed pattern. Note that findAndHookMethod throws
        // NoSuchMethodError if an overload does not exist on this Android version (the
        // getSubscriberId(int) variant is a hidden API), which would abort the remaining hooks.
        XposedHelpers.findAndHookMethod(
                android.telephony.TelephonyManager.class.getName(), // fully qualified name of the class declaring the method
                lpparam.classLoader,                                  // class loader; always written like this
                "getDeviceId",                                        // name of the method to hook
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getDeviceId()获取了imei");
                    }
                });
        XposedHelpers.findAndHookMethod(
                android.telephony.TelephonyManager.class.getName(),
                lpparam.classLoader,
                "getDeviceId",
                int.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getDeviceId(int)获取了imei");
                    }
                });
        XposedHelpers.findAndHookMethod(
                android.telephony.TelephonyManager.class.getName(),
                lpparam.classLoader,
                "getSubscriberId",
                int.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getSubscriberId获取了imsi");
                    }
                });
        XposedHelpers.findAndHookMethod(
                android.net.wifi.WifiInfo.class.getName(),
                lpparam.classLoader,
                "getMacAddress",
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getMacAddress()获取了mac地址");
                    }
                });
        XposedHelpers.findAndHookMethod(
                java.net.NetworkInterface.class.getName(),
                lpparam.classLoader,
                "getHardwareAddress",
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getHardwareAddress()获取了mac地址");
                    }
                });
        XposedHelpers.findAndHookMethod(
                android.provider.Settings.Secure.class.getName(),
                lpparam.classLoader,
                "getString",
                ContentResolver.class,
                String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        // param.args[1] is the settings key, e.g. "android_id"
                        XposedBridge.log("调用Settings.Secure.getstring获取了" + param.args[1]);
                    }
                });
        XposedHelpers.findAndHookMethod(
                LocationManager.class.getName(),
                lpparam.classLoader,
                "getLastKnownLocation",
                String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        XposedBridge.log("调用getLastKnownLocation获取了GPS地址");
                    }
                });
    }
}
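The module above tells you that a sensitive API was called, but step 2 of the strategy also needs to know which SDK called it. The variant below is an added example, not code from the original post: it shares the hook pattern above but records the first stack frame outside the Android framework and Xposed itself, and wraps each hook in try/catch so a missing overload on one ROM does not abort the rest. The class name HookApiWithCaller, the "[privacy]" log prefix and the list of skipped package prefixes are assumptions.

```java
package com.example.xcl;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

// Added example (not from the original post): logs each sensitive call together
// with the app/SDK frame that made it, so the log can be grouped by SDK.
public class HookApiWithCaller implements IXposedHookLoadPackage {
    private static final String TARGET = "指定包名"; // placeholder: target package name
    // Frames with these prefixes are framework or hooking machinery, not the caller.
    private static final String[] SKIP_PREFIXES = {
        "android.", "java.", "libcore.", "dalvik.", "com.android.", "de.robv.android.xposed."
    };

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
        if (lpparam == null || !TARGET.equals(lpparam.packageName)) return;
        ClassLoader cl = lpparam.classLoader;
        hook(cl, "android.telephony.TelephonyManager", "getDeviceId");
        hook(cl, "android.telephony.TelephonyManager", "getDeviceId", int.class);
        hook(cl, "android.net.wifi.WifiInfo", "getMacAddress");
        hook(cl, "java.net.NetworkInterface", "getHardwareAddress");
        hook(cl, "android.provider.Settings$Secure", "getString",
             android.content.ContentResolver.class, String.class);
        hook(cl, "android.location.LocationManager", "getLastKnownLocation", String.class);
    }

    // Installs one logging hook; paramTypes are the overload's parameter classes.
    private static void hook(ClassLoader cl, String cls, String method, Object... paramTypes) {
        Object[] args = new Object[paramTypes.length + 1];
        System.arraycopy(paramTypes, 0, args, 0, paramTypes.length);
        args[paramTypes.length] = new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) {
                XposedBridge.log("[privacy] " + cls + "." + method + " called from " + firstAppFrame());
            }
        };
        try {
            XposedHelpers.findAndHookMethod(cls, cl, method, args);
        } catch (Throwable t) {
            // Hidden or version-specific overloads may be absent on this ROM; keep going.
            XposedBridge.log("[privacy] cannot hook " + cls + "." + method + ": " + t);
        }
    }

    // Walks the current stack and returns the first frame belonging to the app or a bundled SDK.
    static String firstAppFrame() {
        for (StackTraceElement e : new Throwable().getStackTrace()) {
            String c = e.getClassName();
            if (c.startsWith(HookApiWithCaller.class.getName())) continue; // this module's own frames
            boolean skip = false;
            for (String p : SKIP_PREFIXES) {
                if (c.startsWith(p)) { skip = true; break; }
            }
            if (!skip) {
                return c + "." + e.getMethodName() + "(" + e.getFileName() + ":" + e.getLineNumber() + ")";
            }
        }
        return "<unknown>";
    }
}
```

As with any Xposed module, the class name is listed in assets/xposed_init so the framework loads it; the resulting log lines can then be filtered by the "[privacy]" prefix and grouped by the caller's package to see which SDK fired before the consent dialog was accepted.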
Results in practice:


拖地先生 works in internet technology and posts two articles a week here about day-to-day practice and lessons learned.

This article is reposted from 拖地先生. If it infringes any rights, report it by e-mail to contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.