首页 > 代码库 > Android Accessibility(辅助功能) 安全相关问题
Android Accessibility(辅助功能) 安全相关问题
对于那些由于视力、听力或其它身体原因导致不能方便使用Android智能手机的用户,Android提供了Accessibility功能和服务帮助这些用户更加简单地操作设备,包括文字转语音、触觉反馈、手势操作、轨迹球和手柄操作。开发者可以搭建自己的Accessibility服务,这可以加强可用性,例如声音提示,物理反馈,和其他可选的操作模式。
随着Android版本的不断升级,Android Accessibility功能也越来越强大,Android 4.0版本以前,系统辅助服务功能比较单一,仅仅能过单向获取窗口元素信息,比如获取输入框用户输入内容。到Android 4.1版本以后,系统辅助服务增加了与窗口元素的双向交互,此时可以通过辅助功能服务操作窗口元素,比如点击按钮等。
由于系统辅助服务能够实时获取您当前操作应用的窗口元素信息,这有可能给你带来隐私信息的泄露风险,比如获取非密码输入框的输入内容等。同时通过辅助功能也可以模拟用户自动化点击应用内元素,也会带来一定的安全风险。
本文实现了一种通过系统辅助服务完成应用的自动安装、卸载、强行停止的功能。
1、AndroidManifest.xml文件配置自己实现的MyAccessibilityService服务。
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.jack.accessibility"
android:versionCode="1"
android:versionName="1.0" >
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="18" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
<uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<application
android:allowBackup="true"
android:icon="@drawable/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name="com.jack.accessibility.MainActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<service android:label="@string/acc_service_name" android:name=".MyAccessibilityService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<intent-filter>
<action android:name="android.accessibilityservice.AccessibilityService" />
</intent-filter>
<meta-data android:name="android.accessibilityservice" android:resource="@xml/phone_accessibility" />
</service>
</application>
</manifest>2、在res/xml/phone_accessibility.xml配置相应的参数信息。
<?xml version="1.0" encoding="utf-8"?>
<accessibility-service android:description="@string/accessibility_service_description"
android:accessibilityEventTypes="typeAllMask"
android:accessibilityFeedbackType="feedbackGeneric"
android:notificationTimeout="100"
android:accessibilityFlags=""
android:canRetrieveWindowContent="true"
xmlns:android="http://schemas.android.com/apk/res/android" />3、MainActivity实现安装、卸载、强行停止动作的发起。
package com.jack.accessibility;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import android.net.Uri;
import android.os.Bundle;
import android.os.Environment;
import android.provider.Settings;
import android.view.View;
import android.app.Activity;
import android.content.Intent;
public class MainActivity extends Activity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
this.findViewById(R.id.activeButton).setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View arg0) {
// TODO Auto-generated method stub
Intent killIntent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);
startActivity(killIntent);
}
});
this.findViewById(R.id.installButton).setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View arg0) {
// TODO Auto-generated method stub
MyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_INSTALL_APP;
String fileName = Environment.getExternalStorageDirectory() + "/test.apk";
File installFile = new File(fileName);
if(installFile.exists()){
installFile.delete();
}
try {
installFile.createNewFile();
FileOutputStream out = new FileOutputStream(installFile);
byte[] buffer = new byte[512];
InputStream in = MainActivity.this.getAssets().open("test.apk");
int count;
while((count= in.read(buffer))!=-1){
out.write(buffer, 0, count);
}
in.close();
out.close();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(fileName)), "application/vnd.android.package-archive");
startActivity(intent);
}
});
this.findViewById(R.id.uninstallButton).setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View arg0) {
// TODO Auto-generated method stub
MyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_UNINSTALL_APP;
Uri packageURI = Uri.parse("package:com.example.test");
Intent uninstallIntent = new Intent(Intent.ACTION_DELETE, packageURI);
startActivity(uninstallIntent);
}
});
this.findViewById(R.id.killAppButton).setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View arg0) {
// TODO Auto-generated method stub
MyAccessibilityService.INVOKE_TYPE = MyAccessibilityService.TYPE_KILL_APP;
Intent killIntent = new Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS);
Uri packageURI = Uri.parse("package:com.example.test");
killIntent.setData(packageURI);
startActivity(killIntent);
}
});
}
}
4、MyAccessibilityService中通过自动化点击实现应用安装、卸载、强行停止功能。
package com.jack.accessibility;
import java.util.List;
import android.accessibilityservice.AccessibilityService;
import android.annotation.SuppressLint;
import android.util.Log;
import android.view.KeyEvent;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;
@SuppressLint("NewApi")
public class MyAccessibilityService extends AccessibilityService {
public static int INVOKE_TYPE = 0;
public static final int TYPE_KILL_APP = 1;
public static final int TYPE_INSTALL_APP = 2;
public static final int TYPE_UNINSTALL_APP = 3;
public static void reset(){
INVOKE_TYPE = 0;
}
@Override
public void onAccessibilityEvent(AccessibilityEvent event) {
// TODO Auto-generated method stub
this.processAccessibilityEnvent(event);
}
private void processAccessibilityEnvent(AccessibilityEvent event) {
Log.d("test", event.eventTypeToString(event.getEventType()));
if (event.getSource() == null) {
Log.d("test", "the source = null");
} else {
Log.d("test", "event = " + event.toString());
switch (INVOKE_TYPE) {
case TYPE_KILL_APP:
processKillApplication(event);
break;
case TYPE_INSTALL_APP:
processinstallApplication(event);
break;
case TYPE_UNINSTALL_APP:
processUninstallApplication(event);
break;
default:
break;
}
}
}
@Override
protected boolean onKeyEvent(KeyEvent event) {
// TODO Auto-generated method stub
return true;
}
@Override
public void onInterrupt() {
// TODO Auto-generated method stub
}
private void processUninstallApplication(AccessibilityEvent event) {
if (event.getSource() != null) {
if (event.getPackageName().equals("com.android.packageinstaller")) {
List<AccessibilityNodeInfo> ok_nodes = event.getSource().findAccessibilityNodeInfosByText("确定");
if (ok_nodes!=null && !ok_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<ok_nodes.size(); i++){
node = ok_nodes.get(i);
if (node.getClassName().equals("android.widget.Button") && node.isEnabled()) {
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
}
}
}
}
}
}
private void processinstallApplication(AccessibilityEvent event) {
if (event.getSource() != null) {
if (event.getPackageName().equals("com.android.packageinstaller")) {
List<AccessibilityNodeInfo> unintall_nodes = event.getSource().findAccessibilityNodeInfosByText("安装");
if (unintall_nodes!=null && !unintall_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<unintall_nodes.size(); i++){
node = unintall_nodes.get(i);
if (node.getClassName().equals("android.widget.Button") && node.isEnabled()) {
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
}
}
}
List<AccessibilityNodeInfo> next_nodes = event.getSource().findAccessibilityNodeInfosByText("下一步");
if (next_nodes!=null && !next_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<next_nodes.size(); i++){
node = next_nodes.get(i);
if (node.getClassName().equals("android.widget.Button") && node.isEnabled()) {
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
}
}
}
List<AccessibilityNodeInfo> ok_nodes = event.getSource().findAccessibilityNodeInfosByText("打开");
if (ok_nodes!=null && !ok_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<ok_nodes.size(); i++){
node = ok_nodes.get(i);
if (node.getClassName().equals("android.widget.Button") && node.isEnabled()) {
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
}
}
}
}
}
}
private void processKillApplication(AccessibilityEvent event) {
if (event.getSource() != null) {
if (event.getPackageName().equals("com.android.settings")) {
List<AccessibilityNodeInfo> stop_nodes = event.getSource().findAccessibilityNodeInfosByText("强行停止");
if (stop_nodes!=null && !stop_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<stop_nodes.size(); i++){
node = stop_nodes.get(i);
if (node.getClassName().equals("android.widget.Button")) {
if(node.isEnabled()){
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
}
}
}
}
List<AccessibilityNodeInfo> ok_nodes = event.getSource().findAccessibilityNodeInfosByText("确定");
if (ok_nodes!=null && !ok_nodes.isEmpty()) {
AccessibilityNodeInfo node;
for(int i=0; i<ok_nodes.size(); i++){
node = ok_nodes.get(i);
if (node.getClassName().equals("android.widget.Button")) {
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
Log.d("action", "click ok");
}
}
}
}
}
}
}
Android Accessibility(辅助功能) 安全相关问题
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。