天朝布衣田中码农参上

Odds and ends from a hard-pressed code monkey; advice welcome!
A Preliminary Solution to the Privacy and Financial-Safety Problems Caused by Permissions in Android Apps

2017-10-16 08:59:02 | Category: Android
As Android's market share has climbed, the number of apps has grown and grown, and it now matches or even exceeds iOS. Add to that growth Google's free hand with Android permissions (there are a great many of them, and many touch private data), developers with no scruples, and the frenzy of the domestic market, and the result is that today's Android apps behave like sleeper agents: they quietly steal our personal data, contacts and identity details included, and quite a few even place premium-rate calls or send subscription SMS messages behind our backs. Chaos is the norm and accidents are common, and we lose out on both privacy and money.
At the heart of this is the permission problem. When an app is installed it tells you which permissions it needs; refuse and you cannot use it. If you really must use the app, you have no choice but to accept its take-it-or-leave-it terms. Under normal use, once the app is installed there is no way to block one particular permission request. The user's only chance to refuse is before installation (as noted above), but that is meaningless: the software you need, you still have to use. Before installing, the app announces "hey, I'm about to violate you", and once it is installed there is no chance to resist.
Some will say: on Android you can use a security-management app, and that will keep app permissions under control. True, that sounds perfectly reasonable; I can hardly argue. But please understand two things. First, a security-management app generally needs root to be installed; second, are you sure you fully trust the security-management app itself (say, a certain domestic 3X0 Mobile Guard or TenXent QQ Mobile Manager)? Asking these security apps to guard your privacy and finances means rashly handing over the highest privilege on the system, and whether you have raised a watchdog or let a wolf into the house, heaven only knows.
Reading this, some will say: then dedicate one Android phone without a SIM card to running apps, and install no other software on the phone that has the SIM. Ha, that makes me laugh: does the phone with the SIM card have no pre-installed apps? Those pre-installed apps all come with their own hidden cargo.
So, having come this far, the root of the matter is that we still need a way to control app permissions.
The Android permission system can be divided roughly into four layers: the "Android.Permission" permission system for Android apps, Linux root, the bootloader that is responsible for booting the system, and the baseband permissions that lock the mobile network. Of these, root, the bootloader and the baseband are not much of a security problem on Android: rooting an Android phone, or unlocking the bootloader and baseband at will, is not easy. The problems arise in the "Android.Permission" system.
These permissions are hard-coded into the app and normally cannot be changed, but they can in fact be changed through unofficial means (with APK modification tools). First download an APK modification tool (for example APKIDE 改之理, at http://yun.baidu.com/s/1mgh2Nfa), unpack and run it, open the app you want to install and decompile it (QQ Lite, QQ轻聊版, is used as the example here), find AndroidManifest.xml and open it. The screen looks like this:
[Screenshot from the original post: AndroidManifest.xml of QQ Lite opened in the decompiler]
You can see that this app requests quite a few permissions, among them the following lines:

<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_SMS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>

These permissions mean that QQ Lite can read your SMS messages (READ_SMS) and contacts (READ_CONTACTS), and can also write SMS messages (WRITE_SMS) and send them in the background (SEND_SMS). What you now need to do is delete these lines, rebuild the app, and install it on your Android phone. If errors occur while decompiling or rebuilding, see the earlier post "Resolving ApkIDE decompile and build errors" (《ApkIDE反编译和编译出错问题的解决》).
Of course, the above approach completely denies the app some of its permissions, which may make it unstable; you may need several attempts to find out which permissions can be removed while the app still runs normally, and that takes a fair amount of time. But for non-professionals like us it should count as a reasonably sound way to control permission abuse. Pre-installed apps you cannot do without can be handled the same way: root first, save the APK to the SD card, modify it with the same APK decompilation tool, and install it back. This method is not a cure-all, though: some apps may simply stop running once certain dangerous permissions are removed, and going further requires editing the smali code as well. In that case we beginners should stay out of it; just delete that app.
Appendix: if you are not familiar with Android permissions, see the following list:
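As an added example (not code from the original post, and not part of APKIDE or any other tool it mentions), here is the manual audit-and-delete step above written as a script. It lists the uses-permission entries of a decoded AndroidManifest.xml, flags the ones that touch SMS, contacts and outgoing calls, and returns a manifest with exactly those entries removed so the rest of the manifest can be rebuilt untouched. The sample manifest and the denylist of sensitive permissions are constructed for this example; in practice you would point it at the AndroidManifest.xml produced by the decompile step.

```python
"""Audit and strip privacy-sensitive <uses-permission> entries from a decoded
AndroidManifest.xml.

Added example, not code from the original post or from APKIDE. It assumes the
manifest has already been decoded to plain XML by the decompile step the post
describes; the sample manifest and the denylist below are constructed here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the post singles out as touching SMS, contacts and paid calls.
# Assumption: this denylist is the editor's choice, not a platform constant.
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.CALL_PRIVILEGED",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Constructed sample manifest, modelled on the QQ Lite excerpt in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Sample"/>
</manifest>
"""


def list_permissions(manifest_xml: str) -> list[str]:
    """Return every permission name the manifest requests, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def audit_permissions(manifest_xml: str) -> list[str]:
    """Return the requested permissions that are on the sensitive denylist."""
    return [p for p in list_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS]


def strip_permissions(manifest_xml: str, remove: set[str]) -> str:
    """Return a copy of the manifest with the given <uses-permission> entries removed.

    Only permission entries are touched; every other element and attribute is
    kept, so the manifest can be fed back to the rebuild step unchanged otherwise.
    """
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) in remove:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    flagged = audit_permissions(SAMPLE_MANIFEST)
    print("Sensitive permissions requested:", flagged)
    print(strip_permissions(SAMPLE_MANIFEST, set(flagged)))
```

The flagged list is the starting point for the trial-and-error the post describes: each permission removed is one the app may later try to use and fail on, so removing them one group at a time and re-testing the rebuilt app is quicker than deleting everything at once and guessing which removal broke it.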
android.permission.ACCESS_CHECKIN_PROPERTIES: Allows read/write access to the "properties" table in the checkin database, to change values that get uploaded.
android.permission.ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location.
android.permission.ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location.
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands.
android.permission.ACCESS_MOCK_LOCATION: Allows an application to create mock location providers for testing.
android.permission.ACCESS_NETWORK_STATE: Allows applications to access information about networks.
android.permission.ACCESS_SURFACE_FLINGER: Allows an application to use SurfaceFlinger's low-level features.
android.permission.ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
android.permission.ADD_SYSTEM_SERVICE: Allows an application to publish system-level services.
android.permission.BATTERY_STATS: Allows an application to update the collected battery statistics.
android.permission.BLUETOOTH: Allows applications to connect to paired bluetooth devices.
android.permission.BLUETOOTH_ADMIN: Allows applications to discover and pair bluetooth devices.
android.permission.BRICK: Required to be able to disable the device (very dangerous!).
android.permission.BROADCAST_PACKAGE_REMOVED: Allows an application to broadcast a notification that an application package has been removed.
android.permission.BROADCAST_STICKY: Allows an application to broadcast sticky intents.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
android.permission.CALL_PRIVILEGED: Allows an application to call any phone number, including emergency numbers, without going through the Dialer user interface for the user to confirm the call being placed.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.CHANGE_COMPONENT_ENABLED_STATE: Allows an application to change whether an application component (other than its own) is enabled or not.
android.permission.CHANGE_CONFIGURATION: Allows an application to modify the current configuration, such as locale.
android.permission.CHANGE_NETWORK_STATE: Allows applications to change network connectivity state.
android.permission.CHANGE_WIFI_STATE: Allows applications to change Wi-Fi connectivity state.
android.permission.CLEAR_APP_CACHE: Allows an application to clear the caches of all installed applications on the device.
android.permission.CLEAR_APP_USER_DATA: Allows an application to clear user data.
android.permission.CONTROL_LOCATION_UPDATES: Allows enabling/disabling location update notifications from the radio.
android.permission.DELETE_CACHE_FILES: Allows an application to delete cache files.
android.permission.DELETE_PACKAGES: Allows an application to delete packages.
android.permission.DEVICE_POWER: Allows low-level access to power management.
android.permission.DIAGNOSTIC: Allows applications to read and write diagnostic resources.
android.permission.DISABLE_KEYGUARD: Allows applications to disable the keyguard.
android.permission.DUMP: Allows an application to retrieve state dump information from system services.
android.permission.EXPAND_STATUS_BAR: Allows an application to expand or collapse the status bar (the Android developer site notes this resembles a tray program in Windows Mobile).
android.permission.FACTORY_TEST: Run as a manufacturer test application, running as the root user.
android.permission.FLASHLIGHT: Allows access to the flashlight (the Android developer site notes that the HTC Dream has no flashlight).
android.permission.FORCE_BACK: Allows an application to force a BACK operation on whatever is the top activity.
android.permission.FOTA_UPDATE: Purpose not yet known; the Android developer site suggests it may be a reserved permission.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.GET_PACKAGE_SIZE: Allows an application to find out the space used by any package.
android.permission.GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
android.permission.HARDWARE_TEST: Allows access to hardware peripherals.
android.permission.INJECT_EVENTS: Allows an application to inject user events (keys, touch, trackball) into the event stream and deliver them to ANY window (the Android developer site notes this amounts to hooking).
android.permission.INSTALL_PACKAGES: Allows an application to install packages.
android.permission.INTERNAL_SYSTEM_WINDOW: Allows an application to open windows that are for use by parts of the system user interface.
android.permission.INTERNET: Allows applications to open network sockets.
android.permission.MANAGE_APP_TOKENS: Allows an application to manage (create, destroy, Z-order) application tokens in the window manager.
android.permission.MASTER_CLEAR: No clear explanation yet; the Android developer site suggests it may wipe all data, similar to a hard reset.
android.permission.MODIFY_AUDIO_SETTINGS: Allows an application to modify global audio settings.
android.permission.MODIFY_PHONE_STATE: Allows modification of the telephony state (power on, MMI, etc.).
android.permission.MOUNT_UNMOUNT_FILESYSTEMS: Allows mounting and unmounting file systems for removable storage.
android.permission.PERSISTENT_ACTIVITY: Allows an application to make its activities persistent.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to monitor, modify, or abort outgoing calls.
android.permission.READ_CALENDAR: Allows an application to read the user's calendar data.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.READ_FRAME_BUFFER: Allows an application to take screenshots and, more generally, get access to the frame buffer data.
android.permission.READ_INPUT_STATE: Allows an application to retrieve the current state of keys and switches.
android.permission.READ_LOGS: Allows an application to read the low-level system log files.
android.permission.READ_OWNER_DATA: Allows an application to read the owner's data.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_SYNC_SETTINGS: Allows applications to read the sync settings.
android.permission.READ_SYNC_STATS: Allows applications to read the sync stats.
android.permission.REBOOT: Required to be able to reboot the device.
android.permission.RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
android.permission.RECEIVE_MMS: Allows an application to monitor incoming MMS messages, to record or perform processing on them.
android.permission.RECEIVE_SMS: Allows an application to monitor incoming SMS messages, to record or perform processing on them.
android.permission.RECEIVE_WAP_PUSH: Allows an application to monitor incoming WAP push messages.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.REORDER_TASKS: Allows an application to change the Z-order of tasks.
android.permission.RESTART_PACKAGES: Allows an application to restart other applications.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.SET_ACTIVITY_WATCHER: Allows an application to watch and control how activities are started globally in the system.
android.permission.SET_ALWAYS_FINISH: Allows an application to control whether activities are immediately finished when put in the background.
android.permission.SET_ANIMATION_SCALE: Modify the global animation scaling factor.
android.permission.SET_DEBUG_APP: Configure an application for debugging.
android.permission.SET_ORIENTATION: Allows low-level access to setting the orientation (actually rotation) of the screen.
android.permission.SET_PREFERRED_APPLICATIONS: Allows an application to modify the list of preferred applications with the PackageManager.addPackageToPreferred() and PackageManager.removePackageFromPreferred() methods.
android.permission.SET_PROCESS_FOREGROUND: Allows an application to force any currently running process to be in the foreground.
android.permission.SET_PROCESS_LIMIT: Allows an application to set the maximum number of (not needed) application processes that can be running.
android.permission.SET_TIME_ZONE: Allows applications to set the system time zone.
android.permission.SET_WALLPAPER: Allows applications to set the wallpaper.
android.permission.SET_WALLPAPER_HINTS: Allows applications to set the wallpaper hints.
android.permission.SIGNAL_PERSISTENT_PROCESSES: Allows an application to request that a signal be sent to all persistent processes.
android.permission.STATUS_BAR: Allows an application to open, close, or disable the status bar and its icons.
android.permission.SUBSCRIBED_FEEDS_READ: Allows an application to access the subscribed feeds ContentProvider.
android.permission.SUBSCRIBED_FEEDS_WRITE: Reserved by the system for now; the Android developer site expects a future version to add this feature.
android.permission.SYSTEM_ALERT_WINDOW: Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications.
android.permission.VIBRATE: Allows access to the vibrator.
android.permission.WAKE_LOCK: Allows using PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming.
android.permission.WRITE_APN_SETTINGS: Allows applications to write the APN settings.
android.permission.WRITE_CALENDAR: Allows an application to write (but not read) the user's calendar data.
android.permission.WRITE_CONTACTS: Allows an application to write (but not read) the user's contacts data.
android.permission.WRITE_GSERVICES: Allows an application to modify the Google service map.
android.permission.WRITE_OWNER_DATA: Allows an application to write (but not read) the owner's data.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.WRITE_SMS: Allows an application to write SMS messages.
android.permission.WRITE_SYNC_SETTINGS: Allows applications to write the sync settings.
Copyright © 1997-2017 NetEase, Inc.