Filtering APK installs: package-name whitelist and certificate verification
1. Define some global variables. File location:
Build.java (frameworks\base\core\java\android\os)
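```java
/**
 * Custom settings. The install check in step 2 reads these as Build.ThintaCust.*,
 * so they are declared in a nested ThintaCust class inside Build.
 */
public static class ThintaCust {
    /**
     * Package management mode<br>
     * whitelist: package-name whitelist
     * certificate: certificate verification
     * none: no management
     */
    public static String packageManage = "none";

    /**
     * Apps that Launch is allowed to show, and the app whitelist
     */
    public static String[] packageAllow = new String[]{
        "com.baidu.searchbox",
        "com.thinta.product.thintazlib",
        "com.thinta.product.x4usertool"
    };

    /**
     * Path of the stored certificates for apps that Launch is allowed to show
     */
    public static String certificatePath = "/system/etc/security/media.zip";
}
```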
2. Modify the APK install process to add verification during installation
File to modify:
PackageManagerService.java (frameworks\base\services\core\java\com\android\server\pm)
First, add a function:
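```java
// Needs: java.io.File, java.io.IOException, java.io.InputStream,
// java.security.GeneralSecurityException,
// java.security.cert.CertificateFactory, java.security.cert.X509Certificate,
// java.util.Enumeration, java.util.HashSet,
// java.util.zip.ZipEntry, java.util.zip.ZipFile

/**
 * Loads every entry of the given zip file as an X.509 certificate.
 * Any entry that is not a certificate makes generateCertificate() throw,
 * so the archive must contain certificate files only.
 */
private static HashSet<X509Certificate> getTrustedCerts(File keystore)
        throws IOException, GeneralSecurityException {
    HashSet<X509Certificate> trusted = new HashSet<X509Certificate>();
    if (keystore == null) {
        return trusted;
    }
    ZipFile zip = new ZipFile(keystore);
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Enumeration<? extends ZipEntry> entries = zip.entries();
        while (entries.hasMoreElements()) {
            ZipEntry entry = entries.nextElement();
            InputStream is = zip.getInputStream(entry);
            try {
                trusted.add((X509Certificate) cf.generateCertificate(is));
            } finally {
                is.close();
            }
        }
    } finally {
        zip.close();
    }
    return trusted;
}
```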
Function to modify: private void installPackageLI(InstallArgs args, PackageInstalledInfo res)
First change:

```java
// GET_SIGNATURES is a PackageManager query flag, not a PackageParser.PARSE_* constant;
// confirm its bit value does not collide with a PARSE_* flag in your source tree.
int tmp_flags = 0;
if (Build.ThintaCust.packageManage.equals("certificate"))
    tmp_flags = PackageManager.GET_SIGNATURES;
final int parseFlags = mDefParseFlags | PackageParser.PARSE_CHATTY
        | (forwardLocked ? PackageParser.PARSE_FORWARD_LOCK : 0)
        | (onSd ? PackageParser.PARSE_ON_SDCARD : 0)
        | tmp_flags;
```

Second change:

```java
// Reads pkg.packageName and pkg.mSignatures, so pkg must already be parsed here.
if (Build.ThintaCust.packageManage.equals("none")) {
    Log.d("XYP_DEBUG", "packageManage = none \n");
} else if (Build.ThintaCust.packageManage.equals("whitelist")) {
    Log.d("XYP_DEBUG", "packageManage = whitelist \n");
    // The package name is declared by the APK itself; this mode does not check the signer.
    List<String> list = Arrays.asList(Build.ThintaCust.packageAllow);
    if (list.contains(pkg.packageName)) {
        Log.d("XYP_DEBUG", "can install \n");
    } else {
        Log.d("XYP_DEBUG", "forbid install \n");
        res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                "installPackageLI, forbid install");
        return;
    }
} else if (Build.ThintaCust.packageManage.equals("certificate")) {
    boolean verifyPass = false;
    try {
        File file = new File(Build.ThintaCust.certificatePath);
        HashSet<X509Certificate> trusted = getTrustedCerts(file);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (X509Certificate c : trusted) {
            // Compare the encoded key bytes rather than the toString() output.
            byte[] trustedKey = c.getPublicKey().getEncoded();
            for (Signature sig : pkg.mSignatures) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(sig.toByteArray()));
                if (Arrays.equals(trustedKey, cert.getPublicKey().getEncoded())) {
                    verifyPass = true;
                    break;
                }
            }
            if (verifyPass) break;
        }
        if (!verifyPass) {
            Log.d("XYP_DEBUG", "forbid install \n");
            res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                    "installPackageLI, forbid install");
            return;
        }
    } catch (IOException | GeneralSecurityException e) {
        // Also covers FileNotFoundException and CertificateException (subclasses).
        // Fail closed: if the certificate zip cannot be read or parsed, refuse the
        // install instead of logging the error and letting it continue.
        Log.d("XYP_DEBUG", e.toString());
        res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                "installPackageLI, forbid install");
        return;
    }
}
```
3. Packaging the certificate:
zip -r media.zip media.x509.pem
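Use the command above to pack the *.x509.pem file into a zip file, then place it at a suitable location on the target board;
point certificatePath from step 1 at the location of that zip file.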
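
The install decision from step 2, written as an added example that is not part of the original post or of AOSP: the check is factored into a pure function that can be tested outside PackageManagerService, and it denies the install when packageManage holds a value that matches none of the three modes. The names InstallPolicy and isAllowed and the RSA keys generated in main are assumptions made for the illustration.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;

// Added example, not the blog's or AOSP's code. InstallPolicy/isAllowed are hypothetical names.
public class InstallPolicy {
    // mode = packageManage, allow = packageAllow, signerKeys = keys of the APK's signers,
    // trustedKeys = keys of the certificates loaded from the zip at certificatePath.
    static boolean isAllowed(String mode, String packageName, List<String> allow,
                             List<PublicKey> signerKeys, List<PublicKey> trustedKeys) {
        switch (mode) {
            case "none":
                return true;
            case "whitelist":
                // The name is declared by the APK itself; this mode does not check the signer.
                return allow.contains(packageName);
            case "certificate":
                for (PublicKey trusted : trustedKeys) {
                    for (PublicKey signer : signerKeys) {
                        // Compare the encoded key bytes, not toString() output.
                        if (Arrays.equals(trusted.getEncoded(), signer.getEncoded())) {
                            return true;
                        }
                    }
                }
                return false; // no match, or an empty trust store
            default:
                return false; // a misspelled or unknown mode must not mean "allow"
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey vendor = gen.generateKeyPair().getPublic(); // constructed sample keys
        PublicKey other = gen.generateKeyPair().getPublic();
        List<String> allow = Arrays.asList("com.baidu.searchbox");
        List<PublicKey> trust = Arrays.asList(vendor);
        // Signer key is in the trust store.
        System.out.println(isAllowed("certificate", "a.b", allow, Arrays.asList(vendor), trust));
        // Signer key is not in the trust store.
        System.out.println(isAllowed("certificate", "a.b", allow, Arrays.asList(other), trust));
        // Whitelist mode looks at the name only, whoever signed the APK.
        System.out.println(isAllowed("whitelist", "com.baidu.searchbox", allow, Arrays.asList(other), trust));
        // Misspelled mode: denied instead of silently skipping every check.
        System.out.println(isAllowed("whitelst", "a.b", allow, Arrays.asList(vendor), trust));
    }
}
```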