wip

2025-01-31 18:41:29 +01:00 · 2025-01-31 18:41:29 +01:00 · 3996bf1b2e
commit 3996bf1b2e
parent c423a3f5cd
7 changed files with 390 additions and 13 deletions
--- a/test_apks/tests/.gitignore
+++ b/test_apks/tests/.gitignore
@ -0,0 +1,3 @@
+build
+ToyKey.keystore
+java/classes/com/example/theseus/reflection/R.java
--- a/test_apks/tests/AndroidManifest.xml
+++ b/test_apks/tests/AndroidManifest.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest 
+    xmlns:android="http://schemas.android.com/apk/res/android" 
+    android:compileSdkVersion="34"
+	package="com.example.theseus.tests">
+    <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="34"/>
+    <!--uses-permission android:name="android.permission.WRITE_CONTACTS"/-->
+
+    <application
+        android:supportsRtl="true"
+            android:label="Tests">
+        <activity android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+              <action android:name="android.intent.action.MAIN" />
+              <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>
--- a/test_apks/tests/Makefile
+++ b/test_apks/tests/Makefile
@ -0,0 +1,67 @@
+VERSION=34.0.0
+SDK_TOOLS=$(HOME)/Android/Sdk
+JAVA_PATH=/usr/lib/jvm/java-17-openjdk/bin
+JAVAC=/usr/lib/jvm/java-17-openjdk/bin/javac
+JAR=/usr/lib/jvm/java-17-openjdk/bin/jar
+PYTHON=python3
+APP=tests
+
+PACKAGE=com.example.theseus.tests
+MAIN_ACTIVITY=MainActivity
+
+JAVAC_ARGS =
+D8_ARGS = 
+
+
+VERSION_B=$(basename $(basename $(VERSION)))
+
+pass=ahahah
+
+export PATH := $(JAVA_PATH):$(PATH)
+
+all: $(shell mkdir -p build)
+all: clean build/$(APP).apk
+signature_v1: clean build/$(APP).v1.apk
+
+debug: JAVAC_ARGS += -g
+debug: D8_ARGS += --debug
+debug: all
+
+test: all
+	adb install build/$(APP).apk
+	adb shell am start -n $(PACKAGE)/.$(MAIN_ACTIVITY)
+
+build/%.v1signed.apk: ./build/%.unsigned.apk ./ToyKey.keystore
+	jarsigner -verbose -keystore ./ToyKey.keystore -storepass $(pass) -keypass $(pass) -signedjar $@ $< SignKey
+
+build/%.v1.apk: ./build/%.v1signed.apk
+	$(SDK_TOOLS)/build-tools/$(VERSION)/zipalign -v -f 4 $< $@
+
+# TODO: fix dep somehow? cannot find a way to use % or $* in (shell ..)
+build/%/classes: $(shell find java/ -type f -regex ".*\.java" )
+	mkdir -p ./build/$*/classes
+	$(JAVAC) $(JAVAC_ARGS) -d ./build/$*/classes -classpath build/deps.jar:$(SDK_TOOLS)/platforms/android-$(VERSION_B)/android.jar $$(find java/$*/ -type f -regex ".*\.java")
+
+build/%/classes.dex: build/%/classes
+	mkdir -p ./build/$*
+	$(SDK_TOOLS)/build-tools/$(VERSION)/d8 $(D8_ARGS) --classpath $(SDK_TOOLS)/platforms/android-$(VERSION_B)/android.jar $(shell find build/$*/classes -type f -regex ".*\.class" -printf "'%p'\n") --output ./build/$*/
+
+build/%.unsigned.apk: build/classes/classes.dex
+	mkdir -p ./build/$*_files
+	mv ./build/classes/classes.dex ./build/$*_files/classes.dex
+	$(SDK_TOOLS)/build-tools/$(VERSION)/aapt package -v -f -M ./AndroidManifest.xml -I $(SDK_TOOLS)/platforms/android-$(VERSION_B)/android.jar -F $@ ./build/$*_files
+
+build/%.v2aligned.apk: ./build/%.unsigned.apk ./ToyKey.keystore
+	$(SDK_TOOLS)/build-tools/$(VERSION)/zipalign -v -f 4 $< $@
+
+build/%.apk: ./build/%.v2aligned.apk
+	$(SDK_TOOLS)/build-tools/$(VERSION)/apksigner sign -ks ./ToyKey.keystore --v2-signing-enabled true --in $< --out $@ --ks-pass pass:$(pass)
+
+ToyKey.keystore :
+	keytool -genkeypair -validity 1000 -dname "CN=SomeKey,O=SomeOne,C=FR" -keystore $@ -storepass $(pass) -keypass $(pass) -alias SignKey -keyalg RSA -v
+
+clean:
+	$(RM) -r build/*
+
+clean_all: clean
+	$(RM) ToyKey.keystore
--- a/test_apks/tests/java/classes/com/example/theseus/tests/MainActivity.java
+++ b/test_apks/tests/java/classes/com/example/theseus/tests/MainActivity.java
@ -0,0 +1,110 @@
+package com.example.theseus.tests;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+import java.lang.ClassLoader;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.lang.reflect.Constructor;
+import java.lang.ClassNotFoundException;
+import java.util.Arrays;
+
+import android.util.Log;
+
+import com.example.theseus.Utils;
+
+public class MainActivity extends Activity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        try {
+            //callVirtualMethod();
+            callVirtualMethodReflectCall();
+            //callConstructorVirtualMethodReflectConstr();
+            //callVirtualMethodReflectOldConst();
+        } catch(Exception e) {
+            Log.e("THESEUS", "Error: ", e);
+        }
+    }
+
+    // A normal virtual method call
+    public void callVirtualMethod() {
+        String data = Utils.source("no reflect virt call");
+        Reflectee r = new Reflectee("R1");
+        String newData = r.transfer(data);
+        Utils.sink(this, newData);
+    }
+
+    // A call to a virtual method through reflection
+    public void callVirtualMethodReflectCall() throws
+        ClassNotFoundException,
+        NoSuchMethodException,
+        IllegalAccessException,
+        InvocationTargetException
+    {
+        String data = Utils.source("reflect virt call");
+        Reflectee r = new Reflectee("R2");
+        ClassLoader cl = MainActivity.class.getClassLoader();
+        Class clz = cl.loadClass("com.example.theseus.tests.Reflectee");
+        Method mth = clz.getMethod("transfer", String.class);
+        String name = mth.getName();
+        Class[] params = mth.getParameterTypes();
+        Class ret = mth.getReturnType();
+        Class dec = mth.getDeclaringClass();
+        Log.e("[TEST]", "---------------------------------");
+        Log.e("[TEST]", name);
+        Log.e("[TEST]", params.toString());
+        Log.e("[TEST]", ret.toString());
+        Log.e("[TEST]", dec.toString());
+        Log.e("[TEST]", "---------------------------------");
+        if (name.equals("transfer") && Arrays.equals(params, new Class[] {String.class}) && ret == String.class && dec == Reflectee.class) {
+            Log.e("[TEST]", "OK");
+        }
+        String newData = (String) mth.invoke(r, data);
+        Utils.sink(this, newData);
+    }
+
+    // A call to a virtual method through reflection using an object instanciated 
+    // through reflection. The sensitive data is passed to the constructor.
+    public void callConstructorVirtualMethodReflectConstr() throws 
+        ClassNotFoundException,
+        NoSuchMethodException,
+        IllegalAccessException,
+        InvocationTargetException,
+        InstantiationException
+    {
+        String data = Utils.source("no reflect constr");
+        ClassLoader cl = MainActivity.class.getClassLoader();
+        Class clz = cl.loadClass("com.example.theseus.reflection.Reflectee");
+        Constructor cst = clz.getDeclaredConstructor(String.class);
+        Object r = cst.newInstance(data);
+        Method mth = clz.getMethod("transfer", String.class);
+        String newData = (String) mth.invoke(r, "");
+        Utils.sink(this, newData);
+    }
+
+    // A call to a virtual method through reflection using an object instanciated 
+    // through reflection using a deprecated method.
+    public void callVirtualMethodReflectOldConst() throws
+        ClassNotFoundException,
+        NoSuchMethodException,
+        IllegalAccessException,
+        InvocationTargetException,
+        InstantiationException
+    {
+        String data = Utils.source("no reflect constr");
+        ClassLoader cl = MainActivity.class.getClassLoader();
+        Class clz = cl.loadClass("com.example.theseus.reflection.Reflectee");
+        Object r = clz.newInstance();
+        Method mth = clz.getMethod("transfer", String.class);
+        String newData = (String) mth.invoke(r, data);
+        Utils.sink(this, newData);
+    }
+
+    // TODO: many argument methods
+    // TODO: static
+    // TODO: factory patern 
+}
--- a/test_apks/tests/java/classes/com/example/theseus/tests/Reflectee.java
+++ b/test_apks/tests/java/classes/com/example/theseus/tests/Reflectee.java
@ -0,0 +1,19 @@
+package com.example.theseus.tests;
+
+
+public class Reflectee {
+
+    String name;
+
+    public Reflectee() {
+        this.name = "";
+    }
+
+    public Reflectee(String name) {
+        this.name = "[" + name + "] ";
+    }
+
+    public String transfer(String data) {
+        return name + data;
+    }
+}
--- a/test_apks/tests/java/classes/com/example/theseus/tests/Utils.java
+++ b/test_apks/tests/java/classes/com/example/theseus/tests/Utils.java
@ -0,0 +1,26 @@
+package com.example.theseus;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+
+
+public class Utils {
+    public static String source() {
+        return "Secret";
+    }
+    public static String source(String tag) {
+        return "[" + tag + "] Secret";
+    }
+
+    public static void popup(Activity ac, String title, String msg) {
+        (new AlertDialog.Builder(ac))
+            .setMessage(msg)
+            .setTitle(title)
+            .create()
+            .show();
+    }
+
+    public static void sink(Activity ac, String data) {
+        popup(ac, "Data leak:", data);
+    }
+}