最近在研究https加密通信的android端的數據包抓取研究
有兩個思路:
1.通過taintdroid在相應的https請求java調用接口處打印log日誌方法;編寫https請求demo apk,驗證日誌輸出
2.通過源碼級工具調試,在https請求相應地方下斷點,進行數據追蹤
目前,研究taintdroid基礎上,做了一些嘗試:
1.首先熟悉下載和編譯taintdroid步驟,以下爲官方網站:
http://appanalysis.org/download.html
編譯之前的環境配置工作參照android官方網站:http://source.android.com/source/initializing.html
建議:ubuntu12.04 64位,swap空間設置12G以上,硬盤空間50G以上
2.查看源碼,在https調用api處,打印日誌,打印出通信內容;
根據taintdroid中的追蹤ssl加密通信代碼,可知通信使用的類如下:
\libcore\luni\src\main\java\org\apache\harmony\xnet\provider\jsse\OpenSSLSocketImpl.java
具體taintdroid代碼如下:
public void write(byte[] buf, int offset, int byteCount) throws IOException {
BlockGuard.getThreadPolicy().onNetwork();
synchronized (writeLock) {
checkOpen();
Arrays.checkOffsetAndCount(buf.length, offset, byteCount);
if (byteCount == 0) {
return;
}
// begin WITH_TAINT_TRACKING
int tag = Taint.getTaintByteArray(buf);
FileDescriptor fd = socket.getFileDescriptor$();
if (tag != Taint.TAINT_CLEAR) {
int disLen = byteCount;
if (byteCount > Taint.dataBytesToLog) {
disLen = Taint.dataBytesToLog;
}
// We only display at most Taint.dataBytesToLog characters in logcat
String dstr = new String(buf, offset, disLen);
// replace non-printable characters
dstr = dstr.replaceAll("\\p{C}", ".");
String addr = (fd.hasName) ? fd.name : "unknown";
String tstr = "0x" + Integer.toHexString(tag);
Taint.log("SSLOutputStream.write(" + addr + ") received data with tag " + tstr + " data=[" + dstr + "]");
}
// end WITH_TAINT_TRACKING
NativeCrypto.SSL_write(sslNativePointer, socket.getFileDescriptor$(),
OpenSSLSocketImpl.this, buf, offset, byteCount);
}
}
代碼中if (tag != Taint.TAINT_CLEAR)判斷是否爲污點標記數據,是,則通過Taint.log()來實現logcat日誌輸出,這裏爲了實現所有的輸出打印,刪除判斷條件,打印所有數據:
String dstr = new String(buf, offset, byteCount);
dstr = dstr.replaceAll("\\p{C}", ".");
Taint.log("SSLOutputStream.write(1111) received data with tag 2222 data=[" + dstr + "]");
3.編譯相應ROM,刷機到相應手機,此處使用的nexus4
4.編寫https請求apk demo
參照博客,代碼完全相同,修改url地址即可
http://blog.csdn.net/yzwlord/article/details/9565821
5.在刷好rom的運行APK,打開logcat日誌,查看打印輸出
使用如下命令
adb shell logcat -v time *:S TaintLog:*
注:筆者認爲此方法應該完全可行,但是實際效果卻是沒有ssloutput日誌輸出。此處記錄一下我的實踐過程,供大家參考!