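Collecting and organizing an app's permission list

With app privacy policy requirements becoming increasingly strict, collecting an app's permission list and verifying the permissions the app is granted is a problem that now has to be faced.
Verifying an app's use of permissions is planned in three steps:

  1. Collect the list of permissions related to the app
  2. Collect the list of permissions of the third parties the app calls
  3. Collect the list of permissions at each stage of app operation

Here is the implementation of the first step.
Basic idea:

  • Connect to the device with ADB
  • Run dumpsys package xxx and filter out the permission-related information for the package
  • Save the app's permission list to Excel

Python script implementation: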

# coding:utf-8
"""
@note: Collects the permissions used by an app
@author: Qred
@file: PermissionList.py
@time: 2019/12/22
"""
import argparse
import os
import re
import subprocess
import time

import xlwt


class baseClass(object):
    def __init__(self, phone_id, PACKAGE_NAME):
        self.phone_id = phone_id
        self.PACKAGE_NAME = PACKAGE_NAME

        self.MAX_INVALID_LINE = 5
        # Section headers that appear in the dumpsys output
        self.DECLARED_PERMISSIONS = 'declared permissions'
        self.REQUESTED_PERMISSIONS = 'requested permissions'
        self.INSTALL_PERMISSIONS = 'install permissions'
        self.RUNTIME_PERMISSIONS = 'runtime permissions'
        self.STOP_KEY = 'Package Changes:'

    def dump_get_perminfo_line(self):
        '''Get the permission lists, grouped by dumpsys section'''
        titles = []
        locked = 0
        Dict = {}
        ret = self.dump_execute_perminfo()
        for title in ret.splitlines():
            # Once inside the permission sections, collect every permission line
            if locked != 0 and 'permission' in title:
                title = re.sub(r"[:|,]", " ", title)
                title = re.sub(r"(\[ | \])", "", title)
                line = title.split()
                titles.append(line)

            # A new section header closes the previous section; the header line
            # itself was just appended above, so it is sliced off again
            if self.DECLARED_PERMISSIONS in title:
                locked = 1
            elif self.REQUESTED_PERMISSIONS in title:
                Dict.update({self.DECLARED_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 2
            elif self.INSTALL_PERMISSIONS in title:
                Dict.update({self.REQUESTED_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 3
            elif self.RUNTIME_PERMISSIONS in title:
                Dict.update({self.INSTALL_PERMISSIONS: titles[:-1]})
                titles = []
                locked = 4
            elif self.STOP_KEY in title:
                Dict.update({self.RUNTIME_PERMISSIONS: titles[:-2]})
                titles = []
                locked = 5

        return Dict

    def dump_execute_perminfo(self):
        '''Run dumpsys and return all of its output as text'''
        # The package name ends up in a shell command on the device, so accept
        # only characters that are valid in an Android package name
        if not re.fullmatch(r'[A-Za-z0-9_.]+', self.PACKAGE_NAME):
            raise ValueError('invalid package name: %r' % self.PACKAGE_NAME)
        cmd = ['adb']
        if self.phone_id != '':
            cmd += ['-s', self.phone_id]
        cmd += ['shell', 'dumpsys', 'package', self.PACKAGE_NAME]
        # print(cmd)
        # An argument list is used so that nothing is interpreted by the local shell
        ret = subprocess.run(cmd, stdout=subprocess.PIPE,
                             encoding='utf-8', errors='replace')
        return ret.stdout

    def write_info_excel(self):
        '''Write the data to Excel'''
        Dict = self.dump_get_perminfo_line()
        time_stamp = time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime())
        if self.phone_id != '':
            phone_id = self.phone_id[0:3] + '_p'
        else:
            phone_id = 'P'
        # xlwt writes the legacy .xls format, so the file gets that extension
        path = os.path.join(os.getcwd(), phone_id + "ermissionList_" + time_stamp + ".xls")
        Excel = xlwt.Workbook()
        WorkSheet = Excel.add_sheet("permission_list")

        i = 0
        for key in Dict.keys():
            WorkSheet.write(i, 0, key)
            for values in Dict[key]:
                k = 1
                for val in values:
                    WorkSheet.write(i, k, val)
                    k += 1
                i += 1
            if not Dict[key]:
                # An empty section still takes a row; otherwise the next key
                # would be written to the same cell and xlwt would raise
                i += 1
        Excel.save(path)  # save the file


def arg():
    # Command-line parser
    # -d device id
    # -p package name of the app under test, default: com.hpbr.bosszhipin
    # -h help
    parse = argparse.ArgumentParser(usage='This script is mainly used to get permission data \n 此腳本主要用於獲取權限數據',
                                    description='Devices is required, and the package name (the default is BOSS Zhipin APP) \n 需傳參設備devices,包名(默認是boss直聘APP)')
    parse.add_argument('-d', help='devices', type=str, nargs='?', default=None)
    parse.add_argument('-p', help='package name', type=str, nargs='?', default=None)
    args = parse.parse_args()
    # print(vars(args))
    return args


def initParameters():
    global DEVICE_ID, PACKAGE_NAME, PRINT_OR_WRITE

    args = arg()

    if args.d is not None:  # devices
        DEVICE_ID = args.d
    else:
        DEVICE_ID = ''

    if args.p is not None:  # package name
        PACKAGE_NAME = args.p
    else:
        PACKAGE_NAME = 'com.hpbr.bosszhipin'


if __name__ == '__main__':
    initParameters()
    # Once DEVICE_ID and PACKAGE_NAME are set, the script can be run directly
    tmp = baseClass(DEVICE_ID, PACKAGE_NAME)  # '', 'com.hpbr.bosszhipin'
    tmp.write_info_excel()

Using the script:
1. List the connected devices:

adb devices

2. From the directory that contains the script, run it:

python PermissionList.py -d device_id  -p com.xxx.xxx

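3. An Excel file with "permissionList" in its name (capitalized as "PermissionList" when no device id is given) is generated in the same directory.
---- Shared for everyone's reference ----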
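
As an added example (not part of the original script): a parser for the same dumpsys sections that runs offline on a constructed sample, then lists permissions that are granted but missing from a disclosed set, which is the check the collected list is meant to support. The sample output, the package com.example.app, and the function names parse_permissions and undisclosed_grants are assumptions made for this illustration.

```python
import re

# Constructed sample laid out like `adb shell dumpsys package <pkg>` output
# (the package and its permission set are made up for this example).
SAMPLE = """\
Packages:
  Package [com.example.app] (1a2b3c):
    declared permissions:
      com.example.app.permission.PUSH: prot=signature, INSTALLED
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      gids=[3003]
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]

Package Changes:
"""

HEADER = re.compile(r"^(\s*)(declared|requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([A-Za-z0-9_.]+)(?::\s*(.*))?$")

def parse_permissions(text):
    """Return {section: {permission: attributes}}; indentation bounds each section."""
    sections, current, depth = {}, None, 0
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            depth = len(header.group(1))
            current = sections.setdefault(header.group(2), {})
            continue
        indent = len(line) - len(line.lstrip())
        entry = ENTRY.match(line)
        if current is not None and indent > depth and entry:
            current[entry.group(1)] = entry.group(2) or ""
        elif line.strip():
            current = None  # any other non-blank line ends the section
    return sections

def undisclosed_grants(sections, disclosed):
    """Granted (install or runtime) permissions that the disclosed set does not list."""
    granted = {perm for name in ("install", "runtime")
               for perm, attrs in sections.get(name, {}).items() if "granted=true" in attrs}
    return sorted(granted - set(disclosed))
```

Calling undisclosed_grants(parse_permissions(SAMPLE), {"android.permission.INTERNET"}) reports android.permission.CAMERA, the one granted permission the constructed disclosure list omits.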
