[移动开发]安卓端自行实现工信部要求的隐私合规定位问题检测

我们公司上架的app被打回来了。信通院那边出了个报告，说定频获取了位置信息

直接上代码

import android.content.Context;
import android.location.LocationManager;
import android.util.Log;

import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class HookHelper {
public static final String TAG = “LocationHook”;

private static final Set<Object> hooked = new HashSet<>();

public static void hookSystemServiceRegistry(){
    try {
        Object systemServiceFetchers  = null;
        Class locationManagerClazsz = Class.forName("android.app.SystemServiceRegistry");
        //获取SystemServiceRegistry的SYSTEM_SERVICE_FETCHERS成员
        systemServiceFetchers = getField(locationManagerClazsz, null, "SYSTEM_SERVICE_FETCHERS");
        if(systemServiceFetchers instanceof HashMap){
            HashMap fetchersMap = (HashMap) systemServiceFetchers;
            Object locationServiceFetcher = fetchersMap.get(Context.LOCATION_SERVICE);
            Class serviceFetcheClazz = Class.forName("android.app.SystemServiceRegistry$ServiceFetcher");
            //创建代理类
            Object proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(),
                    new Class[] { serviceFetcheClazz }, new LMCachedServiceFetcherProxy(locationServiceFetcher));
            //用代理类替换掉原来的ServiceFetcher
            if(fetchersMap.put(Context.LOCATION_SERVICE, proxy) == locationServiceFetcher){
                Log.d("LocationTest", "hook success! ");
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
}

public static void hookLocationManager(LocationManager locationManager) {
    try {
        Object iLocationManager = null;
        Class locationManagerClazsz = Class.forName("android.location.LocationManager");
        //获取LocationManager的mService成员
        iLocationManager = getField(locationManagerClazsz, locationManager, "mService");

        if(hooked.contains(iLocationManager)){
            return;//这个实例已经hook过啦
        }

        Class iLocationManagerClazz = Class.forName("android.location.ILocationManager");

        //创建代理类
        Object proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(),
                new Class[]{iLocationManagerClazz}, new ILocationManagerProxy(iLocationManager));

        //在这里移花接木，用代理类替换掉原始的ILocationManager
        setField(locationManagerClazsz, locationManager, "mService", proxy);
        //记录已经hook过的实例
        hooked.add(proxy);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

public static Object getField(Class clazz, Object target, String name) throws Exception {
    Field field = clazz.getDeclaredField(name);
    field.setAccessible(true);
    return field.get(target);
}

public static void setField(Class clazz, Object target, String name, Object value) throws Exception {
    Field field = clazz.getDeclaredField(name);
    field.setAccessible(true);
    field.set(target, value);
}

}

public class ILocationManagerProxy implements InvocationHandler {
private Object mLocationManager;

public ILocationManagerProxy(Object locationManager) {
    this.mLocationManager = locationManager;
}

@Override
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
    Log.d("ILocationManagerProxy",method.getName());

    if (TextUtils.equals("requestLocationUpdates", method.getName())
            ||TextUtils.equals("getLastKnownLocation", method.getName())
    ||TextUtils.equals("getLastLocation", method.getName())) {
        //获取当前函数调用栈
        Log.d("getStackTraceString",Log.getStackTraceString(new Throwable("ILocationManagerProxy")));
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();

        if (stackTrace == null || stackTrace.length == 3) {
            return null;
        }
        StackTraceElement log = stackTrace[2];
        String invoker = null;
        boolean foundLocationManager = false;
        for (int i = 0; i < stackTrace.length; i++) {
            StackTraceElement e = stackTrace[i];
            if (TextUtils.equals(e.getClassName(), "android.location.LocationManager")) {
                foundLocationManager = true;
                continue;
            }
            //找到LocationManager外层的调用者
            if (foundLocationManager && !TextUtils.equals(e.getClassName(), "android.location.LocationManager")) {
                invoker = e.getClassName() + "." + e.getMethodName();
                //此处可将定位接口的调用者信息根据自己的需求进行记录，这里我将调用类、函数名、以及参数打印出来
                Log.d("LocationTest", "invoker is " + invoker + "(" + args + ")");
                break;
            }
        }
    }
    return method.invoke(mLocationManager, args);
}

}

import android.location.LocationManager;
import android.text.TextUtils;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

public class LMCachedServiceFetcherProxy implements InvocationHandler {

private Object mLMCachedServiceFetcher;

public LMCachedServiceFetcherProxy(Object LMCachedServiceFetcher) {
    this.mLMCachedServiceFetcher = LMCachedServiceFetcher;
}

@Override
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
    //为什么拦截getService，而不是createService?
    if(TextUtils.equals(method.getName(), "getService")){
        Object result = method.invoke(mLMCachedServiceFetcher, args);
        if(result instanceof LocationManager){
            //在这里hook LocationManager
            HookHelper.hookLocationManager((LocationManager)result);
        }
        return result;
    }
    return method.invoke(mLMCachedServiceFetcher, args);
}

}