code push

attack/src/androidTest/java/mi/attackactivity/ExampleInstrumentedTest.java

@@ -0,0 +1,26 @@
+package mi.attackactivity;
+
+import android.content.Context;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.*;
+
+/**
+ * Instrumentation test, which will execute on an Android device.
+ *
+ * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
+ */
+@RunWith(AndroidJUnit4.class)
+public class ExampleInstrumentedTest {
+    @Test
+    public void useAppContext() throws Exception {
+        // Context of the app under test.
+        Context appContext = InstrumentationRegistry.getTargetContext();
+
+        assertEquals("mi.attackactivity", appContext.getPackageName());
+    }
+}

attack/src/main/AndroidManifest.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="mi.attackactivity">
+    <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+        <activity android:name=".MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <service android:enabled="true" android:exported="true"  android:name=".MyAccessibilityService"
+            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
+            <intent-filter>
+                <action android:name="android.accessibilityservice.AccessibilityService" />
+            </intent-filter>
+            <meta-data
+                android:name="android.accessibilityservice"
+                android:resource="@xml/accessibility_service_config" />
+        </service>
+
+    </application>
+
+</manifest>

attack/src/main/aidl/mi/protectactivity/IMyAidlInterface.aidl

@@ -0,0 +1,9 @@
+// IMyAidlInterface.aidl
+package mi.protectactivity;
+
+// Declare any non-default types here with import statements
+
+interface IMyAidlInterface {
+
+    void startProtectActivity(String userid);
+}

attack/src/main/java/mi/attackactivity/MainActivity.java

@@ -0,0 +1,157 @@
+package mi.attackactivity;
+
+import android.app.Instrumentation;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.ServiceConnection;
+import android.net.Uri;
+import android.os.IBinder;
+import android.os.RemoteException;
+import android.support.annotation.Nullable;
+import android.support.v7.app.AppCompatActivity;
+import android.os.Bundle;
+import android.util.Log;
+import android.view.View;
+import android.widget.Button;
+import android.widget.TextView;
+import android.widget.Toast;
+
+import java.lang.reflect.Field;
+
+import mi.protectactivity.IMyAidlInterface;
+
+public class MainActivity extends AppCompatActivity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_main);
+
+        TextView textView = (TextView) findViewById(R.id.ref);
+        TextView textView1 = (TextView) findViewById(R.id.ser);
+
+
+        SecButton secButton = (SecButton) findViewById(R.id.button);
+
+//        secButton.setAccessibilityDelegate(new View.AccessibilityDelegate(){
+//            @Override
+//            public boolean performAccessibilityAction(View host, int action, Bundle args) {
+//                return true;
+//            }
+//        });
+
+//        reflectSetReferrer();
+
+//        reflectBasePackageName();
+        secButton.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View v) {
+                Toast.makeText(getApplicationContext(),"click!!!!!",Toast.LENGTH_SHORT).show();
+            }
+        });
+
+
+
+
+        textView.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View v) {
+//                Intent intent = new Intent("just.export");
+                Intent intent = new Intent();
+                intent.setClassName("mi.protectactivity","mi.protectactivity.ProtectByReferrer");
+                intent.putExtra(Intent.EXTRA_REFERRER,Uri.parse("android-app://mi.bbbbbbbb"));
+                intent.putExtra(Intent.EXTRA_REFERRER_NAME, "android-app://mi.ccccccc");
+
+                startActivity(intent);
+            }
+        });
+
+        textView1.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View v) {
+                Intent intent =  new Intent();
+                intent.setClassName("mi.protectactivity","mi.protectactivity.MyService");
+                ServiceConnection conn = new ServiceConnection() {
+                    @Override
+                    public void onServiceConnected(ComponentName name, IBinder service) {
+                        try {
+                            IMyAidlInterface.Stub.asInterface(service).startProtectActivity("0");
+                        } catch (RemoteException e) {
+                            e.printStackTrace();
+                        }
+                    }
+
+                    @Override
+                    public void onServiceDisconnected(ComponentName name) {
+
+                    }
+                };
+                bindService(intent,conn, Context.BIND_AUTO_CREATE);
+            }
+        });
+    }
+
+    @Override
+    public Uri getReferrer() {
+        return super.getReferrer();
+    }
+
+    @Override
+    public Uri onProvideReferrer() {
+        super.onProvideReferrer();
+        Uri uri = Uri.parse("android-app://mi.aaaaaaaaa");
+        return uri;
+    }
+
+//    private String reflectSetReferrer() {
+//        String referrer = new String();
+//        try {
+//            Class activityClass = Class.forName("android.app.Activity");
+//
+//            Field refererField = activityClass.getDeclaredField("mReferrer");
+//            refererField.setAccessible(true);
+//            referrer = (String) refererField.get(this);
+//            Log.e("1",referrer);
+//
+//            refererField.set(this,"mi.xxxxxxxx");
+//
+//            referrer = (String) refererField.get(this);
+//
+//            Log.e("2",referrer);
+//
+//        } catch (IllegalAccessException e) {
+//            e.printStackTrace();
+//        } catch (NoSuchFieldException e) {
+//            e.printStackTrace();
+//        } catch (ClassNotFoundException e) {
+//            e.printStackTrace();
+//        }
+//        return referrer;
+//
+//    }
+
+    private String reflectBasePackageName(){
+
+        try {
+            Class contextImplClass = Class.forName("android.app.ContextImpl");
+            Field mBasePackageNameField = contextImplClass.getDeclaredField("mBasePackageName");
+
+            //java.lang.IllegalArgumentException: Expected receiver of type android.app.ContextImpl, but got android.app.Application
+            Context context = getBaseContext();
+            //java.lang.IllegalAccessException: Cannot set private final  field java.lang.String android.app.ContextImpl.mBasePackageName of class java.lang.Class<android.app.ContextImpl>
+            mBasePackageNameField.setAccessible(true);
+            mBasePackageNameField.set(context,"mi.hello");
+        } catch (ClassNotFoundException e) {
+            e.printStackTrace();
+        } catch (NoSuchFieldException e) {
+            e.printStackTrace();
+        } catch (IllegalAccessException e) {
+            e.printStackTrace();
+        }
+
+        return "";
+    }
+
+
+}

attack/src/main/java/mi/attackactivity/MyAccessibilityService.java

@@ -0,0 +1,52 @@
+package mi.attackactivity;
+
+import android.accessibilityservice.AccessibilityService;
+import android.util.Log;
+import android.view.accessibility.AccessibilityEvent;
+import android.view.accessibility.AccessibilityNodeInfo;
+
+import java.util.List;
+
+/**
+ * Created by magic on 2017/8/17.
+ */
+
+public class MyAccessibilityService extends AccessibilityService {
+    private static final String TAG = MyAccessibilityService.class.getSimpleName();
+
+    @Override
+    public void onAccessibilityEvent(AccessibilityEvent event) {
+        int type = event.getEventType();
+        Log.e(TAG, "ACC::onAccessibilityEvent: " + type);
+        switch (type)
+        {
+            case AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED:
+                AccessibilityNodeInfo nodeInfo  = getRootInActiveWindow();
+                if (nodeInfo!=null){
+                    if (event.getPackageName().equals("mi.attackactivity")&&event.getClassName().equals("mi.attackactivity.MainActivity")){
+                        List<AccessibilityNodeInfo> list=
+//                                nodeInfo.findAccessibilityNodeInfosByText("Button");
+                                nodeInfo.findAccessibilityNodeInfosByViewId("mi.attackactivity:id/button");
+                        if(list!=null&&list.size()>0)
+                        {
+                            list.get(0).performAction(AccessibilityNodeInfo.ACTION_CLICK);
+                        }
+                    }
+                }
+                break;
+        }
+
+    }
+
+
+    @Override
+    public void onInterrupt() {
+        Log.e(TAG,"onInterrupt");
+    }
+
+    @Override
+    protected void onServiceConnected() {
+        super.onServiceConnected();
+        Log.e(TAG,"onServiceConnected");
+    }
+}

attack/src/main/java/mi/attackactivity/SecButton.java

@@ -0,0 +1,39 @@
+package mi.attackactivity;
+
+import android.content.Context;
+import android.os.Bundle;
+import android.util.AttributeSet;
+import android.view.accessibility.AccessibilityNodeInfo;
+import android.widget.Button;
+
+/**
+ * Created by magic on 2017/8/17.
+ */
+
+public class SecButton extends android.support.v7.widget.AppCompatButton {
+    public SecButton(Context context) {
+        super(context);
+    }
+
+    public SecButton(Context context, AttributeSet attrs) {
+        super(context, attrs);
+    }
+
+    public SecButton(Context context, AttributeSet attrs, int defStyleAttr) {
+        super(context, attrs, defStyleAttr);
+    }
+
+//    @Override
+//    public boolean performAccessibilityAction(int action, Bundle arguments) {
+//
+//        //忽略AccessibilityService传过来的点击事件以达到防止模拟点击的目的
+////        if (action == AccessibilityNodeInfo.ACTION_CLICK
+////                || action == AccessibilityNodeInfo.ACTION_LONG_CLICK) {
+////            return true;
+////        }
+////
+////        return super.performAccessibilityAction(action, arguments);
+//        //忽略所有AccessibilityService事件
+//        return true;
+//    }
+}

attack/src/main/res/layout/activity_main.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<android.support.constraint.ConstraintLayout
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools" android:layout_width="match_parent"
+    android:layout_height="match_parent" tools:context="mi.attackactivity.MainActivity"
+    tools:layout_editor_absoluteY="0dp"
+    tools:layout_editor_absoluteX="0dp">
+
+    <TextView
+        android:id="@+id/ref"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_marginTop="38dp"
+        android:text="startActivityByReferrer"
+        android:textSize="24sp"
+        app:layout_constraintTop_toTopOf="parent"
+        tools:layout_editor_absoluteX="16dp" />
+
+    <TextView
+        android:id="@+id/ser"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_marginTop="40dp"
+        android:text="startActivityByService"
+        android:textSize="24sp"
+        app:layout_constraintTop_toBottomOf="@+id/ref"
+        tools:layout_editor_absoluteX="16dp" />
+
+    <mi.attackactivity.SecButton
+        android:id="@+id/button"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:text="Button"
+        tools:layout_editor_absoluteX="16dp"
+        android:layout_marginTop="44dp"
+        app:layout_constraintTop_toBottomOf="@+id/ser" />
+
+</android.support.constraint.ConstraintLayout>

attack/src/main/res/values/colors.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <color name="colorPrimary">#3F51B5</color>
+    <color name="colorPrimaryDark">#303F9F</color>
+    <color name="colorAccent">#FF4081</color>
+</resources>

attack/src/main/res/values/strings.xml

@@ -0,0 +1,4 @@
+<resources>
+    <string name="app_name">AttackActivity</string>
+    <string name="check_click">check</string>
+</resources>

attack/src/main/res/values/styles.xml

@@ -0,0 +1,11 @@
+<resources>
+
+    <!-- Base application theme. -->
+    <style name="AppTheme" parent="Theme.AppCompat.Light.DarkActionBar">
+        <!-- Customize your theme here. -->
+        <item name="colorPrimary">@color/colorPrimary</item>
+        <item name="colorPrimaryDark">@color/colorPrimaryDark</item>
+        <item name="colorAccent">@color/colorAccent</item>
+    </style>
+
+</resources>

attack/src/main/res/xml/accessibility_service_config.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
+    android:description="@string/check_click"
+    android:packageNames="mi.attackactivity"
+    android:accessibilityEventTypes="typeAllMask|typeViewClicked|typeViewFocused|typeNotificationStateChanged|typeWindowStateChanged"
+    android:accessibilityFlags="flagDefault"
+    android:accessibilityFeedbackType="feedbackSpoken"
+    android:notificationTimeout="100"
+    android:canRetrieveWindowContent="true"
+    />