Changes

Line 1: Line 1:  
This is a good place for [[User:Haixinshi]] to discuss his progress [[User:Podehaye|Podehaye]] ([[User talk:Podehaye|talk]])
 
This is a good place for [[User:Haixinshi]] to discuss his progress [[User:Podehaye|Podehaye]] ([[User talk:Podehaye|talk]])
== 7.27([[Item:Q1185|Le Temps]], Watson Actu) ==
+
== 8.9([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# Discuss with Chengyang and Andreas about the plan of App Audit project.
 +
# Write a [https://github.com/hestiaAI/hestialabs-bubble-server/issues/18#issuecomment-1209520952 report] to explain the design of whole App Audit system in details and set up plans this week.
 +
''Thanks for app audit report. Could you also please include the diagram you showed us in signal (TheEyeBalls)''
 +
=== Questions: ===
 +
What should the priority of current plans? Building up a coarse "Manager App" or try to explore Criteo?  ''1- a coarse "Manager App"''
 +
=== Plans: ===
 +
# Develop a very coarse mobile app that manages data stored by modified apps, which is named ”Manager App”. It can read the data in public folders and send it to a simple http server.
 +
# Work on the app le Monde to understand how criteo intervenes. but it seems complicated because there is no criteo sdk.
 +
# Work on the app muslim pro which has the sdk of criteo.
 +
 
 +
== 8.8([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# Find the target functions of smartadserver.
 +
# Talk to MP and confirm that the focus will be on Criteo.
 +
# Summarize the work of app audit and prepare it for cooperation with Chengyang.
 +
=== Questions: ===
 +
No.
 +
=== Plans: ===
 +
# Work on the app le monde to understand how criteo intervenes. but it seems complicated because there is no criteo sdk.
 +
# Work on the app muslim pro which has the sdk of criteo.
 +
== 8.5([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# Optimize dynamic hooking scripts, now it can hook functions in batch and support filtering. I used Python scripts to retrieve class name(with package names) from path of files in decompile folders. In this case, I can get the class names in batch and hook classes in batch(in specific directories). I believe Frida-Server can support the same competence as the framework I used in ByteDance and my ex-leader told me they also use Frida now :)
 +
# Google Ad still looks difficult. I hooked ALL functions that involves string related to “bid”, “currency” and “rtb”, but they are not called.
 +
# Analyze the Tencent SDK and VK SDK in Watson Actu, which was proposed by MP. The following functions in Tencent SDK are called. But no function in VK SDK is called. I explored Tencent SDK and found that [https://github.com/Kainanchen/Sangokushi/blob/80fdb55c92776690b9b02aa0a6fba3dc7790025e/com/tencent/wxop/stat/StatServiceImpl.java StatServiceImpl] tries to track events.
 +
* com.tencent.wxop.stat.common.StatLogger@7f01327----#setDebugEnable is called, and the parameters are:
 +
false
 +
* StatSpecifyReportedInfo [appKey=null, installChannel=null, version=null, sendImmediately=false, isImportant=false]----#toString is called, and the parameters are:
 +
No Paramters!
 +
* StatSpecifyReportedInfo [appKey=null, installChannel=null, version=null, sendImmediately=false, isImportant=false]----#setAppKey is called, and the parameters are:
 +
A9VH9B8L4GX4
 +
=== Questions: ===
 +
# Should I continue working on Google Ad? Or we should set it as long term goal and we first try more practical tasks.
 +
=== Plans: ===
 +
# Analyze ads in other apps that are not so complicated.
 +
# Continue to work on Tencent SDK and VK SDK.
 +
 
 +
== 8.4([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# Find the way to show the price of ads in Le Temps. [https://github.com/appnexus/mobile-sdk-android/blob/10897bb76706e1df00778750a7a214f3b172fde8/sdk/src/com/appnexus/opensdk/AdWebView.java#L266 Here] is a good place to inject prices of ads!
 +
# Share and discuss the effects of showing ads in Hestia-Eyeballs Group.
 +
=== Questions: ===
 +
No
 +
=== Plans: ===
 +
# Optimize Scripts that apply Frida-Server API
 +
# Analyze Google Ads in Watson Actu.
 +
== 8.3([[Item:Q1185|Le Temps]]) ==
 +
=== Progress: ===
 +
# Successfully built up Frida-Server pipeline. Without modifying the source code of app. I can dynamically output all data that flows in interesting functions. Besides, I can get calling relationships(stack trace back) dynamically.
 +
=== Questions: ===
 +
* Question: MP-->''Could please explain more what Frida could do?''
 +
* Answer: [https://frida.re/docs/home/ Here] explains that Frida can easily inject our logics into app's functions, which exposes the information that the functions are called or not(We could inject some logging code into target functions, and when they are called, our logs will show up); besides, we can show the parameters(data). All things I did before(modify SMALI code of apps -> compile the modified code -> build and sign app -> run the app -> watch console and find our logs to see what happens in a target function) CAN BE REPLACE by Frida Server. Because this tool can help us easily inject codes into an app without modifying the app even when the app is running(I submit the injected scripts and then results will be available right away)! To conclude, this tool can help us analyze the SDKs efficiently. But at the end, we still have to modify smali code to get our product after we find the target functions and understand the logits.
 +
 
 +
=== Plans: ===
 +
# Try to find all class names by code or tool. And the class names can be fed into my scripts and then I can hook all functions in the app at one shot.
 +
# Try to implement the effect of showing the price of advertisement on UI by finding the connection between UI and data processing functions in LeTemps+AppNexus. But it is not promising so far.
 +
== 8.2([[Item:Q1185|Le Temps]]) ==
 +
=== Progress: ===
 +
# Successfully built up [https://github.com/frida/frida Frida-Server] in ROOT environment. It is very exciting, since:
 +
* Previously, when I want to verify that an interesting function is called or not, I have to first modified the corresponding smali code to Log something, then compile,  then build the app and analyze logs on adb console, which would cost time;
 +
* Now, I can write JS code directly and hook target functions DYNAMICALLY, which means that I do not need to modify the source code of apps, and I can easily verify the functions being called and the data flowing in them.
 +
# I can see the possibility that we can inject the SO file of Frida into the app and then we do not need to modify smali code. But this is not top priority here, since we already have a workable pipeline.
 +
# I spent a lot of time in finding the connection between UI and data processing functions in LeTemps+AppNexus. But it seems strange for me. From my understanding so far, the data I collected before is NOT used for UI especially the "content" which contains a lot of HTML+JS code.
 +
=== Questions: ===
 +
# It is not very efficient for me to do static analysis(function names are obfuscated and the calling relationships are complex), but now dynamic hooking is very convinient for me; therefore, I can show you more data that flows in the app.
 +
MP-->''Could please explain more what Frida could do?'' 
 +
=== Plans: ===
 +
# Now I can not dynamically hook A BATCH OF functions at a time. But I will try to fix the bugs and it is practical for me.
 +
# Try to implement the effect of showing the price of advertisement on UI by finding the connection between UI and data processing functions in LeTemps+AppNexus. But it is not promising so far.
 +
 
 +
== 7.29([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# [https://github.com/appnexus/mobile-sdk-android/blob/bb9d8d29a47ce642a01cbab8faeaeb9a30210a6e/sdk/src/com/appnexus/opensdk/AdViewRequestManager.java#L333 AdViewRequestManager]. This class is pivot of Banner Advertisement for LeTemps+AppNexus.
 +
# Try to show the price of advertisement on UI. Now I can dynamically analyze the calling relationshis for Banner Advertisement in LeTemps+AppNexus. They are more complex than my expectation, since they are not directly called one by one but apply event-driven mechanism, which means that there are listeners for the events. Besides, the codes are obfuscated.
 +
# Try to use Android Studio, but it did not work.
 +
=== Questions: ===
 +
No.
 +
=== Plans: ===
 +
# Try to implement the effect of showing the price of advertisement on UI.
 +
 
 +
== 7.28([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 +
=== Progress: ===
 +
# Save data in shared place outside SD card and deal with permission problems.
 +
# Talk with MP about the pain spot of my work; Talk with Jacob, although we know later that we cannot start working on Uber currently.)
 +
# Root one of the phones and read documents about frida.
 +
 
 +
=== Questions: ===
 +
I am afraid of legal-related problems when it comes to APK's decompiling and modifying. What kind of behaviors are acceptable according to local laws?
 +
 
 +
=== Plans: ===
 +
# !First priority!: Build up the Frida environment and learn to write js codes to dynamically hook functions, which can facilitate the process of finding CALLED interesting functions.
 +
# Write static analysis about SDK connections in Le Temps.
 +
# Dynamically test COMSCORE SDK, VKontakte SDK and Tencent SDK in Watson Actu, analyze location data of Huawai.
 +
 
 +
== 7.27([[Item:Q1185|Le Temps]], [[Item:Q5452|Watson Actu]]) ==
 
=== Progress: ===
 
=== Progress: ===
 
# MP suggested me to have a look at: VKontakte SDK and Tencent SDK in Watson Actu:  
 
# MP suggested me to have a look at: VKontakte SDK and Tencent SDK in Watson Actu:  
 +
: ''check also for Huawai, in particular for location data''
 
* smali_classes2/com/vk/api/sdk/okhttp/OkHttpExecutor.smali and the function is '''ReadResponse'''. Unfortunately this function was not called during my experiments. I also tried other functions related to server response in VKontakte SDK. But they are not called.
 
* smali_classes2/com/vk/api/sdk/okhttp/OkHttpExecutor.smali and the function is '''ReadResponse'''. Unfortunately this function was not called during my experiments. I also tried other functions related to server response in VKontakte SDK. But they are not called.
 
* I found that COMSCORE SDK was called very frequently in Watson Actu.
 
* I found that COMSCORE SDK was called very frequently in Watson Actu.
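Review bot: In the 8.5 entry, the hook output recorded for setAppKey includes the captured parameter value verbatim; if this wiki is publicly readable, mask that value (for example, keep only its first and last characters) so the log documents that the call happens without republishing the key. Separately, the line MP-->''Could please explain more what Frida could do?'' now appears under both the 8.2 and the 8.3 Questions sections; keeping it only in 8.3, where the answer is given, would avoid the duplicate.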
Line 8: Line 105:  
# I finished saving detailed logs about LeTemps+AppNexus, which contains a lot of interesting information.
 
# I finished saving detailed logs about LeTemps+AppNexus, which contains a lot of interesting information.
   −
=== Questions: ===I
+
=== Questions: ===
 
# Always finding functions by purely viewing logging is in very low efficiency. I will try to use more advanced tools, like Android Studio, so as to dynamically debug the modified APK if applicable, which may efficiently help me seize what kind of functions are actually called. Would I have any technical supports related to this?
 
# Always finding functions by purely viewing logging is in very low efficiency. I will try to use more advanced tools, like Android Studio, so as to dynamically debug the modified APK if applicable, which may efficiently help me seize what kind of functions are actually called. Would I have any technical supports related to this?
 
# During working, I spent a lot of time in testing that whether interesting functions are called or not while focusing on some interesting strings like "bidding", and "price". It can lead to low productivity and boredom.
 
# During working, I spent a lot of time in testing that whether interesting functions are called or not while focusing on some interesting strings like "bidding", and "price". It can lead to low productivity and boredom.