Background:
For the past few days I have been studying Facebook's protocol, but the Facebook app uses SSL pinning, so Fiddler cannot decrypt the TLS traffic and show the protocol the normal way.
I heard that the Facebook app uses Android's new setting in its manifest, <application android:networkSecurityConfig="@xml/network_security_config">,
so I particularly wanted to look at the Facebook APK's manifest and see whether it contains this new setting.
But apktool throws errors when analysing the Facebook APK, so I wrote a small tool of my own.
Official documentation for the networkSecurityConfig setting
A brief description of the binary AndroidManifest.xml data structure:
The definitions for AndroidManifest are essentially all in the file /frameworks/base/libs/androidfw/include/androidfw/ResourceTypes.h.
Reading that file carefully shows that the AndroidManifest file structure is quite simple, not complicated at all.
The AndroidManifest.xml header is defined as follows; it is 8 bytes, and after it come independent chunks of different types:
```c
/**
 * Header that appears at the front of every data chunk in a resource.
 */
struct ResChunk_header {
    // Type identifier for this chunk.  The meaning of this value depends
    // on the containing chunk.
    uint16_t type;

    // Size of the chunk header (in bytes).  Adding this value to
    // the address of the chunk allows you to find its associated data
    // (if any).
    uint16_t headerSize;

    // Total size of this chunk (in bytes).  This is the chunkSize plus
    // the size of any data associated with the chunk.  Adding this value
    // to the chunk allows you to completely skip its contents (including
    // any child chunks).  If this value is the same as chunkSize, there is
    // no data associated with the chunk.
    uint32_t size;
};
```
For example, ResStringPool_header:
```c
/** ********************************************************************
 *  String Pool
 *
 *  A set of strings that can be references by others through a
 *  ResStringPool_ref.
 *
 *********************************************************************** */

/**
 * Definition for a pool of strings.  The data of this chunk is an
 * array of uint32_t providing indices into the pool, relative to
 * stringsStart.  At stringsStart are all of the UTF-16 strings
 * concatenated together; each starts with a uint16_t of the string's
 * length and each ends with a 0x0000 terminator.  If a string is >
 * 32767 characters, the high bit of the length is set meaning to take
 * those 15 bits as a high word and it will be followed by another
 * uint16_t containing the low word.
 *
 * If styleCount is not zero, then immediately following the array of
 * uint32_t indices into the string table is another array of indices
 * into a style table starting at stylesStart.  Each entry in the
 * style table is an array of ResStringPool_span structures.
 */
struct ResStringPool_header {
    struct ResChunk_header header;

    // Number of strings in this pool (number of uint32_t indices that follow
    // in the data).
    uint32_t stringCount;

    // Number of style span arrays in the pool (number of uint32_t indices
    // follow the string indices).
    uint32_t styleCount;

    // Flags.
    enum {
        // If set, the string index is sorted by the string values (based
        // on strcmp16()).
        SORTED_FLAG = 1<<0,

        // String pool is encoded in UTF-8
        UTF8_FLAG = 1<<8
    };
    uint32_t flags;

    // Index from header of the string data.
    uint32_t stringsStart;

    // Index from header of the style data.
    uint32_t stylesStart;
};
```
Knowing these definitions, it is straightforward to write a tool that decodes the binary AndroidManifest.xml into a plain-text AndroidManifest.xml.
Sure enough, I found the new security setting android:networkSecurityConfig in the Facebook manifest.
It indicates that Facebook uses its own root certificate to prevent man-in-the-middle attacks.
So Fiddler cannot decrypt Facebook's SSL traffic; the only way is to patch the .so file.
My little tool:
Usage is very simple: md <path to the binary AndroidManifest.xml file> decodes it.
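As an added example (this is not the author's tool, only an illustration written for this page), the following Python code parses the two structures above: it walks the top-level chunks of a binary AndroidManifest.xml, finds the string pool, decodes both the UTF-16 and the UTF-8 (UTF8_FLAG) encodings including the two-word length prefix, and then checks whether the attribute name networkSecurityConfig is in the pool. The chunk type values 0x0003 (RES_XML_TYPE) and 0x0001 (RES_STRING_POOL_TYPE) come from ResourceTypes.h; the sample manifest is constructed in the block itself by a small serializer, not taken from any real APK, and that serializer only handles strings shorter than 128 characters.

```python
import struct

RES_XML_TYPE = 0x0003          # outer AndroidManifest.xml chunk (ResXMLTree_header)
RES_STRING_POOL_TYPE = 0x0001  # ResStringPool_header
UTF8_FLAG = 1 << 8             # ResStringPool_header::UTF8_FLAG

def parse_chunk_header(data, offset):
    """ResChunk_header: uint16 type, uint16 headerSize, uint32 size (little-endian)."""
    return struct.unpack_from('<HHI', data, offset)

def _read_len16(data, pos):
    """UTF-16 length prefix: one uint16, or two if the high bit is set."""
    (hi,) = struct.unpack_from('<H', data, pos)
    if hi & 0x8000:
        (lo,) = struct.unpack_from('<H', data, pos + 2)
        return ((hi & 0x7FFF) << 16) | lo, 4
    return hi, 2

def _read_len8(data, pos):
    """UTF-8 length prefix: one byte, or two if the high bit is set."""
    hi = data[pos]
    if hi & 0x80:
        return ((hi & 0x7F) << 8) | data[pos + 1], 2
    return hi, 1

def parse_string_pool(data, offset):
    """Decode every string of the ResStringPool chunk that starts at `offset`."""
    chunk_type, header_size, _size = parse_chunk_header(data, offset)
    if chunk_type != RES_STRING_POOL_TYPE:
        raise ValueError('not a string pool chunk: type 0x%04x' % chunk_type)
    string_count, _style_count, flags, strings_start, _styles_start = \
        struct.unpack_from('<IIIII', data, offset + 8)
    index_table = struct.unpack_from('<%dI' % string_count, data, offset + header_size)
    base = offset + strings_start      # stringsStart is relative to the chunk header
    strings = []
    for idx in index_table:
        pos = base + idx
        if flags & UTF8_FLAG:
            # UTF-8 pools carry two lengths: character count, then byte count.
            _chars, n = _read_len8(data, pos); pos += n
            nbytes, n = _read_len8(data, pos); pos += n
            strings.append(data[pos:pos + nbytes].decode('utf-8'))
        else:
            nchars, n = _read_len16(data, pos); pos += n
            strings.append(data[pos:pos + 2 * nchars].decode('utf-16-le'))
    return strings

def manifest_strings(blob):
    """Walk the top-level chunks of a binary AndroidManifest.xml; return its string pool."""
    chunk_type, header_size, total = parse_chunk_header(blob, 0)
    if chunk_type != RES_XML_TYPE:
        raise ValueError('not a binary XML file')
    offset = header_size
    while offset < total:
        ctype, _hsize, csize = parse_chunk_header(blob, offset)
        if csize < 8:
            raise ValueError('corrupt chunk size at 0x%x' % offset)  # never loop forever
        if ctype == RES_STRING_POOL_TYPE:
            return parse_string_pool(blob, offset)
        offset += csize
    return []

def uses_network_security_config(blob):
    """True if the attribute name networkSecurityConfig is in the manifest's string pool."""
    return 'networkSecurityConfig' in manifest_strings(blob)

# ---- constructed fixture (hypothetical data, not from any real APK) ----
def build_string_pool(strings, utf8=False):
    """Serialize a minimal string pool; only strings under 128 chars/bytes are supported."""
    body, offsets = bytearray(), []
    for s in strings:
        offsets.append(len(body))
        if utf8:
            raw = s.encode('utf-8')
            body += bytes([len(s), len(raw)]) + raw + b'\x00'
        else:
            body += struct.pack('<H', len(s)) + s.encode('utf-16-le') + b'\x00\x00'
    while len(body) % 4:
        body += b'\x00'
    header_size = 28                              # sizeof(ResStringPool_header)
    strings_start = header_size + 4 * len(strings)
    header = struct.pack('<HHIIIIII', RES_STRING_POOL_TYPE, header_size,
                         strings_start + len(body), len(strings), 0,
                         UTF8_FLAG if utf8 else 0, strings_start, 0)
    return header + struct.pack('<%dI' % len(strings), *offsets) + bytes(body)

def build_manifest(strings, utf8=False):
    """Wrap a string pool in an 8-byte RES_XML_TYPE header, as a real manifest does."""
    pool = build_string_pool(strings, utf8)
    return struct.pack('<HHI', RES_XML_TYPE, 8, 8 + len(pool)) + pool

SAMPLE = build_manifest(['networkSecurityConfig', 'application', 'manifest'])

if __name__ == '__main__':
    print(manifest_strings(SAMPLE))
    print(uses_network_security_config(SAMPLE))
```

A real manifest has more chunks after the string pool (a resource-id map and the XML start/end element chunks), which this walker simply skips by adding each chunk's `size`; the `csize < 8` check matters because a chunk claiming a zero size would otherwise loop forever on a malformed or hostile APK.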