How to execute an APK on a custom data directory?

Problem description:

I was wondering how Parallel Space app can duplicate and execute other apps without copying their APKs or running them under modified package names like other apps on Playstore do (e.g.: "com.whatever.name-of-duplicated-app").

After investigating their AndroidManifest.xml, the folders created on /data/data/, and the logs on the device, the only conclusion I could get is that somehow Parallel Space is capable of executing the code from other APKs but it maps the data directories of those apps into its own Data Directory.

Evidence:

  1. Directories are created like this: /data/data/com.lbe.parallel.intl/parallel_intl/0/whatever-package-name-you-cloned
  2. Every duplicated app execution begins with a new task of one of their Proxy activities and then somehow the duplicated app takes the place of the newly created process.

Initially, I thought it was something with DexClassLoader/PathClassLoader APIs, but I couldn't progress any further with that investigation. I also saw some questions like this one, but it doesn't seem to be the case.

I was analysing the Xiaomi Redmi Note 3, which allows multi-instance apps for WhatsApp. What it does is pretty straightforward: it creates another user profile from within the framework to differentiate the two.

u0_a171   1832  631   1094576 91608 SyS_epoll_ 0000000000 S com.whatsapp
u999_a171 8571  631   1037396 65024 SyS_epoll_ 0000000000 S com.whatsapp

Parallel Space was doing something even more interesting. Before getting into the details, let's analyse the output from ps:

u0_a45    2915  249   1120668 61264 SyS_epoll_ b6ca7010 S com.lbe.parallel.intl
u0_a45    6876  249   1081464 40588 SyS_epoll_ b6ca7010 S com.google.android.gms.persistent
u0_a45    6945  249   995016 19828 SyS_epoll_ b6ca7010 S com.google.process.gapps
u0_a45    11296 1     1220488 22760 futex_wait b6c7a8b0 S com.google.android.gms
u0_a45    12303 249   1064788 59680 SyS_epoll_ b6ca7010 S com.freecharge.android
u0_a100   12786 249   699476 45096 jbd2_log_w b6ca6fe8 D com.freecharge.android

Here, I have used Parallel Space to create another account for FreeCharge. So basically if we observe the last two processes, one of them is hosted in the parallel space process ID while the other app is in its own process ID.

Reverse engineering Parallel Space using apktool and dex2jar, the findings were as follows.

Parallel Space declares 100 Proxy Activities, 100 Proxy Services and 100 Proxy Providers. These are used to host the application which is to be cloned. Hence the cloned app will be within the same process space as Parallel Space. It also has Android framework stubs for ActivityManager, ServiceManager, AccountManager, LocationManager and many more. Basically, when the app is compiled, it creates these classes, which are the same as those in the framework.jar that ships with Android devices. Using these Proxy stubs and Java reflection, it creates and hosts the app in its own process space. For this it simply intercepts the Activity Manager calls and marshals new information, which is then forwarded to the framework.

It also creates a new directory structure for storing app information within its /data/data/ folder to host the cloned application data.

The details are immense; the Parallel Space developers have used extensive knowledge of the AOSP source code to leverage this behaviour, and have also leveraged how Java classes are used, by using Reflection and Proxies.

Update:

Just found the open source version of Parallel Space on GitHub. It works on exactly the same principles. Link below.

https://github.com/asLody/VirtualApp
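The two observations in the answer above (the cloned com.freecharge.android process runs as the host's UID u0_a45, and its data lives under /data/data/com.lbe.parallel.intl/parallel_intl/0/<package>) are exactly what an app can check on itself to notice it has been cloned into a virtualizing host. The following is an added example, not code from the question, the answer or VirtualApp; `VirtualizationCheck` is a hypothetical name and the code assumes a normal Android `Context`.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;
import java.util.regex.Pattern;

/** Hypothetical helper: flags the two signals a virtualized clone exposes. */
public final class VirtualizationCheck {

    /**
     * Pure check on values an app observes about itself, so it can be unit-tested.
     * A normally installed app has dataDir exactly /data/data/<pkg> (older releases)
     * or /data/user/<n>/<pkg>, and runs as the UID the package manager assigned to
     * it. A clone hosted by another app fails one or both: its dataDir is nested
     * under the host's own tree (it still *ends* with <pkg>, so a suffix test is
     * not enough) and its UID is the host's.
     */
    static boolean looksVirtualized(String packageName, String dataDir,
                                    int myUid, int installedUid) {
        if (dataDir == null) {
            return true;
        }
        String quoted = Pattern.quote(packageName);
        boolean dirOk = dataDir.equals("/data/data/" + packageName)
                || dataDir.matches("/data/user/\\d+/" + quoted);
        boolean uidOk = myUid == installedUid;
        return !(dirOk && uidOk);
    }

    /** Gathers the same values from the live process. */
    public static boolean looksVirtualized(Context ctx) {
        String pkg = ctx.getPackageName();
        String dataDir = ctx.getApplicationInfo().dataDir;
        int installedUid;
        try {
            installedUid = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
        } catch (PackageManager.NameNotFoundException e) {
            return true; // the package manager does not know us: treat as suspicious
        }
        return looksVirtualized(pkg, dataDir, Process.myUid(), installedUid);
    }
}
```

Because the host also stubs PackageManager and ApplicationInfo lookups through its framework proxies, it can in principle feed back spoofed values, so treat this as a heuristic and compare it with OS-level facts (for example the UID in /proc/self/status) rather than relying on it alone.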