cordova-plugin-crosswalk-webview - 记录所有 UI 交互 - 包括敏感数据
cordova-plugin-crosswalk-webview - Logging all UI interaction - including sensitive data
这是一个经过编辑的问题 - 已找到问题的根源,因此添加了我自己的答案。
Logcat 几乎输出了与 UI 的所有交互,包括我们在密码框中输入的内容(单词 "password" 的开头以 ** 突出显示):
D/cr_Ime (10392): [ImeAdapter.java:313] showSoftKeyboard
D/cr_Ime (10392): [InputMethodManagerWrapper.java:47] showSoftInput
D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [] [0 0] [-1 -1] [true]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [44]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [44] [112]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [1 1] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [1, 1], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [p] [1 1] [-1 -1] [false]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [44]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [44] [112]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [29]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [29] [97]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [2 2] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [2, 2], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•a] [2 2] [-1 -1] [false]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [29]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [29] [97]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [47]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [47] [115]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [3 3] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [3, 3], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]
在混音中 sendKeyEvent 还输出按键的 ASCII/UTF 代码。这在 Genymotion 模拟设备和实际设备上都会发生 - 两者都使用发布 apk。在发布模式下,这种行为更加明显 - 仅输出上面的 **'d 日志条目,因此很容易看出密码是什么:
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [p] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•a] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•••s] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••••s] [3 3] [-1 -1] [false]
等等...
经过一番挖掘后,日志记录发生在人行横道核心代码和 Chromium 本机代码之间的某处,这似乎不受您在 Cordova 配置等中设置的日志记录级别的影响。解决方案是使用 ProGuard通过指定删除对这些方法的所有调用是安全的,删除对 android 日志记录方法的引用。建议的配置是:
-keep class ** { *; }
#Remove the logging classes - do not remove e, this has security implications...
-assumenosideeffects class android.util.Log {
public static *** d(...);
public static *** w(...);
public static *** v(...);
public static *** i(...);
}
-keep class ** { *; } 或多或少保留所有 类 - YMMV,您可能需要更积极的清理以降低 APK 大小。
重要提示
在线帮助建议使用默认的 proguard-android.txt 配置以及您的自定义配置。在大多数情况下,这是一个很好的建议,但不幸的是,对于这个用例,它 包含标志 -dontoptimize,它禁用了我们需要删除日志记录的 -assumenosideeffects 子句。 这是出乎意料并造成了很多困难 - 我是新手,无法弄清楚我在自定义配置中“出错”的地方,而我正在测试的配置默认情况下是禁用的。
为了解决这个问题,我从构建中删除了对默认 Proguard 配置的引用。gradle:
android {
buildTypes {
release {
minifyEnabled = true
// Original line with our custom proguard-android.pro for reference:
// proguardFile getDefaultProguardFile('proguard-android.txt'), 'proguard-android.pro'
proguardFiles 'proguard-android.pro'
}
}
}
接下来,我复制了默认 Proguard 文件的内容并粘贴到自定义文件的开头,删除了有问题的 -dontoptimize 标志。
这是一个经过编辑的问题 - 已找到问题的根源,因此添加了我自己的答案。 Logcat 几乎输出了与 UI 的所有交互,包括我们在密码框中输入的内容(单词 "password" 的开头以 ** 突出显示):
D/cr_Ime (10392): [ImeAdapter.java:313] showSoftKeyboard
D/cr_Ime (10392): [InputMethodManagerWrapper.java:47] showSoftInput
D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [] [0 0] [-1 -1] [true]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [44]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [44] [112]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [1 1] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [1, 1], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [p] [1 1] [-1 -1] [false]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [44]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [44] [112]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [29]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [29] [97]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [2 2] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [2, 2], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•a] [2 2] [-1 -1] [false]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [29]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [29] [97]
D/cr_Ime (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [47]
D/cr_Ime (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [47] [115]
D/cr_Ime (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [3 3] [-1 -1]
D/cr_Ime (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [3, 3], COM [-1, -1]
D/cr_Ime (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false],
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]
在混音中 sendKeyEvent 还输出按键的 ASCII/UTF 代码。这在 Genymotion 模拟设备和实际设备上都会发生 - 两者都使用发布 apk。在发布模式下,这种行为更加明显 - 仅输出上面的 **'d 日志条目,因此很容易看出密码是什么:
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [p] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•a] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [•••s] [3 3] [-1 -1] [false]
**D/cr_Ime (10392): [AdapterInputConnection.java:174] updateState [••••s] [3 3] [-1 -1] [false]
等等...
经过一番挖掘后,日志记录发生在人行横道核心代码和 Chromium 本机代码之间的某处,这似乎不受您在 Cordova 配置等中设置的日志记录级别的影响。解决方案是使用 ProGuard通过指定删除对这些方法的所有调用是安全的,删除对 android 日志记录方法的引用。建议的配置是:
-keep class ** { *; }
#Remove the logging classes - do not remove e, this has security implications...
-assumenosideeffects class android.util.Log {
public static *** d(...);
public static *** w(...);
public static *** v(...);
public static *** i(...);
}
-keep class ** { *; } 或多或少保留所有 类 - YMMV,您可能需要更积极的清理以降低 APK 大小。
重要提示
在线帮助建议使用默认的 proguard-android.txt 配置以及您的自定义配置。在大多数情况下,这是一个很好的建议,但不幸的是,对于这个用例,它 包含标志 -dontoptimize,它禁用了我们需要删除日志记录的 -assumenosideeffects 子句。 这是出乎意料并造成了很多困难 - 我是新手,无法弄清楚我在自定义配置中“出错”的地方,而我正在测试的配置默认情况下是禁用的。
为了解决这个问题,我从构建中删除了对默认 Proguard 配置的引用。gradle:
android {
buildTypes {
release {
minifyEnabled = true
// Original line with our custom proguard-android.pro for reference:
// proguardFile getDefaultProguardFile('proguard-android.txt'), 'proguard-android.pro'
proguardFiles 'proguard-android.pro'
}
}
}
接下来,我复制了默认 Proguard 文件的内容并粘贴到自定义文件的开头,删除了有问题的 -dontoptimize 标志。