radito/SecurityRiskAndroid
GitHub: radito/SecurityRiskAndroid
Android JNI native runtime risk detector that identifies dozens of classes of device runtime threat signals, such as root, hook frameworks and memory tampering, through a layered, multi-dimensional detection mechanism.
Stars: 1 | Forks: 0
# SecurityRiskAndroid
```
getParsedResults();
boolean isCompromised();
```
## Usage
In `MainActivity.java`:
```
checker = new SecurityChecker();
// The threat callback fires on the background scan thread, so UI updates are posted to the main thread.
checker.setThreatCallback(reason -> {
    mainHandler.post(() -> updateBgStatus("⚠ BG THREAD: " + reason));
});
// Parsed KEY:VALUE fields from the last run, plus the raw native log buffer.
Map results = checker.getParsedResults();
String nativeLog = checker.getNativeLog();
```
The app UI displays:
```
Security check result rows
Compromised / clean summary
Background threat status
Full native log buffer
```
## Result fields
Common result fields:
```
SCORE
VERDICT
DEEP_SCAN
DEEP_AGE_MS
ROOT_PATHS
ROOT_MOUNTS
MAPS_ARTIFACTS
MAPS_FILTERED
SUSPICIOUS_MAPS
DEBUGGER
THREADS
FDS
LINKER_INLINE
USB_DEBUGGING
BOOTLOADER_UNLOCKED
BUILD_PROPS
KERNEL_IDENTITY
JNI_TABLE
JVM_TABLE
MODULES
SELF_BREAKPOINTS
ART_BRIDGE_CLASSES
ART_STACK
ART_CLASSLOADER
ART_DEX_MAPS
PACKAGE_RISK
PACKAGE_INCONSISTENCY
LOCATION_ENVIRONMENT
FRAMEWORK_RUNTIME
DISK_PUBLIC_ARTIFACTS
DISK_ROOT_ARTIFACTS
DISK_ZIP_MODULES
DISK_APK_RISK
SUSPICIOUS_PROCESS
SUSPICIOUS_PORTS
ROOT_ASSISTED_ASYNC
ROOT_ASSISTED_ROOT_VIEW
ROOT_ASSISTED_MODULES
ROOT_ASSISTED_PROCESS
ROOT_ASSISTED_PORTS
ROOT_VIEW_DELTA
EMULATOR
MEMORY_LIVE
MEMORY_DISK
```
Possible status values include:
```
CLEAN
DETECTED
HOOKED
TAMPERED
MISMATCH
PENDING
CACHED
RUNNING_CACHED
GRANTED
DENIED
TIMEOUT
UNAVAILABLE
NOT_RUN
SKIPPED
ERROR
```
## Output examples
Initial fast result while the deep scan is still running:
```
SCORE:1|VERDICT:CLEAN|DEEP_SCAN:PENDING|ROOT_PATHS:CLEAN|ROOT_MOUNTS:CLEAN|MAPS_ARTIFACTS:CLEAN|SUSPICIOUS_MAPS:CLEAN|DEBUGGER:CLEAN|USB_DEBUGGING:DETECTED|JNI_TABLE:CLEAN|JVM_TABLE:CLEAN|ART_CLASSLOADER:PENDING|PACKAGE_RISK:PENDING|LOCATION_ENVIRONMENT:PENDING|DISK_ROOT_ARTIFACTS:PENDING|SUSPICIOUS_PROCESS:PENDING|SUSPICIOUS_PORTS:PENDING|ROOT_ASSISTED_ASYNC:PENDING|MEMORY_DISK:PENDING|
```
Subsequent cached deep result:
```
SCORE:14|VERDICT:BLOCK|DEEP_SCAN:CACHED|DEEP_AGE_MS:1420|ROOT_PATHS:CLEAN|ROOT_MOUNTS:CLEAN|MAPS_ARTIFACTS:CLEAN|MAPS_FILTERED:CLEAN|SUSPICIOUS_MAPS:CLEAN|DEBUGGER:CLEAN|JNI_TABLE:CLEAN|JVM_TABLE:CLEAN|ART_BRIDGE_CLASSES:CLEAN|ART_STACK:CLEAN|ART_CLASSLOADER:DETECTED|ART_DEX_MAPS:DETECTED|PACKAGE_RISK:DETECTED|PACKAGE_INCONSISTENCY:DETECTED|LOCATION_ENVIRONMENT:CLEAN|DISK_ROOT_ARTIFACTS:DETECTED|SUSPICIOUS_PROCESS:DETECTED|SUSPICIOUS_PORTS:CLEAN|ROOT_ASSISTED_ASYNC:GRANTED|ROOT_ASSISTED_MODULES:DETECTED|ROOT_VIEW_DELTA:DETECTED|MEMORY_LIVE:CLEAN|MEMORY_DISK:CLEAN|
```
Native log output:
```
1718520000000 [I] pid=12345 tid=12345 Security JNI loaded: VERBOSE=1 log_buffer=262144 bytes
1718520000012 [I] pid=12345 tid=12345 runAllChecks fast path begin
1718520000028 [I] pid=12345 tid=12345 deep scan worker started
1718520000030 [I] pid=12345 tid=12345 [manual] SCORE=1 VERDICT=CLEAN DEEP_SCAN=PENDING
1718520001460 [I] pid=12345 tid=12346 ART ClassLoader chain: depth=0 class=dalvik.system.PathClassLoader
1718520001580 [I] pid=12345 tid=12346 Suspicious listening port signal: port=27042 risk=strong
1718520001600 [I] pid=12345 tid=12346 Root-assisted su granted: output_bytes=32768
1718520001610 [I] pid=12345 tid=12346 Root-assisted module/root artifact signal visible
1718520001620 [I] pid=12345 tid=12346 deep scan worker completed: score=14 verdict=BLOCK
```
## Runtime overhead
The expected runtime depends on device speed, the number of loaded libraries, the number of installed packages, the number of framework mappings, the number of file descriptors, the size of public storage, process visibility, port/socket visibility, and whether a hooking/hiding framework is filtering API results. The root-assisted scan may additionally wait for a superuser prompt, a denial, or a timeout.
Expected timings:
```
JNI_OnLoad baseline:
1–20 ms
FAST_SYNC runAllChecks():
Target under 100–200 ms on typical devices
May be higher on old or heavily hooked devices
DEEP_ASYNC worker:
Usually hundreds of ms to a few seconds
Can be slower when PackageManager, LocationManager, ART reflection, disk scans, process scans, port scans, or /proc scans are hooked or heavily filtered
ROOT_ASSISTED_ASYNC:
May return quickly if su is unavailable or denied
May take several seconds if a root manager prompt is shown or the request times out
```
Recommended production pattern:
```
Startup:
- initialize JNI
- run fast checks only
- return PENDING for heavy fields
After UI is visible:
- allow deep async worker to finish
- update UI, log, or internal risk state
Before sensitive action:
- reuse cached deep result if fresh
- rerun selected deep checks if stale
- treat root-assisted data as diagnostic evidence, especially when APP_VIEW and ROOT_VIEW disagree
Background:
- periodically or randomly run selected checks
- avoid full heavy scans on every frame or click
```
Avoid running a heavy full scan on the first rendered frame.
## Risk scoring
The checker uses a score-based approach rather than relying on any single signal.
Example:
```
score >= 8 → BLOCK
score >= 4 → WARNING
score < 4 → CLEAN
```
Compared with blocking immediately on a single suspicious artifact, this reduces false positives.
The project weights signals differently:
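As an added example (not code from the project), a small server-side evaluator for the `KEY:VALUE|...|` result string shown in the output examples: it re-derives the verdict from the score thresholds above, cross-checks a CACHED result against the deep-scan completion line in the native log as a second path, and treats PENDING or stale deep results as unknown rather than clean. The freshness window `MAX_DEEP_AGE_MS` is an assumption, and the tampered sample is constructed; the other samples are copied from this README.

```python
import re
from typing import Dict, Optional

BLOCK_SCORE, WARNING_SCORE = 8, 4   # verdict thresholds from the README's scoring example
MAX_DEEP_AGE_MS = 5 * 60 * 1000      # assumed freshness window for a CACHED deep result (not from the README)
DONE_RE = re.compile(r"deep scan worker completed: score=(\d+) verdict=(\w+)")

def parse_results(raw: str) -> Dict[str, str]:
    """Parse 'KEY:VALUE|KEY:VALUE|...|'; the trailing '|' yields an empty field, which is skipped."""
    out: Dict[str, str] = {}
    for field in raw.split("|"):
        if field:
            key, _, value = field.partition(":")
            out[key] = value
    return out

def verdict_from_score(score: int) -> str:
    if score >= BLOCK_SCORE:
        return "BLOCK"
    return "WARNING" if score >= WARNING_SCORE else "CLEAN"

def log_verdict(native_log: str) -> Optional[tuple]:
    """Second, independent path: the deep-scan completion line inside the getNativeLog() buffer."""
    m = DONE_RE.search(native_log)
    return (int(m.group(1)), m.group(2)) if m else None

def evaluate(raw: str, native_log: str = "") -> Dict[str, object]:
    r = parse_results(raw)
    score = int(r.get("SCORE", "-1"))
    reported, expected = r.get("VERDICT", ""), verdict_from_score(score)
    pending = sorted(k for k, v in r.items() if v == "PENDING")
    stale = r.get("DEEP_SCAN") == "CACHED" and int(r.get("DEEP_AGE_MS", "0")) > MAX_DEEP_AGE_MS
    # Only a CACHED result should match the worker's completion line; a fast result predates it.
    logged = log_verdict(native_log) if r.get("DEEP_SCAN") == "CACHED" else None
    log_agrees = logged is None or logged == (score, reported)
    if score < 0 or reported != expected or not log_agrees:
        decision = "BLOCK"   # score, verdict and native log disagree: treat the output as patched
    elif pending or stale:
        decision = "DEFER"   # heavy checks unfinished or not fresh: PENDING is unknown, not clean
    else:
        decision = expected
    return {"score": score, "reported": reported, "expected": expected, "pending": pending,
            "stale": stale, "log_agrees": log_agrees, "decision": decision,
            "su_denied_only": r.get("ROOT_ASSISTED_ASYNC") == "DENIED"}  # DENIED is not proof of clean
# Samples: the two result strings and the log line are copied from the README; the last one is constructed.
FAST_SAMPLE = "SCORE:1|VERDICT:CLEAN|DEEP_SCAN:PENDING|ROOT_PATHS:CLEAN|ROOT_MOUNTS:CLEAN|MAPS_ARTIFACTS:CLEAN|SUSPICIOUS_MAPS:CLEAN|DEBUGGER:CLEAN|USB_DEBUGGING:DETECTED|JNI_TABLE:CLEAN|JVM_TABLE:CLEAN|ART_CLASSLOADER:PENDING|PACKAGE_RISK:PENDING|LOCATION_ENVIRONMENT:PENDING|DISK_ROOT_ARTIFACTS:PENDING|SUSPICIOUS_PROCESS:PENDING|SUSPICIOUS_PORTS:PENDING|ROOT_ASSISTED_ASYNC:PENDING|MEMORY_DISK:PENDING|"
DEEP_SAMPLE = "SCORE:14|VERDICT:BLOCK|DEEP_SCAN:CACHED|DEEP_AGE_MS:1420|ROOT_PATHS:CLEAN|ROOT_MOUNTS:CLEAN|MAPS_ARTIFACTS:CLEAN|MAPS_FILTERED:CLEAN|SUSPICIOUS_MAPS:CLEAN|DEBUGGER:CLEAN|JNI_TABLE:CLEAN|JVM_TABLE:CLEAN|ART_BRIDGE_CLASSES:CLEAN|ART_STACK:CLEAN|ART_CLASSLOADER:DETECTED|ART_DEX_MAPS:DETECTED|PACKAGE_RISK:DETECTED|PACKAGE_INCONSISTENCY:DETECTED|LOCATION_ENVIRONMENT:CLEAN|DISK_ROOT_ARTIFACTS:DETECTED|SUSPICIOUS_PROCESS:DETECTED|SUSPICIOUS_PORTS:CLEAN|ROOT_ASSISTED_ASYNC:GRANTED|ROOT_ASSISTED_MODULES:DETECTED|ROOT_VIEW_DELTA:DETECTED|MEMORY_LIVE:CLEAN|MEMORY_DISK:CLEAN|"
DEEP_LOG = "1718520001620 [I] pid=12345 tid=12346 deep scan worker completed: score=14 verdict=BLOCK"
TAMPERED_SAMPLE = "SCORE:14|VERDICT:CLEAN|DEEP_SCAN:CACHED|DEEP_AGE_MS:1420|ROOT_ASSISTED_ASYNC:DENIED|"
```

`evaluate(DEEP_SAMPLE, DEEP_LOG)` yields `BLOCK`, `evaluate(FAST_SAMPLE)` yields `DEFER` because nine fields are still PENDING, and the constructed tampered string is blocked because its patched `VERDICT` no longer matches its `SCORE`.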
```
Strong signals:
- Memory hash mismatch
- JNI / JavaVM table pointer outside libart
- Frida/Gum thread or fd artifact
- Suspicious foreign executable memfd
- Foreign module dex/apk loaded into app runtime
- Package visibility inconsistency
- Root-assisted module/root artifact visibility
- Root view delta between app process view and root helper view
- Frida/debug/root daemon process or port signal
Medium signals:
- Suspicious maps artifact
- PHDR/maps mismatch
- ART stack or classloader anomaly
- Location/mock environment anomaly
- SSH/dropbear/Termux SSH process or listener
- Magisk-style ZIP module or risky APK artifact
Weak signals:
- USB debugging enabled
- Developer options indicator
- Emulator-like file presence
- Some build property anomalies
- Termux process without sshd/dropbear or other stronger companion signals
```
## Important security notes
This project can serve as a proof of concept and as one part of a layered defense strategy.
It should not be considered impossible to bypass.
Advanced attackers may still evade detection by:
```
Renaming artifacts
Filtering /proc output
Hooking native functions
Patching JNI return values
Patching the app binary
Running the app inside a controlled environment
Disabling background threads
Modifying the checker logic
Hooking PackageManager / LocationManager / Settings APIs
Returning fake clean values from Java/ART calls
Patching the risk score or verdict generation
Denying, delaying, or faking root-assisted diagnostic output
```
For stronger protection, combine it with:
```
Server-side validation
Play Integrity API
Hardware-backed attestation when available
Certificate pinning
Native-side sensitive logic
Obfuscation
Anti-tamper checks
Runtime challenge-response
Short-lived server nonce
Multiple independent detection paths
Delayed or randomized enforcement
```
Do not rely solely on the Java return value of `runAllChecks()`, because Java methods can be hooked. Likewise, do not treat `SU_DENIED` as proof that the device is clean; it only means that the root-assisted diagnostic path was not granted permission.
For hardened builds:
```
Set VERBOSE=0
Strip native symbols
Hide symbol visibility
Avoid exposing exact detection reasons
Avoid storing sensitive secrets in JNI
Avoid making one final return string the only enforcement point
Use server-side challenge-response for important decisions
Keep root-assisted checks opt-in or diagnostic in research builds
```
## Disclaimer
This project is intended for defensive testing, learning, and application hardening.
It is not a complete anti-tamper or anti-hooking solution. Use it as one layer within a broader security design.