cordova-plugin-crosswalk-webview - 记录所有UI交互 - 包括敏感数据

时间:2016-12-02 13:57:35

标签: cordova cordova-plugins crosswalk

这是一个经过编辑的问题 - 已经找到问题的根源,所以添加了我自己的答案。 Logcat几乎输出了与UI的每次互动,包括我们输入的密码框(用**突出显示的“密码”一词的开头):

D/cr_Ime  (10392): [ImeAdapter.java:313] showSoftKeyboard
D/cr_Ime  (10392): [InputMethodManagerWrapper.java:47] showSoftInput
D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [] [0 0] [-1 -1] [true]
D/cr_Ime  (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [44]
D/cr_Ime  (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [44] [112]
D/cr_Ime  (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [1 1] [-1 -1]
D/cr_Ime  (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [1, 1], COM [-1, -1]
D/cr_Ime  (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false], 
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [p] [1 1] [-1 -1] [false]
D/cr_Ime  (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [44]
D/cr_Ime  (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [44] [112]
D/cr_Ime  (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [29]
D/cr_Ime  (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [29] [97]
D/cr_Ime  (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [2 2] [-1 -1]
D/cr_Ime  (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [2, 2], COM [-1, -1]
D/cr_Ime  (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false], 
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [•a] [2 2] [-1 -1] [false]
D/cr_Ime  (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [1], keycode [29]
D/cr_Ime  (10392): [AdapterInputConnection.java:393] sendKeyEvent [1] [29] [97]
D/cr_Ime  (10392): [ImeAdapter.java:387] dispatchKeyEvent: action [0], keycode [47]
D/cr_Ime  (10392): [AdapterInputConnection.java:393] sendKeyEvent [0] [47] [115]
D/cr_Ime  (10392): [AdapterInputConnection.java:239] updateSelectionIfRequired [3 3] [-1 -1]
D/cr_Ime  (10392): [InputMethodManagerWrapper.java:74] updateSelection: SEL [3, 3], COM [-1, -1]
D/cr_Ime  (10392): [ImeAdapter.java:253] updateKeyboardVisibility: type [2->2], flags [66], show [false], 
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]

在混合sendKeyEvent中还输出了按键的ASCII / UTF代码。这是在Genymotion模拟设备和实际设备上发生的 - 都使用发布apk。在发布模式下,这种行为更加明显 - 只输出上面的**日志条目,这样可以很容易地看到密码是什么:

**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [p] [3 3] [-1 -1] [false]
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [•a] [3 3] [-1 -1] [false]
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [••s] [3 3] [-1 -1] [false]
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [•••s] [3 3] [-1 -1] [false]
**D/cr_Ime  (10392): [AdapterInputConnection.java:174] updateState [••••s] [3 3] [-1 -1] [false]

等等...

1 个答案:

答案 0 :(得分:0)

经过一段时间的挖掘后,测井发生在人行横道核心与地铁之间的某处。 chrome本机代码,它似乎不受您在Cordova配置中设置的日志记录级别的影响。解决方案是使用ProGuard删除对android日志记录方法的引用,方法是指定删除对这些方法的所有调用是安全的。建议的配置是:

 -keep class ** { *; }
 #Remove the logging classes - do not remove e, this has security implications...
 -assumenosideeffects class android.util.Log {
     public static *** d(...); 
     public static *** w(...); 
     public static *** v(...); 
     public static *** i(...); 
} 

-keep class ** { *; }或多或少保留所有课程 - YMMV,您可能需要更积极的清理来降低您的APK大小。

重要提示

在线帮助建议在自定义配置旁边使用默认的proguard-android.txt配置。在大多数情况下,这是一个很好的建议但不幸的是,对于这个用例,包含标记-dontoptimize,它禁用了我们需要删除日志记录的-assumenosideeffects子句。这是意外的并且导致了很多困难 - 我对这些东西不熟悉并且无法弄清楚我是什么"出错了"在我们的自定义配置中,而我正在测试的配置默认是禁用的。

为了解决这个问题,我从build .gradle中删除了对默认Proguard配置的引用:

android {
    buildTypes {
        release {        
            minifyEnabled = true
            // Original line with our custom proguard-android.pro for reference:
            // proguardFile getDefaultProguardFile('proguard-android.txt'), 'proguard-android.pro'
            proguardFiles 'proguard-android.pro'
        }
    }
}

接下来,我复制了默认Proguard文件的内容并粘贴到我们自定义文件的开头,删除了有问题的-dontoptimize标志。