今天刚好有点时间就先简单写一下，前段时间分析了一下某国内风控厂生成设备id时采集的信息，也是第一次接触风控这方面的东西，抱着学习的心态分析了一下。
某风控厂：我贼tm牛逼，你手机刷机了我都能识别出旧id，一年就要百来万，便宜
首先这个sdk包含java和native so两个模块，app启动的时候将采集信息上报，服务器返回个设备id，没有合法的id有些app直接拒绝注册。。。Java层的sdk采集的信息最多，差不多有百来条，然后传递给so层，so层再采集一波，然后rsa非对称加密，返回给java。我先把采集的信息列出来，不一定全，包括我做的时候记录的数据可能丢失，还有测试地可能完整。。。
Java层采集的信息：
1.wlan0，网卡地址，网卡ip，网卡名称
2.启动次数
3.下载的渠道
4.平台安卓还是苹果
5.自己sdk版本
6.cpu数量，cpu_model_name，cpu_max_MHz
7.屏幕亮度
8.app版本
9.网络类别，WiFi还是什么
10.mediadrm_uuid， 用什么库的id然后生成的id
11.一些统计的耗用的时间
12.ro.xxxx系类，具体如下：
"ro.kernel.qemu": "",
"ro.debuggable": "",
"ro.secure": "",
"ro.build.version.release": "",
"ro.build.version.sdk": "",
"ro.build.display.id": "",
"ro.product.model": "",
"ro.product.board": "",
"ro.product.brand": "",
"ro.product.name": "",
"ro.product.manufacturer": "",
"ro.boot.baseband": "",
"ro.boot.bootloader": "",
"ro.serialno": "",
"ro.build.fingerprint"
13.app内部id
14.pid

1. //android.bluetooth.IBluetooth$Stub$Proxy

   1	//android.bluetooth.BluetoothAdapter

   16.是否有XposedBridge.jar
   17.
   //ro.debuggable
   //ro.boot.serialno
   //gsm.network.type
   //gsm.sim.state
   //persist.sys.country
   //persist.sys.language
   //sys.usb.state
   //ro.serialno
   //android.os.SystemProperties
   18.各种方式获取DeviceId，但是被安卓系统无情拒绝
   //getSystemService
   //phone
   //getDeviceId
   19.掉了这个函数getSubscriberId，忘了干啥的
   20.Build.getRadioVersion()
   21.app_name，app_packet_name
   22.dpi
2. //getSimOperator
   //getNetworkOperatorName
   24.sensor
   25.total_mem
   26.getSimSerialNumber
   27.
   // (InputMethodManager) context.getSystemService("input_method"))
   // (inputMethodList = inputMethodManager.getInputMethodList())
   28.external_storage_dir_available_bytes，external_storage_dir_free_bytes，external_storage_dir_total_bytes
   29.android.intent.action.BATTERY_CHANGED，电池temperature，voltage，level，scale，status
3. //Settings.Secure.getInt(context.getContentResolver(), "mock_location", 0)
   31.locateServiceName:android.os.BinderProxy|phoneServiceName:android.os.BinderProxy
   //getService

   1 2 3

   //android.os.ServiceManager //location //phone

   32.服务器给的状态，没有细致分析，一共6个
   33.两种定位信息，拒绝就完事
   34.风险文件，风险apk，这个后面说
   35.certificate_info，certificate_hash
   36.ps后进程名称文件存在的个数是否大于1，ps后进程名称文件存在的个数
   37.用户名称
   38.ps后的进程名称文件存在名称
   39.files_path，app自己文件路径
   40.//辅助功能

   1 2 3 4 5 6 7

   //android.content.Context //getSystemService //accessibility //isEnabled //getEnabledAccessibilityServiceList //getId //getResolveInfo

   41.ip缓存？？
   42.fc_times
   43.之前产生的网络错误
   44.Debug.isDebuggerConnected()
   45.ApplicationInfo.CATEGORY_VIDEO
   46.Proxy
   47.错误堆栈
   48.Sid
   49.//0 android.permission.READ_PHONE_STATE

   1 2 3 4 5 6

   //1 android.permission.WRITE_EXTERNAL_STORAGE //2 android.permission.WRITE_SETTINGS //3 android.permission.ACCESS_WIFI_STATE //4 android.permission.ACCESS_NETWORK_STATE //5 android.permission.ACCESS_FINE_LOCATION //6 android.permission.ACCESS_COARSE_LOCATION

   50.检测一些java函数flag，是否被native化，具体的没有记录
   Native采集的信息（重复的不再列出）：
   1.libc.so hook检测，常用的函数
   2.data/system md5
   3./vendor/firmware md5
   4./system/bin md5
   5./vendor/lib md5
   6./system/framework md5
   7./system/fonts md5
   8./proc/net/arp
   9.Wlan
   10.ro系列
   11./system/bin/su
   12.Xposed
   13.Cpu
   14.100多个java函数，后面说
   15./proc/sys/kernel/random/boot_id
   16./proc/sys/kernel/random/uuid
   17.tun
   以上是大致的检测参数，下面列出风险app检测的：
   "de.robv.android.xposed.installer","com.soft.controllers","com,.soft.apk008v","com.soft.apk008Tool","com.doubee.ig","com.cyjh.mobileanjian","com.ruokuai.rktech", "c,om.topjohnwu.magisk","com.kingroot.kinguser", "com.saurik.substrate", "com.touchsprite.android","com.stardust.scri,ptdroid","com.mobileuncle.toolhero","com.huluxia.gametools", "com.gmail.heagoo.apkeditor.pro","com.sollyu.xposed.hook.m,odel.dev","com.txy.anywhere",
   "pro.burgerz.wsm.manager","com.virtualdroid.loc","com.virtualdroid.txl", "com.virtualdroid.wzs", "com.virtualdroid.kit", "com.virtualdroid.wxg","com.virtualdroid.gps", "top.a1024bytes.mockloc.ca.pro",
   "com.deruhai.guangzi.noroot2", "com.mcmonjmb.yggb", "xiake.xserver","com.dracrays.fakeloc",
   "net.anylocatio,n.ultra", "com.wifi99.android.locationcheater","com.dingweizshou"， "top.a1024bytes.mockloc.ca.pro","com.txy.anywhe,re.clone","com.dracrays.fakelocc","com.tandy.android.mockwxlocation","net.anylocation", "com.sigma_rt.total,control","com.chuangdian.ipjl2",".system/008Mode",".system/008OK", ".system/008system", "iGrimace",
   "/data/data/net.aisence.Touchelper",
   "/mnt/sdcard/touchelf/scripts/", "/mnt/sd,card/TouchSprite/lua", "/mnt/sdcard/TouchSprite/log", "/data/data/com.xxAssistant", "/mnt/sdcard/com.xxAssistant,/script","/data/data/com.cyjh.mobileanjian",
   以下是风险文件（资本家收集这些文件也挺不容易，我就放一半吧）：
   "file:///sdcard/fenshen/device.zip",
   "file:///data/local/tmp/configs",
   "file:///sdcard/fenshen/xiansi.json",
   "file:///sdcard/fenshen/gps.json",
   "file:///data/local/tmp/configs/.a",
   "file:///data/user_de/0/zpp.wjy.zposed.installer",
   以下是部分访问过的文件，残余的记录，不全：
   libc_fopen:
   /proc/self/maps
   libc_opendir:
   /data/system
   libc_opendir:
   /data/system
   libc_opendir:
   /data/system
   libc_opendir:
   /vendor/firmware
   libc_opendir:
   /system/bin
   libc_opendir:
   /vendor/lib
   libc_opendir:
   /system/framework
   libc_opendir:
   /system/fonts
   libc_opendir:
   /system/fonts
   libc_fopen:
   /proc/net/arp
   libc_socket:
   libc_socket:
   libc_access:
   /system/bin/su
   libc_access:
   /system/xbin/su
   libc_access:
   /sbin/su
   libc_fopen:
   /proc/self/maps
   libc_open:
   /system/bin/ls
   libc_access:
   /sys/class/thermal/thermal_zone0/temp
   libc_access:
   /sys/class/power_supply/battery/batt_vol_now
   libc_access:
   /sys/class/power_supply/battery/voltage_now
   libc_access:
   /proc/self/maps
   libc_fopen:
   /proc/self/maps
   libc_access:
   /proc/self/maps
   libc_fopen:
   /proc/self/maps
   libc_access:
   /sys/bus/virtio
   libc_access:
   /sys/class/net/wlan0
   libc_access:
   /sys/class/net/eth0
   libc_access:
   /proc/interrupts
   libc_fopen:
   /proc/interrupts
   libc_access:
   /proc/iomem
   libc_fopen:
   /proc/iomem
   libc_access:
   /proc/ioports
   libc_fopen:
   /proc/ioports
   libc_access:
   /proc/misc
   libc_fopen:
   /proc/misc
   libc_access:
   /proc/kallsyms
   libc_fopen:
   /proc/kallsyms
   libc_access:
   /proc/net/arp
   libc_fopen:
   /proc/net/arp
   libc_access:
   /proc/net/route
   libc_fopen:
   /proc/net/route
   libc_popen:
   cat /proc/sys/kernel/random/boot_id
   libc_fopen:
   /proc/sys/kernel/random/uuid
   /proc/sys/kernel/random/boot_id
   /proc/iomem
   /proc/ioports
   /proc/self/maps
   /proc/net/arp
   还有检测了快100多个java函数（太多了就放一点吧）：
   "clazz": "android/net/wifi/WifiManager",
   "method": "isWifiEnabled",
   "clazz": "android/location/Location",
   "method": "getLatitude",
   "clazz": "android/location/Location",
   "method": "getLongitude",
   "clazz": "android/location/LocationManager",
   "method": "getLastKnownLocation",
   "clazz": "android/location/LocationManager",
   "method": "getProviders",
   "clazz": "android/location/LocationManager",
   "method": "addGpsStatusListener",
   差不多检测的东西完了，然后用了两个加密函数，定位很easy，就不说了。
   到这里构造这几百个参数给服务器，服务器校验参数格式，校验设备是否合法，然后给我想要的东西。
   分析期间自研了一套分析工具，本人专注于app协议分析，协议漏洞挖掘，风控对抗（吹牛逼的）。
   技术交流tg：NpProblem1 , 啊sir 我是合法交流，如果有侵权地方，请先打钱

[培训]《安卓高级研修班(网课)》月薪三万计划，掌 握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法