Testing the Janus (two-faced god) vulnerability

Also published at: http://blog.hacktons.cn/2017/12/25/janus-demo/

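Background

On December 9, Android publicly disclosed a major system vulnerability known as Janus (CVE-2017-13156), discovered by the security research company Guard Square.
Janus is the two-faced god of mythology, which is a fitting name for this vulnerability.

The whole vulnerability rests on file verification rules:

A single file can be both an APK and a DEX. The verification rules applied when an APK is installed differ from those applied at execution time, so a malicious DEX can be prepended to the head of an APK to deceive the system.

Below we download an arbitrary APK from an app market to test with.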


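Test APK

The test APK discussed in this article is for standalone research only. Do not distribute or upload it maliciously; the author is not responsible for any disputes that result.

You can download a test APK from a market such as Wandoujia or Yingyongbao. For convenience, choose a relatively small APK; if the APK is large or has been hardened (packed), the replacement work becomes more troublesome.

The annoying part is that the APK we ended up downloading was not the package we had selected but the Wandoujia market app itself. Since Wandoujia insists on getting into the picture, let's simply analyze the Wandoujia market app directly.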

MD5 (Wandoujia_224660_web_inner_referral_binded.apk) = d3c1d9b2a74a3f8fd9fce38d38423c58


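Signature check

First, check whether this Wandoujia APK is v2-signed, because the Janus issue we want to test can only be verified with v1 signing.

The signature information can be checked through the *.SF file. According to public information, a v2-signed APK has the field X-Android-APK-Signed:2 written into its SF file.
Wandoujia's SF file is named META-INF/DEAMON2.SF.
Fortunately, we can confirm that this app uses v1 signing only.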

aven$ unzip -l Wandoujia_224660_web_inner_referral_binded.apk |grep META-INF
   120009  12-15-17 14:38   META-INF/MANIFEST.MF
   120130  12-15-17 14:38   META-INF/DEAMON2.SF
      891  12-15-17 14:38   META-INF/DEAMON2.RSA

aven$ unzip -p Wandoujia_224660_web_inner_referral_binded.apk META-INF/DEAMON2.SF|less
Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: jq/6qzaCk3O+H4OBJsDhMXm+FvE=
Created-By: 1.6.0_30 (Sun Microsystems Inc.)
SHA1-Digest-Manifest: Dts4zfEM9pZstNDahVfVh4e4jGA=

Name: res/drawable-xhdpi-v4/il.png
SHA1-Digest: QCves3Cr/wm3X2w4PR4ESXGMBOw=

Name: res/layout/dh.xml
SHA1-Digest: DCuKb0PRLuNV6jTEbSDGMTEW174=
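
The two properties discussed so far (a file that is both a DEX and an APK, and v1-only signing) can be checked automatically before an APK is trusted. The following Python is an added example, not part of the original post; `build_sample`, `inspect_apk` and `verdict` are names chosen here, and the sample archive is constructed rather than a real app.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"            # first bytes of every DEX file
EOCD_SIG = b"PK\x05\x06"        # ZIP end-of-central-directory record
V2_MAGIC = b"APK Sig Block 42"  # last 16 bytes of the APK Signing Block (v2)

def build_sample(sf_extra: str = "") -> bytes:
    """Constructed stand-in for a v1-signed APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n" + sf_extra + "\r\n")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

def inspect_apk(data: bytes) -> dict:
    """Collect the facts that matter for CVE-2017-13156 from raw APK bytes."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_start = eocd - cd_size   # the central directory sits right before the EOCD
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # zipfile reports real file positions even when bytes precede the archive
        leading = min((i.header_offset for i in zf.infolist()), default=0)
        sf_names = [n for n in zf.namelist()
                    if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")]
        # the v2 marker lives in the main section, i.e. before the first blank line
        mains = [zf.read(n).replace(b"\r\n", b"\n").split(b"\n\n")[0] for n in sf_names]
    return {
        "starts_with_dex": data.startswith(DEX_MAGIC),
        "leading_bytes": leading,
        "v1_signed": bool(sf_names),
        "sf_declares_v2": any(b"X-Android-APK-Signed:" in m for m in mains),
        "has_v2_block": data[max(cd_start - 16, 0):cd_start] == V2_MAGIC,
    }

def verdict(info: dict) -> str:
    if info["starts_with_dex"] or info["leading_bytes"] > 0:
        return "SUSPICIOUS: data precedes the first ZIP entry"
    if info["sf_declares_v2"] and not info["has_v2_block"]:
        return "SUSPICIOUS: .SF declares v2 but the signing block is missing"
    if info["v1_signed"] and not info["has_v2_block"]:
        return "v1-only: re-sign with APK Signature Scheme v2"
    return "ok"

if __name__ == "__main__":
    clean = build_sample()
    prefixed = b"dex\n035\x00" + b"\x00" * 24 + clean  # constructed, not a real DEX
    for label, blob in (("clean", clean), ("prefixed", prefixed)):
        print(label, verdict(inspect_apk(blob)))
```

For a real file, pass `open(path, "rb").read()` to `inspect_apk`; ZIP64 archives and archives whose trailing comment contains the EOCD signature are outside what this handles.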


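Confirming the package name

Next we need to build a new DEX and graft it onto the front of the Wandoujia APK. For this we need to confirm the package name Wandoujia uses: com.wandoujia.phoenix2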

package: name='com.wandoujia.phoenix2' versionCode='16861' versionName='5.68.21'
sdkVersion:'14'
targetSdkVersion:'16'

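It is also worth mentioning that Wandoujia is rather aggressive about permissions and requests a large number of sensitive ones, so pay attention to permissions when using this market, otherwise you may well end up fully exposed:

For example reading/writing SMS, reading/writing contacts and so on, plus some third-party permissions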

uses-permission:'android.permission.READ_SMS'
uses-permission:'android.permission.RECEIVE_SMS'
uses-permission:'android.permission.MANAGE_ACCOUNTS'
uses-permission:'android.permission.AUTHENTICATE_ACCOUNTS'
uses-permission:'android.permission.USE_CREDENTIALS'
uses-permission:'android.permission.READ_SETTINGS'
uses-permission:'android.permission.READ_EXTERNAL_STORAGE'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission:'android.permission.MOUNT_UNMOUNT_FILESYSTEMS'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.ACCESS_NETWORK_STATE'
uses-permission:'android.permission.ACCESS_WIFI_STATE'
uses-permission:'android.permission.CHANGE_WIFI_STATE'
uses-permission:'android.permission.CHANGE_WIFI_MULTICAST_STATE'
uses-permission:'android.permission.SET_WALLPAPER'
uses-permission:'android.permission.SET_WALLPAPER_HINTS'
uses-permission:'android.permission.WRITE_SETTINGS'
uses-permission:'android.permission.CAMERA'
uses-permission:'android.permission.FLASHLIGHT'
uses-permission:'com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission:'com.android.launcher.permission.UNINSTALL_SHORTCUT'
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission:'android.permission.MODIFY_AUDIO_SETTINGS'
uses-permission:'android.permission.SYSTEM_ALERT_WINDOW'
uses-permission:'android.permission.ACCESS_SUPPERUSER'
uses-permission:'android.permission.GET_PACKAGE_SIZE'
uses-permission:'android.permission.KILL_BACKGROUND_PROCESSES'
uses-permission:'android.permission.CLEAR_APP_CACHE'
uses-permission:'android.permission.DISABLE_KEYGUARD'
uses-permission:'com.android.launcher.permission.READ_SETTINGS'
uses-permission:'com.android.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.android.launcher3.permission.READ_SETTINGS'
uses-permission:'com.android.launcher3.permission.WRITE_SETTINGS'
uses-permission:'com.meizu.flyme.launcher.permission.READ_SETTINGS'
uses-permission:'com.meizu.flyme.launcher.permission.WRITE_SETTINGS'
uses-permission:'org.adw.launcher.permission.READ_SETTINGS'
uses-permission:'org.adw.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.qihoo360.launcher.permission.READ_SETTINGS'
uses-permission:'com.qihoo360.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.lge.launcher.permission.READ_SETTINGS'
uses-permission:'com.lge.launcher.permission.WRITE_SETTINGS'
uses-permission:'net.qihoo.launcher.permission.READ_SETTINGS'
uses-permission:'net.qihoo.launcher.permission.WRITE_SETTINGS'
uses-permission:'org.adwfreak.launcher.permission.READ_SETTINGS'
uses-permission:'org.adwfreak.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.huawei.launcher3.permission.READ_SETTINGS'
uses-permission:'com.huawei.launcher3.permission.WRITE_SETTINGS'
uses-permission:'com.fede.launcher.permission.READ_SETTINGS'
uses-permission:'com.fede.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.sec.android.app.twlauncher.settings.READ_SETTINGS'
uses-permission:'com.sec.android.app.twlauncher.settings.WRITE_SETTINGS'
uses-permission:'com.anddoes.launcher.permission.READ_SETTINGS'
uses-permission:'com.anddoes.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.lenovo.launcher.permission.READ_SETTINGS'
uses-permission:'com.lenovo.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.google.android.launcher.permission.READ_SETTINGS'
uses-permission:'com.google.android.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.oppo.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.oppo.launcher.permission.READ_SETTINGS'
uses-permission:'com.yulong.android.launcher3.permission.WRITE_SETTINGS'
uses-permission:'com.yulong.android.launcher3.permission.READ_SETTINGS'
uses-permission:'com.huawei.android.launcher.permission.READ_SETTINGS'
uses-permission:'com.huawei.android.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.htc.launcher.permission.READ_SETTINGS'
uses-permission:'com.htc.launcher.permission.WRITE_SETTINGS'
uses-permission:'com.bbk.launcher2.permission.READ_SETTINGS'
uses-permission:'com.bbk.launcher2.permission.WRITE_SETTINGS'
uses-permission:'android.permission.WAKE_LOCK'
uses-permission:'android.permission.BROADCAST_PACKAGE_ADDED'
uses-permission:'android.permission.BROADCAST_PACKAGE_CHANGED'
uses-permission:'android.permission.BROADCAST_PACKAGE_INSTALL'
uses-permission:'android.permission.BROADCAST_PACKAGE_REPLACED'
uses-permission:'android.permission.RESTART_PACKAGES'
uses-permission:'android.permission.GET_TASKS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission:'android.permission.CHANGE_NETWORK_STATE'
uses-permission:'android.permission.GET_ACCOUNTS'
uses-permission:'android.permission.VIBRATE'
uses-permission:'android.permission.BIND_ACCESSIBILITY_SERVICE'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.WRITE_CONTACTS'
uses-permission:'android.permission.CALL_PHONE'
uses-permission:'android.permission.WRITE_SMS'
uses-permission:'android.permission.WRITE_CALL_LOG'
uses-permission:'android.permission.READ_CALL_LOG'
uses-permission:'android.permission.AUTHENTICATE_ACCOUNTS'
uses-permission:'android.permission.WRITE_SYNC_SETTINGS'
uses-permission:'android.permission.MANAGE_ACCOUNTS'
uses-permission:'android.permission.ACCESS_FINE_LOCATION'
uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
uses-permission:'com.wandoujia.phoenix2.permission.MIPUSH_RECEIVE'
uses-permission:'android.permission.PACKAGE_USAGE_STATS'
uses-permission:'android.permission.PERSISTENT_ACTIVITY'
uses-permission:'android.permission.ACCESS_MTK_MMHW'


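Hack

Next comes the coding work. Our goals are:

  • Replace the Application, and pop up a toast when the app process starts;
  • Replace the launch page, displaying a special message;

To do this, first confirm Wandoujia's custom application class: com.pp.assistant.PPApplication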

aven$ aapt dump xmltree Wandoujia_224660_web_inner_referral_binded.apk AndroidManifest.xml|less

    E: application (line=155)
      A: android:theme(0x01010000)=@0x7f0a0001
      A: android:label(0x01010001)=@0x7f0c038a
      A: android:icon(0x01010002)=@0x7f02009d
      A: android:name(0x01010003)="com.pp.assistant.PPApplication" (Raw: "com.pp.assistant.PPApplication")
      A: android:stateNotNeeded(0x01010016)=(type 0x12)0xffffffff
      A: android:windowSoftInputMode(0x0101022b)=(type 0x11)0x3
      A: android:allowBackup(0x01010280)=(type 0x12)0xffffffff

Create a PPApplication class with the same name and add the toast to it, then compile to get a new APK and extract the DEX from it for later use.


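Interlude

When actually inserting the DEX, I ran into a few hiccups, for example the app crashing on launch after the insertion. So if you insert a completely new DEX, you need to work out its relationship to the original DEX. If the original logic is discarded entirely, you have to manually fill in the ContentProvider and BroadcastReceiver components declared in the manifest; Activities are replaced as needed, and replacing Services is optional.

Also, merging the APK and the DEX is not a simple byte concatenation: the offsets in the final APK have to be modified so that the ZIP stays valid. I used a Python script: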

https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156


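Result

Once that is done, the APK can be installed directly or installed as an upgrade over the existing app. Launching the app then shows completely different behaviour.

Because this was an experiment, we fully replaced the Wandoujia market app's Application and launch Activity, so the obvious impression is that all of the original logic is gone. If the new DEX were instead produced by decompiling and modifying incrementally, the tampered app could behave almost identically to the original, which allows code to be inserted maliciously while being hard for the user to notice.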


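Fix

This bug looks quite serious, but its practical impact is small: users who download apps from legitimate markets are basically fine, and Android has already made an official fix, which should take effect in new versions soon.
Developers are in a rather passive position. The best option is to upgrade signing to V2; there are no other protective measures, since the problem lies in the system's verification.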
