XPrivacy
XPrivacy copied to clipboard
M66B
Advertising ID not hooked for some applications
Applications can get Advertising ID bypassing standard methods (getId) if use this code http://stackoverflow.com/questions/20097506/using-the-new-android-advertiser-id-inside-an-sdk
This can only be prevented by hooking in the service that provides the advertising ID. Unfortunately this is not possible, because this service is closed source. I could hook into the Binder, which I did before, but the big disadvantage is a system wide degraded performance.
Hmm is there perhaps a way to change the Advertising ID itself, since this can be done by hand as well? There is no real use for it anyway, so I'm sure all users would be fine with Xprivacy's changing the ID every time a new application starts, or something like that.
Not a random application, but Xprivacy? We can now reset it through some menu in the Google application. If Xprivacy were to change/reset the ID on a regular basis, that would protect users from being tracked that way fairly well?
For Google Play services, XPrivacy is just a random application. The problem here it is closed source, so honking is not an option.
Oh, in that way, I see. Too bad there isn't an intent to do that or something.
I try to play with code and here is result:
XposedHelpers.findAndHookMethod("android.os.BinderProxy", loadPackageParam.classLoader, "transact", int.class, Parcel.class, Parcel.class, int.class, new XC_MethodHook() {
protected void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
IBinder binder = (IBinder) param.thisObject;
String interfaceBinder = binder.getInterfaceDescriptor();
if (interfaceBinder.equals("com.google.android.gms.ads.identifier.internal.IAdvertisingIdService")) {
// change result for readString
}
}
});
I think this code would work if change data in reply parcel.
Yes, I know this will work, but check how many calls are done to transact to see what the performance impact is.
See also this source: https://github.com/M66B/XPrivacy/blob/master/src/biz/bokhorst/xprivacy/XBinder.java
I'd love to, but I can not deal with the substitution data Parcel. Can you show me the direction to solve this problem?
Hook into android.os.Binder.execTransact (this is safer, because it is at the service side, which cannot be unhooked).
Then in "before" create a new parcel with the right layout and values, see here for how to create a new parcel: https://github.com/M66B/XPrivacy/blob/master/src/biz/bokhorst/xprivacy/XBinder.java#L311 and see here for how to write to the parcel: http://developer.android.com/reference/android/os/Parcel.html
One little concern: the parcel layout may be version dependent, but lets ignore that for now.
Nice challenge for a Sunday morning ;-)
If you use Hangouts/XMPP and want to chat, please contact me here to exchange addresses if you like: http://forum.faircode.eu/contact/
This is the layout of the Parcel (taken from StackOverflow):
reply.readException();
id = reply.readString();
So, create the fake Parcel with:
writeNoException();
writeString(fakeValue);
One other thing: you should test for the transaction code:
binder.transact(1, data, reply, 0);
So, like this:
int code = (Integer) param.args[0];
if (code == 1)
...
Now i have this code
int code = (Integer) param.args[0];
if (code == 1) {
Method methodObtain = Parcel.class.getDeclaredMethod("obtain");
methodObtain.setAccessible(true);
Parcel reply = (Parcel) methodObtain.invoke(null, param.args[2]);
reply.writeNoException();
reply.writeString("a7bf815a-c37b-40db-be9d-3b395abbe888");
}
param.setResult(true);
but in this case i got error "java.lang.IllegalArgumentException: wrong number of arguments; expected 0, got 1" on line with code "Parcel reply = (Parcel) methodObtain.invoke(null, param.args[2]);"
Change to:
Method methodObtain = Parcel.class.getDeclaredMethod("obtain", int.class);
Note that this has been changed on Lollipop:
http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/5.0.2_r1/android/os/Parcel.java#Parcel.obtain%28int%29
Also, you need this to rewrite the Parcel:
reply.setDataPosition(0);
Ok. This code should work, but not worked. I am confused (
XposedHelpers.findAndHookMethod("android.os.Binder", loadPackageParam.classLoader, "execTransact", int.class, long.class, long.class, int.class, new XC_MethodHook() {
protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
IBinder binder = (IBinder) param.thisObject;
String interfaceBinder = binder.getInterfaceDescriptor();
if (interfaceBinder.equals("com.google.android.gms.ads.identifier.internal.IAdvertisingIdService")) {
int code = (Integer) param.args[0];
if (code == 1) {
Method methodObtain = Parcel.class.getDeclaredMethod("obtain", int.class);
methodObtain.setAccessible(true);
Parcel reply = (Parcel) methodObtain.invoke(null, param.args[2]);
reply.setDataPosition(0);
reply.writeNoException();
reply.writeString("a7bf815a-c37b-40db-be9d-3b395abbe888");
}
param.setResult(true);
}
}
});
I got error java.lang.NoSuchMethodError: android.os.Binder#execTransact(int,long,long,int)#exact
Which Android version are you using?
Android 5.x: http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/5.0.2_r1/android/os/Binder.java#435
Earlier versions: http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/4.4.4_r1/android/os/Binder.java#393
Then change to:
XposedHelpers.findAndHookMethod("android.os.Binder", loadPackageParam.classLoader, "execTransact", int.class, int.class, int.class, int.class, new XC_MethodHook() {
You are amazing ). I was not able to solve this problem for 3 days. Thank you very much. Sorry, but i don't know how to create pull request. Worked code.
XposedHelpers.findAndHookMethod("android.os.Binder", loadPackageParam.classLoader, "execTransact", int.class, int.class, int.class, int.class, new XC_MethodHook() {
protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
super.beforeHookedMethod(param);
IBinder binder = (IBinder) param.thisObject;
String interfaceBinder = binder.getInterfaceDescriptor();
if (interfaceBinder.equals("com.google.android.gms.ads.identifier.internal.IAdvertisingIdService")) {
int code = (Integer) param.args[0];
if (code == 1) {
Method methodObtain = Parcel.class.getDeclaredMethod("obtain", int.class);
methodObtain.setAccessible(true);
Parcel reply = (Parcel) methodObtain.invoke(null, param.args[2]);
reply.setDataPosition(0);
reply.writeNoException();
reply.writeString("a7bf815a-c37b-40db-be9d-3b395abbe888");
param.setResult(true);
}
}
}
});
Best regards from Ukraine.
You will first have to integrate this code into XPrivacy. Take a look at the XBinder class (or any other X-class) about how to do this and write a similar class, which you should reference from XPrivacy. You'll see it is simple.
XPrivacy uses an abstraction layer around Xposed, so it can easily be replaced by another framework.
I can do this easily, but I think it is good if others learn how to do this as well.
I have to add that Parcel.obtain takes long as argument, not int. I tried this code and have exception. Android 5.1.1
Thnx! and if it is part of universal module, what is the best way to solve it?