简体繁体 English

SourceDNA如何跟踪应用程序使用的SDK

[英]How does SourceDNA track SDKs used by apps

原文 2015-04-21 15:05:15 6 2 ios/ sdk/ reverse-engineering

I just got done reading the press hysteria around AFNetworking exposing apps to a man in the middle attack. 我刚刚读完有关AFNetworking的新闻歇斯底里，将应用程序暴露给中级攻击者。 I was surprised that sourcedna.com claims 我很惊讶sourcedna.com声称

SourceDNA analyzes the code in thousands of iOS & Android apps. SourceDNA分析数千个iOS和Android应用程序中的代码。

sourcedna.com even has a search engine to report whether a vendor's apps use the AFNetworking SDK. sourcedna.com甚至有一个搜索引擎来报告供应商的应用程序是否使用了AFNetworking SDK。

Considering they don't have access to paid apps, how do they claim to do this? 考虑到他们无权使用付费应用程序，他们如何声称这样做？ Do SDKs like AFNetworking log SDK use in some form? AFNetworking日志SDK等SDK是否以某种形式使用？ If so, to who? 如果是这样，给谁？

2 个解决方案

I am curious about this too. 我对此也很好奇。 Here is what I gather: 这是我收集的内容：

SourceDNA only checks whether the library is linked into the app binary. SourceDNA仅检查该库是否链接到应用程序二进制文件。 They do not check how or whether the library is actually used by the app. 他们不检查应用程序实际使用库的方式或方式。

Objective-C is a dynamic language and keeps a lot of metadata in the binary. Objective-C是一种动态语言，在二进制文件中保留了许多元数据。 You can trivially run tools like class-dump or otool -ov on any unencrypted binary and it will list the names and inheritance of all classes, and the names and signatures of all methods and instance variables in each class, among other things. 您可以在任何未加密的二进制文件上简单地运行class-dump或otool -ov class-dump工具，它会列出所有类的名称和继承，以及每个类中所有方法和实例变量的名称和签名，以及其他内容。

Libraries like AFNetworking have many distinctive class names that they can check for in the list of classes in the app. 像AFNetworking这样的库具有许多独特的类名称，可以在应用程序的类列表中进行检查。 Each version will have some added or removed methods and/or instance variables, so by checking the class dump from the app against the class declarations from each version of the library, they can figure out the version of the library used. 每个版本都有一些添加或删除的方法和/或实例变量，因此通过对照每个库版本的类声明检查应用程序中的类转储，他们可以找出所使用库的版本。

However, apps downloaded from the App Store are encrypted; 但是，从App Store下载的应用程序已加密。 and the App Store is the only way that SourceDNA could have gotten these apps. 而App Store是SourceDNA可以获取这些应用程序的唯一方法。 It is possible to decrypt / crack encrypted apps (that is how people pirate paid apps -- they buy them, crack them, and post the unencrypted binaries on pirate websites), but the common way to do this I believe involves buying and running the app on a jailbroken device. 可以对加密的应用程序进行解密/破解（这就是人们盗版付费应用程序的方式-他们购买，破解它们，然后将未加密的二进制文件发布到盗版网站上），但是我认为通常的实现方式涉及购买和运行越狱设备上的应用程序。

I assume that the SourceDNA people must have automated this process somehow, so that they can automatically report on thousands of apps. 我假设SourceDNA人员必须以某种方式使此过程自动化，以便他们可以自动报告数千个应用程序。

As I replied to @janselrx, I believe it's as I suspected and they can only analyze free apps. 正如我回复@janselrx一样，我相信这是我所怀疑的，他们只能分析免费应用程序。 From their website: 从他们的网站：

SourceDNA analyzes the code in thousands of iOS & Android apps. SourceDNA分析数千个iOS和Android应用程序中的代码。 This report lets you explore recent data about the mobile SDKs and tools found in the top 500 free apps. 此报告可让您浏览有关前500个免费应用程序中的移动SDK和工具的最新数据。