androidmanifest.xml 解码工具又来一发

背景：

最近这几天在研究facebook的协议，但是facebook的采用 SSL Pinning 技术，正常通过fiddler是不能解开SSL观察协议。

听说facebook app在 manifest里面使用了android新的配置，<application android:networkSecurityConfig="@xml/network_security_config">

因此，特别想看看facebook apk的manifest，有没有这个新配置。

但是用apktool来分析facebook apk又报错，于是自己撸一个小工具吧。

官方针对 networkSecurityConfig 配置说明

---

简要说明，androidmanifest.xml二进制数据结构：

关于androidmanifest的定义基本在/frameworks/base/libs/androidfw/include/androidfw/ResourceTypes.h 这个文件里

仔细看看这个文件发现androidmanifest文件结构很简单，不复杂。

androidmanifest.xml 头定义如下，共8个字节，后面就是独立的不同类型的chunk组成

/**
 * Header that appears at the front of every data chunk in a resource.
 */
struct ResChunk_header
{
    // Type identifier for this chunk.  The meaning of this value depends
    // on the containing chunk.
    uint16_t type;

    // Size of the chunk header (in bytes).  Adding this value to
    // the address of the chunk allows you to find its associated data
    // (if any).
    uint16_t headerSize;

    // Total size of this chunk (in bytes).  This is the chunkSize plus
    // the size of any data associated with the chunk.  Adding this value
    // to the chunk allows you to completely skip its contents (including
    // any child chunks).  If this value is the same as chunkSize, there is
    // no data associated with the chunk.
    uint32_t size;
};

---

如 ResStringPool_header:

/** ********************************************************************
*  String Pool
*
*  A set of strings that can be references by others through a
*  ResStringPool_ref.
*
*********************************************************************** */

/**
 * Definition for a pool of strings.  The data of this chunk is an
 * array of uint32_t providing indices into the pool, relative to
 * stringsStart.  At stringsStart are all of the UTF-16 strings
 * concatenated together; each starts with a uint16_t of the string's
 * length and each ends with a 0x0000 terminator.  If a string is >
 * 32767 characters, the high bit of the length is set meaning to take
 * those 15 bits as a high word and it will be followed by another
 * uint16_t containing the low word.
 *
 * If styleCount is not zero, then immediately following the array of
 * uint32_t indices into the string table is another array of indices
 * into a style table starting at stylesStart.  Each entry in the
 * style table is an array of ResStringPool_span structures.
 */
struct ResStringPool_header
{
    struct ResChunk_header header;

    // Number of strings in this pool (number of uint32_t indices that follow
    // in the data).
    uint32_t stringCount;

    // Number of style span arrays in the pool (number of uint32_t indices
    // follow the string indices).
    uint32_t styleCount;

    // Flags.
    enum {
        // If set, the string index is sorted by the string values (based
        // on strcmp16()).
        SORTED_FLAG = 1<<0,

        // String pool is encoded in UTF-8
        UTF8_FLAG = 1<<8
    };
    uint32_t flags;

    // Index from header of the string data.
    uint32_t stringsStart;

    // Index from header of the style data.
    uint32_t stylesStart;
};

知道了定义，就可以很方便写一个工具来解开二进制的androidmanifest.xml，转成纯文本的androidmanifest.xml

果然在facebook里面发现了最新的安全配置 android:networkSecurityConfig。

它表示facebook是采用自己的根证书，防止中间人攻击。

因此fiddler是不能解开facebook的ssl协议，只能是patch so文件来达到这个目的了。

---

我的小工具：

md 工具下载地址

使用的方法很简单，md 二进制androidmanifest.xml文件路径，即可以解开。