How does the iOS app Display Recorder record the screen without using private API?


Question

The iOS app Display Recorder claims to be able to record the screen of an iOS device, even while it is in the background. Given that UIGetScreenImage() is private API and will lead to a rejection on application submission when detected by the static analysis Apple runs, how were they able to do this recording in an approved application?

Additionally, the app causes a red bar to appear at the top of the screen while it records, similar to the native iOS's phone call functionality.

I've been an iOS developer for a while, and I'm a bit stumped at how this was even done, even down to the detail of putting the red bar at the top when outside of the app. I was under the impression we basically had no control of what's happening when the app runs in the background, short of some key pieces of functionality (like audio playing, etc).

Even if the developer tapped into private API/libraries to accomplish this, how were they able to do this in a way that wasn't detected during review? My apologies if I'm missing something obvious that was introduced with a later version of iOS here.

Recommended answer

Looked into it and it doesn't link against IOSurface. I did however find that it uses dlsym, and after some more reverse engineering, I found this:

/System/Library/Frameworks/IOKit.framework/IOKit
    IOServiceGetMatchingServices
    IOServiceGetMatchingService
    IOServiceMatching
    IOMasterPort
    IOIteratorNext
    IORegistryEntryCreateCFProperty
    IOObjectRelease
/System/Library/Frameworks/UIKit.framework/UIKit
    UIGetScreenImage
/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
    IOMobileFramebufferOpen
    IOMobileFramebufferGetLayerDefaultSurface
/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
    IOSurfaceAcceleratorCreate
    IOSurfaceAcceleratorTransferSurface
    IOSurfaceLock
    IOSurfaceUnlock
    IOSurfaceGetWidth
    IOSurfaceGetHeight
    IOSurfaceCreate
    IOSurfaceGetBaseAddress

So, as you see here, after each framework path are the strings of the symbols that it loads from each framework, dynamically. This is to avoid getting in trouble for linking against a Private Framework. Since it is loaded in at runtime, a static analyzer cannot tell that this app uses it, thereby escaping detection.

It does look like my initial suspicion was correct; it is using IOSurface to sneak past sandbox restrictions to have raw screen access. It also uses UIGetScreenImage, which I assume is for the second method of generating video. It also uses some IOKit functions and IOMobileFramebuffer functions. It looks like the app is grabbing an IOSurface from the IOMobileFramebufferGetLayerDefaultSurface function. Not quite sure what it uses IOKit for though.

In conclusion, this app uses some sneaky techniques to avoid detection by static analyzers: it doesn't link against the private frameworks but instead grabs the symbols dynamically. It uses a combination of IOSurface and IOMobileFramebuffer to record the video, or UIGetScreenImage for the other mode. It is a tricky app that WILL get pulled from the AppStore, so if you want it, you better get it now.

It appears that this app was indeed pulled from the AppStore. If you were lucky enough to grab a copy before it was pulled, that's great. I know that I'm glad I got it.

Apple probably justified its decision by stating that the app used private APIs and it could be viewed as a potential security problem (an app that watches you as you type in your iTunes password is one example, scary thought). I wonder if this will lead to a change in their reviewing process, but we will likely never know. One thing that is interesting to me is that there are still many more tricks developers could potentially use to hide their app's behavior from static analysis. No reviewing process is perfect, but they can do pretty well. Even if Apple automatically refuses apps that link against the dlsym symbol, there are methods that can be used to bypass detection.

Apparently, there is another version of this application in the AppStore now. It is called "Disp Recorder" and has the same exact icon as the first. The GUI looks almost identical to the original one with a few minor changes. I haven't yet reversed the newer one, but I'd be willing to bet that they used the same techniques to hide the illegal behavior. I will update this answer once I reverse the new version. The new one costs $5, but if you have ever wanted a screen recording app on an unjailbroken device, you should grab it before it is pulled.

It looks as if I was very much correct with how this application works. There is an open-source implementation of this on GitHub by @coolstarorg called RecordMyScreen. If you still wonder how this app works, I suggest you go check it out.
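
For reviewers, a string-table scan catches the layout found in the answer above even though no private framework appears among the linked libraries. This is an added example, not code from the answer or from RecordMyScreen; the deny-list, the helper names and the sample bytes are assumptions constructed for illustration.

```python
import re

PRIVATE_PREFIX = "/System/Library/PrivateFrameworks/"
PRIVATE_SYMBOLS = {"UIGetScreenImage"}   # private per the question; extend as needed
LOADER_IMPORTS = {"_dlopen", "_dlsym"}   # Mach-O import names carry a leading underscore
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def c_strings(blob, min_len=4):
    """Printable ASCII runs in file order, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def scan(blob):
    report = {"loader": set(), "private_frameworks": {}, "private_symbols": set()}
    current = None  # private framework path whose symbol names we are collecting
    for s in c_strings(blob):
        if s in LOADER_IMPORTS:
            report["loader"].add(s)
            current = None
        elif s.startswith("/System/Library/"):
            current = s if s.startswith(PRIVATE_PREFIX) else None
            if current:
                report["private_frameworks"][current] = []
        elif IDENT.fullmatch(s):
            if current:  # identifier stored right after a private framework path
                report["private_frameworks"][current].append(s)
        else:
            current = None  # any other string ends the run of symbol names
        if s in PRIVATE_SYMBOLS:
            report["private_symbols"].add(s)
    # Flag only when runtime symbol lookup is imported AND private names are embedded.
    report["suspicious"] = bool(report["loader"]) and bool(
        report["private_frameworks"] or report["private_symbols"])
    return report

# Constructed sample: NUL-separated strings laid out like the list above (not a real binary).
SAMPLE = b"\x00".join([
    b"\x07\x01", b"_dlopen", b"_dlsym",
    b"/System/Library/Frameworks/UIKit.framework/UIKit", b"UIGetScreenImage",
    b"/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer",
    b"IOMobileFramebufferOpen", b"IOMobileFramebufferGetLayerDefaultSurface",
    b"/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface",
    b"IOSurfaceCreate", b"IOSurfaceLock", b"%d frames", b"NotASymbolOfIOSurface",
])

if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(key, value)
```

A check of linked libraries alone would report nothing for this sample; tracing dlopen and dlsym calls at runtime complements the string scan.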
