[BUG] Apps can detect if Xposed/Edxposed app is installed even if they are blacklisted

[ghost]

什么情况/What happened?

App added in black list mode of edxposed can still detect if it's installed. In an app there's the following check:

boolean isXposedAppInstalled = false;
boolean isXposedHookEnabled = false;

try {
    isXposedAppInstalled = context.getPackageManager().getApplicationInfo("de.robv.android.xposed.installer", 0).enabled;
}
catch(PackageManager.NameNotFoundException e) {
    isXposedAppInstalled = false;
}

// At this point isXposedAppInstalled should be false if the app is blacklisted, but it's true

if (isXposedAppInstalled) {
    StackTraceElement[] sTrace = new Throwable().getStackTrace();
    for (StackTraceElement element : sTrace) {
        String clzName = element.getClassName();
        if (clzName != null && (clzName.contains("de.robv.android.xposed.XposedBridge"))) {
            isXposedHookEnabled = true;
            break;
        }
    }
}

I made an application to test this code (also added to blacklist) and it can also detect edxposed app by changing the package name in the check (the detection from the stacktrace fails). Shouldn't edxposed app be undetectable to blacklisted app?

Xposed模块列表/Xposed Module List

Lucky Patcher 8.7.9 EdXposed Manager 4.5.7

Magisk模块列表/Magisk Module List

Busybox for Android NDK 1.31.1 MagiskHide Props Config 5.2.6-v92

EdXposed及Riru版本/Versions of EdXposed and Riru

EdXposed: 0.4.6.3 (4552) (SandHook)

Riru: 21.2

相关Logcat/Logcat

No logcat available

[XspeedPL]

This is the most common way of detecting Xposed as far as I know.

While repackaging the manager is doable (like Magisk or LP), obfuscation of the Bridge could be problematic, as modules depend on the exact class names.

Maybe the class loader could be modified to redirect class references to renamed Xposed components on the fly, that would be cool as heck.

[kotori2]

634