Inside Android Applications

November 1, 2012 by Devesh Bhatt

By the end of 2012, the number of smartphone shipments around the world will explode to nearly 668 million units, and the Android operating system will have a fifty percent market share. This also means an increase in the number of attacks on mobile applications, and in the investment made to secure applications against those attacks.

The most important part of performing an application pentest for an Android application is understanding the manifest configuration. Analyzing the manifest file is one of the most important and tedious tasks in a penetration testing assessment on the world's most popular mobile OS.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity. At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Every Android application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system, information the system must have before it can run any of the application's code. High-level permissions restricting access to entire components of the system or application can be applied through the AndroidManifest.xml.

The manifest file does the following:

  • It describes the components like the activities, services, broadcast receivers, and content providers that the application is composed of. These declarations let the Android system know what the components are and under what conditions they can be launched.
  • It determines which processes will host application components.
  • It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
  • It also declares the permissions that others are required to have in order to interact with the application's components.
  • It declares the minimum level of the Android API that the application requires.
  • It lists the libraries that the application must be linked against.
  • And moreover, it names the Java package for the application. The package name serves as a unique identifier for the application.

The AndroidManifest.xml file plays a very important role in analyzing the security of Android mobile applications. The file is of great interest when analyzing system security because it defines the permissions the system and applications enforce.

Android packages are .apk files. For test purposes, you can download any Android application and extract it. You will see the AndroidManifest.xml file, but it is difficult to open and read as extracted (see Figure 1.0: AndroidManifest.xml natively obfuscated).


Here is the step-by-step methodology to open and review it.

1. Download the following tools:

  • apktool-install-windows-file
  • apktool-file

2. Unpack both to your Windows directory.

3. Copy the APK file into that directory as well and run the following command in your command prompt (see Figure 1.1: Decoding apk application file):

    apktool d app.apk ./app_decrypted

Here, app.apk is your Android APK file.

4. This will create a folder "app_decrypted" in your current directory. Inside it you can find the AndroidManifest.xml file in decoded, readable form, and you can also find other XML files inside the "app_decrypted/res/layout" directory.

The manifest contains juicy information like permissions, intent filters, and lots more. A typical manifest file is shown below (Figure 1.2: Example of AndroidManifest.xml).

Some of the important configuration settings to look for while analyzing a manifest file:

| Setting | What to check | Recommendations |
| --- | --- | --- |
| android:installLocation | If it is set to "auto", the application may be installed on the external storage, but the system will install the application on the internal storage by default. If the internal storage is full, then the system will install it on the external storage. Once installed, the user can move the application to either internal or external storage through the system settings. | Use "internalOnly" value for this setting. |
| android:protectionLevel | Characterizes the potential risk implied in the permission and indicates the procedure the system should follow when determining whether or not to grant the permission to an application requesting it. | Check if the value is set to "normal" or "dangerous". If it is set to "dangerous", check the permissions. |
| android:persistent | Whether or not the application should remain running at all times — "true" if it should, and "false" if not. The default value is "false". Applications should not normally set this flag. | It should be set to "false". |
| android:restoreAnyVersion | Indicates that the application is prepared to attempt a restore of any backed-up data set, even if the backup was stored by a newer version of the application than is currently installed on the device. | Setting this attribute to true will permit the Backup Manager to attempt restore even when a version mismatch suggests that the data are incompatible. |
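The four checks from the table, run over a decoded manifest, as an added Python example that is not part of the original article. The sample manifest, the package name com.example.demo and the function name audit_manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace that the android: attribute prefix maps to in a decoded manifest.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical app), not taken from a real package.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:installLocation="auto">
    <permission android:name="com.example.demo.READ_NOTES"
        android:protectionLevel="dangerous" />
    <permission android:name="com.example.demo.PING" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:persistent="true" android:restoreAnyVersion="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (setting, value, note) findings for the settings in the table."""
    root = ET.fromstring(xml_text)
    findings = []
    loc = root.get(ANDROID + "installLocation")
    # The table recommends "internalOnly"; an absent attribute is not flagged.
    if loc is not None and loc != "internalOnly":
        findings.append(("android:installLocation", loc, 'use "internalOnly"'))
    for perm in root.findall("permission"):
        # protectionLevel is "normal" when the attribute is omitted.
        level = perm.get(ANDROID + "protectionLevel", "normal")
        if level == "dangerous":
            name = perm.get(ANDROID + "name")
            findings.append(("android:protectionLevel", level, f"review {name}"))
    app = root.find("application")
    if app is not None:
        checks = (("persistent", 'should be "false"'),
                  ("restoreAnyVersion", "restore allowed on version mismatch"))
        for attr, note in checks:
            # Both flags default to "false" when absent.
            if app.get(ANDROID + attr, "false") == "true":
                findings.append(("android:" + attr, "true", note))
    return findings

if __name__ == "__main__":
    for setting, value, note in audit_manifest(SAMPLE_MANIFEST):
        print(f"{setting}={value!r}: {note}")
```

To audit a real application, pass the text of app_decrypted/AndroidManifest.xml to audit_manifest instead of the sample.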

     


Analyzing the manifest file thoroughly could help a penetration tester plan and execute other attacks. After it is done successfully, the remaining testing boils down to a normal web application pentest. So the next time you download an application from the Android market, take a while to open and analyze the AndroidManifest.xml file for fun.