Understanding AndroidManifest.xml
After decompiling an APK we get the AndroidManifest.xml file. It contains all the information about the application's configuration, such as which components are used and which permissions are requested.
Let's start with the package details: package="com.example.app"
The package name may not look useful at first, but it is very helpful later on during testing. The package name is different from the app name; it is the name the system uses when it carries out operations. For example, when looking into the app we find /data/data/com.example.app, which is the directory where the app stores most of its data.
Next is the API information.
SDK version and Android version are easy to confuse, but they are different: for example, the SDK version of Android 4.4 (KitKat) is 19. So what exactly does the API information tell us? minSdkVersion specifies that the app is not supported below SDK 19, maxSdkVersion specifies that it is not supported above SDK 22, and targetSdkVersion is the version the app is built for and compatible with.
After that come the flags in the file, which are the most important part from a security perspective.
The first flag is backup, which is set to true, so backups of the app are allowed, whether automatic or manual. The security risk is that an attacker can back up the app together with sensitive information such as credit card details, usernames and passwords, and restore it into their own copy of the app, which becomes a threat to user integrity.
The second flag is debuggable mode, which is set to true and should not be. When it is true, an attacker can perform runtime code injection and gather plenty of information because of the staging environment. That is why it is important to set it to false and avoid the security risk.
Every permission the app uses must be declared in the AndroidManifest.xml file. In the code above, for example, the app requests permission for the camera, which is not owned by the app.
WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE: writing to and reading from external storage indicates that the app interacts with external storage, so we can look there for sensitive data it might store. That data is world-readable and writable, so anyone can access it and modify it.
Want to know more about permissions? Check out Android Security Model
When an activity is declared in the file, you can see the <activity> element as mentioned above. The dot operator helps to shorten names: com.example.app/com.example.app.activities.example is the same as com.example.app/.activities.example
While going through the decompiled code, you can simply look for the folder com > example > app > activities > example.class
Want to know more about Activities? Check out Deep Dive into Activities
In the same way, the other Android components are declared in the file:
<service> for each subclass of Service.
<receiver> for each subclass of BroadcastReceiver.
<provider> for each subclass of ContentProvider.
One more thing to notice here is exported="true"
What does it mean? It means the component can be reached from outside the app: whenever the app needs to work with an external app, or an activity needs to be invoked by another app, that is allowed. But because the component is accessible to other apps too, any malicious app can use it to carry out malicious activity against the app. There is one condition: the permission has to be missing. If the developer configures a permission on the component, it can be started only by an app that holds the required permission.
<intent-filter>
    <action android:name="android.intent.action.MAIN" />
    <category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
Want to know more about Intent & Intent Filters? Check out Intent & Intent Filters
To start any component, such as an activity or a service, or to deliver a broadcast, we need an intent. With an explicit intent, the system knows exactly what to do next. But sometimes it is not known which app should perform a specific action because there are many choices; the share feature, for example, offers multiple options. In that case an implicit intent is used, and with implicit intents, intent filters come into play, as in the code above.
An activity that is declared with an intent filter is exported by default.
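
A static check for the settings covered on this page (backup and debuggable flags, external-storage permissions, exported components without a permission, dot-shorthand names), as an added example that is not from the original page. It assumes the manifest has already been decoded to plain XML; the manifest in SAMPLE is constructed, and names such as .SyncService, .BootReceiver, .DataProvider and com.example.app.PRIVATE are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
# Constructed sample manifest (not from the original page).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".activities.example">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.app.PRIVATE"/>
    <provider android:name=".DataProvider" android:exported="false"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Return a list of findings for the settings discussed on this page."""
    root = ET.fromstring(manifest_xml)
    pkg, app, findings = root.get("package", ""), root.find("application"), []
    if app.get(ANDROID + "allowBackup", "true") == "true":  # defaults to true
        findings.append("allowBackup: app data can be backed up and restored")
    if app.get(ANDROID + "debuggable") == "true":
        findings.append("debuggable: build can be debugged at runtime")
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") in STORAGE:
            findings.append("storage: " + perm.get(ANDROID + "name"))
    for comp in (c for tag in COMPONENTS for c in app.iter(tag)):
        name = comp.get(ANDROID + "name", "")
        full = pkg + name if name.startswith(".") else name  # dot shorthand
        # Without android:exported, an intent filter makes the component
        # exported (apps targeting API 31+ must set the attribute explicitly).
        default = "true" if comp.find("intent-filter") is not None else "false"
        exported = comp.get(ANDROID + "exported", default) == "true"
        if exported and not comp.get(ANDROID + "permission"):
            findings.append("exported without permission: " + full)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The launcher activity is reported because its intent filter exports it, which is expected for an entry point; the other exported components are the ones to review first.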