The most important part of performing an application pentest for an Android application is understanding the manifest configuration. Analyzing the manifest file is one of the most important and tedious tasks while performing a penetration testing assessment on the world’s most popular mobile OS. Android is a privilege-separated operating system, in which each application runs with a distinct system identity. At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package’s life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device. Every Android application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system, information the system must have before it can run any of the application’s code. High-level permissions restricting access to entire components of the system or application can be applied through the AndroidManifest.xml. The manifest file does the following:
It describes the components like the activities, services, broadcast receivers, and content providers that the application is composed of. These declarations let the Android system know what the components are and under what conditions they can be launched.
It determines which processes will host application components.
It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
It also declares the permissions that others are required to have in order to interact with the application’s components.
It declares the minimum level of the Android API that the application requires.
It lists the libraries that the application must be linked against.
And moreover, it names the Java package for the application. The package name serves as a unique identifier for the application.
AndroidManifest.xml file plays a very important role in analyzing the security of Android mobile applications. The file is of great interest when analyzing system security because it defines the permissions the system and applications enforce. Android packages are .apk files. For test purposes you can download any Android application and extract it and you will see the AndroidManifest.xml file which would be difficult to open. (See below Figure1.0: AndroidManifest.xml natively obfuscated)
Here is the step by step methodology to open and review it.
- Download the following tools:
apktool-install-windows-file
apktool-file
Unpack both to your Windows directory.
Now copy the APK file also in that directory and run the following command in your command prompt (See Figure 1.1: Decoding apk application file): apktool d app.apk ./app_decrypted Here app.apk is your Android APK file:
This will create a folder “app_decrypted” in your current directory. Inside it you can find the AndroidManifest.xml file in decrypted form and you can also find other XML files inside the “app_decrypted/res/layout” directory. The manifest contains juicy information like permissions, intent filters, and lots more. A typical manifest file is shown below (Figure 1.2: Example of AndroidManifest.xml):
Some of the important configuration settings to look for while analyzing a manifest file: If the internal storage is full, then the system will install it on the external storage. Once installed, the user can move the application to either internal or external storage through the system settingsUse “internalOnly” value for this setting.android:protectionLevelCharacterizes the potential risk implied in the permission and indicates the procedure the system should follow when determining whether or not to grant the permission to an application requesting it.Check if the value is set to “normal” or “dangerous”. If it is set to “dangerous”, check the permissions.android:persistentWhether or not the application should remain running at all times — “true” if it should, and “false” if not. The default value is “false”. Applications should not normally set this flag. It should be set to “false”android:restoreAnyVersionIndicates that the application is prepared to attempt a restore of any backed-up data set, even if the backup was stored by a newer version of the application than is currently installed on the device.Setting this attribute to true will permit the Backup Manager to attempt restore even when a version mismatch suggests that the data are incompatible Analyzing the manifest file thoroughly could help a penetration tester plan and execute other attacks. After it is done successfully , the remaining testing boils down to a normal web application pentest. So next time when you download any application from Android market, just take a while to open and analyze the AndroidManifest.xml file for fun.