By the end of 2012, the number of Smartphone shipments around the world will explode to nearly 668 million units, and the Android operating system will have a fifty percent market share. This also means more attacks on mobile applications, and more investment in securing those applications against such attacks.

The most important part of performing an application pentest for an Android application is understanding the manifest configuration. Analyzing the manifest file is one of the most important, and most tedious, tasks in a penetration testing assessment on the world’s most popular mobile OS.

Android is a privilege-separated operating system, in which each application runs with a distinct system identity. At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package’s life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Every Android application must have an AndroidManifest.xml file in its root directory. The manifest presents essential information about the application to the Android system, information the system must have before it can run any of the application’s code. High-level permissions restricting access to entire components of the system or application can be applied through the AndroidManifest.xml.

The manifest file does the following:

  • It describes the components like the activities, services, broadcast receivers, and content providers that the application is composed of. These declarations let the Android system know what the components are and under what conditions they can be launched.
  • It determines which processes will host application components.
  • It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
  • It also declares the permissions that others are required to have in order to interact with the application’s components.
  • It declares the minimum level of the Android API that the application requires.
  • It lists the libraries that the application must be linked against.
  • It names the Java package for the application; the package name serves as the application’s unique identifier.

The AndroidManifest.xml file plays a very important role in analyzing the security of Android mobile applications. The file is of great interest when analyzing system security because it defines the permissions the system and applications enforce.

Android packages are .apk files. For test purposes you can download any Android application and extract it; you will see the AndroidManifest.xml file inside, but it will not open as readable text. (See Figure 1.0: AndroidManifest.xml natively obfuscated.)


Here is the step by step methodology to open and review it.

1. Download the following tools:

2. Unpack both to your Windows directory.

3. Now copy the APK file also in that directory and run the following command in your command prompt (See Figure 1.1: Decoding apk application file):

apktool d app.apk ./app_decrypted

Here app.apk is your Android APK file.



4. This will create a folder “app_decrypted” in your current directory. Inside it you can find the AndroidManifest.xml file in decoded, readable form, and you can also find other XML files inside the “app_decrypted/res/layout” directory.

The manifest contains juicy information like permissions, intent filters, and lots more. A typical manifest file is shown below (Figure 1.2: Example of AndroidManifest.xml):


Some of the important configuration settings to look for while analyzing a manifest file:

Setting: android:installLocation
What to check: If it is set to “auto”, the application may be installed on the external storage, but the system will install the application on the internal storage by default. If the internal storage is full, then the system will install it on the external storage. Once installed, the user can move the application to either internal or external storage through the system settings.
Recommendation: Use the “internalOnly” value for this setting.

Setting: android:protectionLevel
What to check: Characterizes the potential risk implied in the permission and indicates the procedure the system should follow when determining whether or not to grant the permission to an application requesting it.
Recommendation: Check whether the value is set to “normal” or “dangerous”. If it is set to “dangerous”, check the permissions.

Setting: android:persistent
What to check: Whether or not the application should remain running at all times: “true” if it should, and “false” if not. The default value is “false”. Applications should not normally set this flag.
Recommendation: It should be set to “false”.

Setting: android:restoreAnyVersion
What to check: Indicates that the application is prepared to attempt a restore of any backed-up data set, even if the backup was stored by a newer version of the application than is currently installed on the device.
Recommendation: Setting this attribute to true will permit the Backup Manager to attempt a restore even when a version mismatch suggests that the data are incompatible.
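As an added example (not part of the original article), the following script runs the checks from the table above over a manifest decoded by apktool (step 4). It parses the XML with the standard library, lists the requested permissions, and flags installLocation, protectionLevel, persistent and restoreAnyVersion values that deviate from the recommendations; the embedded manifest is a constructed sample, not a real application.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(attr):
    """Namespace-qualified name of an android:* attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)

# Constructed sample, shaped like a manifest decoded by apktool (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample" android:installLocation="auto">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <permission android:name="com.example.sample.permission.SYNC"
                android:protectionLevel="dangerous"/>
    <application android:label="Sample" android:persistent="true"
                 android:restoreAnyVersion="true">
    </application>
</manifest>
"""

def requested_permissions(xml_text):
    """Permissions the app asks for (<uses-permission>), in manifest order."""
    root = ET.fromstring(xml_text)
    return [p.get(android_attr("name")) for p in root.findall("uses-permission")]

def review_manifest(xml_text):
    """Apply the table's checks; returns a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    findings = []
    loc = root.get(android_attr("installLocation"))
    if loc is not None and loc != "internalOnly":
        findings.append("installLocation=%s (recommend internalOnly)" % loc)
    for perm in root.findall("permission"):  # permissions the app itself defines
        level = perm.get(android_attr("protectionLevel"), "normal")  # default: normal
        if level != "normal":
            findings.append("permission %s has protectionLevel=%s" % (perm.get(android_attr("name")), level))
    app = root.find("application")
    if app is not None:
        for flag in ("persistent", "restoreAnyVersion"):  # both default to false
            if app.get(android_attr(flag), "false") == "true":
                findings.append("application android:%s=true" % flag)
    return findings

if __name__ == "__main__":  # usage: python review_manifest.py app_decrypted/AndroidManifest.xml
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print("uses-permission:", ", ".join(requested_permissions(text)))
    print("\n".join("CHECK: " + f for f in review_manifest(text)))
```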


Analyzing the manifest file thoroughly can help a penetration tester plan and execute other attacks. Once that is done successfully, the remaining testing boils down to a normal web application pentest. So next time you download any application from the Android market, take a while to open and analyze the AndroidManifest.xml file for fun.