Saturday, 7 December 2013

Pentesting Android Applications Part 1 - Analyzing Android Permissions

Posted by srini0x00 on 05:06


The Android permission model is one of the core security features Google built into the Android platform to protect end users.

When a developer builds an Android app, the permissions must be declared if the app uses any protected features of the device.

For example, an app that wants to monitor incoming SMS, read the phone state or access the internet would declare permissions as shown in the following snippet.

  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.permissionexample.helloworld">
      <uses-permission android:name="android.permission.RECEIVE_SMS" />
      <uses-permission android:name="android.permission.INTERNET" />
      <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  </manifest>

This is done in a file called AndroidManifest.xml, using the <uses-permission> tag as shown in Figure 1.1.
Figure 1.1 AndroidManifest.xml file

Note: Components such as intents, services and broadcast receivers must also be declared in the manifest when they are used to access sensitive resources.

Permissions for an End User

When a user installs an application, a window pops up showing the permissions the app uses. If the user accepts them, the app can use those permissions from then on and no further checks are done while the app runs. However, if an app tries to use a permission that is not declared in the manifest file, the access to that resource silently fails or, in some cases, a security exception is thrown.

We can see the permissions of each app installed on the device as shown in Figure 1.3.

Go to Settings > Applications. Pick an app and scroll down to see the permissions it uses.

Figure 1.3

Note: If an app uses more permissions than it needs, we may suspect it is malicious and analyze it further.

Pentesting Android Apps - Analyzing Permissions

Though it is fairly easy for an end user to look at the permissions and decide whether to accept them, a pentester's life won't be that easy when analyzing an app's behavior, since an app may contain dangerous hidden services or broadcast receivers with malicious intent. So it is always a good idea to look at the manifest file during a pentest or malware analysis.

Here are the various scenarios a pentester may come across and the techniques needed in each.

  • When source code is available
  • When an APK is available (no source code)
  • When an APK is not available

When source code is available:

If the source code is available, we can directly jump into the AndroidManifest.xml file and analyze the app permissions and other components being used by the app.

1. Check <uses-permission> to see if any permissions are declared beyond what the app requires.
For example, if you are analyzing a calendar application, it really doesn't require the READ_SMS permission; finding it there calls for further analysis of the code.

2. Check whether there are any broadcast receivers, such as one listening for BOOT_COMPLETED:

<action android:name="android.intent.action.BOOT_COMPLETED"></action>

The above snippet registers a receiver for the broadcast the system sends when the device finishes booting, so it could be used to start a malicious app every time the user restarts the device.

When an APK is available:

There are several techniques to read the permissions when an APK file is available.

Background: Android apps have the extension ".apk". An APK is nothing but a ZIP archive, and AndroidManifest.xml is one of the files inside it. We can extract it with decompression tools such as WinRAR, WinZip or 7-Zip. So, when an APK is available, we can unzip it to get at the manifest file, but the text inside is not readable, because the manifest is compiled into a binary XML format when the APK is built. So we need to look at other ways of reading it.

Option 1: aapt

aapt (Android Asset Packaging Tool) comes by default with the Android SDK. The Android Eclipse plugin uses this tool to package the APK file that constitutes an Android application.
This tool can be used to list the permissions defined in an APK as shown in Figure 1.4.

Copy aapt from the SDK installation location to any directory you like.
Place your APK file in the same directory as shown in Figure 1.5.
Figure 1.5

Open your command prompt and navigate to the directory where you placed aapt.
Run the following command:
aapt dump permissions <your app.apk>

Figure 1.6

Option 2: APK-TOOL
APK-tool is one of the most commonly used tools for Android application reversing, which we will discuss later in this series. In this article, we focus only on Android permissions.

You can download apk tool from

Place apk-tool and your target app in the same directory as shown in Figure 1.7.
Figure 1.7

Open a command prompt and navigate to the directory where you placed apk-tool.
Now execute the following command:
apktool d <your app.apk> output-path

Upon executing the above command, a new folder is created with the name given as output-path (in my case "output") in the current directory. Go into it to find the decoded AndroidManifest.xml file, which is now readable.
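Once you have a readable manifest (from the source tree or decoded by apktool), the two checks from the source-code scenario, unexpected permissions and a BOOT_COMPLETED receiver, can be run as a script. This is an added example, not code from the original post; the sample manifest, the hypothetical "calendar app" and its allowlist of expected permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name, namespace-qualified
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: a hypothetical calendar app whose decoded manifest also
# asks for SMS access and registers a receiver for the boot broadcast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CALENDAR" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <application android:label="Calendar">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Permissions a plain calendar app could plausibly need (an assumption made for
# this example; build the allowlist from the app's stated functionality).
EXPECTED_CALENDAR_PERMS = {
    "android.permission.INTERNET",
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
}

def declared_permissions(manifest_xml):
    """Check 1: every <uses-permission> declared in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(NAME) for e in root.iter("uses-permission"))

def unexpected_permissions(manifest_xml, expected):
    """Permissions declared but not in the allowlist: these need code review."""
    return sorted(set(declared_permissions(manifest_xml)) - set(expected))

def boot_receivers(manifest_xml):
    """Check 2: <receiver> components whose intent filter listens for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            found.append(receiver.get(NAME))
    return found
```

On the sample, unexpected_permissions reports READ_SMS and RECEIVE_BOOT_COMPLETED, and boot_receivers names .BootReceiver, exactly the two findings a manual read of the manifest would flag.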

When APK is not Available:

When an APK file is not available, though there are ways to see the permissions directly on the device, it is always a good idea to extract the app to an APK and then follow the same steps as in scenario 2.
We can extract the app from the device using apps such as Apk Extractor.


Analyzing the AndroidManifest.xml file is very important during a pentest to figure out the permissions, intents and services declared in an app. We have seen various techniques to read the manifest file of an app. An end user should take a keen look at the permissions before installing an app and be cautious about downloading apps from third-party app stores.

Please post your comments for any queries or suggestions.
