Learn how to download APKs, and use Apktool to extract and decompile the manifest file from an Android application.
- [Instructor] The file AndroidManifest.xml is used to describe the functionality and requirements of an Android application and is generated as part of the build process for that Android application. This is a compiled XML binary file. And to read it, we'll use a tool called Apktool. Let's download and install the tool from the website shown here. I'll firstly right click on the wrapper script URL and download it. This downloads the Apktool batch file which makes it easy for us to call the tool.
I'll then follow the link to the Apktool tool and I'll download the latest JAR file which is 2.2.0. I have to do a couple of edits to tidy up the downloads so that we can use them. I'll hard code the path for Apktool to Testing and change the name of the tool to match what we have. I'm in a command shell. Let's run Apktool to confirm it's working.
When doing mobile testing commercially, you'll usually be given the APK file from your customer. However, you may want to test an application from one of the Android stores and you'll need to download it. Freeware applications are best sourced from the Google Play store. But the standard install expects these to be downloaded and directly installed on an Android device. An alternative is to do the first step of a side load via the Evozi website. We can see the page has a link to visit the Play store.
We can now search for the app we want. Let's select SMS Reader. And we get a list of the relevant packages. By clicking the first one, I can see the URL. I'll copy the URL and close this tab. I can now paste the URL into the search box in the APK Downloader and generate the download link. Now immediately below the Generate box, I have the link to download the APK.
While Google Play store is the primary source of APK files, there are many other APK download sites on the web. One of them is apk-files.org. And here we see a Vodafone TXTReadr application. I'll use this to demonstrate static analysis. I've downloaded this application and for simplicity renamed it vTXT.apk. I've now got Apktool ready to go. And I've got an APK file to analyze. To disassemble the application, I call Apktool with the D command.
Apktool processes the application file and disassembles it into a directory called vTXT. Let's go and have a look at that. We can see there's some sub-directories and two files, apktool.yml and AndroidManifest.xml. Firstly, I'll look at the yml file. Okay, we can see at the bottom of the screen that we've used version 2.2.0 of the Apktool. And at the top of the screen, that the target was vTXT.apk.
The application version code is 2936 and its version is 1.0.1. Okay, let's now look at the AndroidManifest file. I'll open this in Notepad as it's quite a large file. We can see that the Android activity is being declared starting with the MainActivity then the SettingsActivity and down to SpeechInputActivity. We can see that the application uses a number of permissions, SEND_SMS, RECEIVE_SMS, through to ACCESS_NETWORK_STATE.
You can download many Android applications to get familiar with their manifest files. Let's take a look at another example of the manifest file from an APK which I've downloaded and called ABank.apk. We can see that this manifest file has one interesting difference. The Android name entries are prefixed with the string md5. From Android version 5.1 onwards, by default the type name of an activity is based on the md5 of the full name of the type being exported.
This allows the same fully qualified name to be provided from two different assemblies and not get a packaging error. In this manifest file, we can also see an API_KEY being declared. This is fairly common. While some keys aren't particularly sensitive, some are. Between June and November 2013, security researchers discovered that developers were putting sensitive API Keys into their applications, which potentially revealed Facebook, Twitter, Bitly, Flickr, Foursquare, LinkedIn, and Google+ accounts.
Amazingly, some of these values even had names which included the word secret or private. While these specific issues have been fixed, the use of hard-coded values continues to be a key one for testers to be aware of. In addition to understanding the activities and permissions of an application, there are also the application clause debuggable=true and any exported activities. These are functions that can be called from other applications. In both cases, these can be misused. The manifest file then can be easily extracted and allows us to profile the application.
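As an added example that is not part of the course transcript, the manifest checks described above (permissions, debuggable=true, exported components and key-like metadata) can be scripted against a manifest decoded by Apktool. The function name `profile_manifest`, the package name, the receiver and the placeholder key value are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
KEY_HINT = re.compile(r"key|secret|private|token", re.I)

# Constructed sample standing in for an AndroidManifest.xml decoded by Apktool.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:debuggable="true">
    <meta-data android:name="API_KEY" android:value="CONSTRUCTED-PLACEHOLDER"/>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".SpeechInputActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="false">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def profile_manifest(xml_text):
    """Return the security-relevant facts a reviewer reads off the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "permissions": [p.get(A + "name") for p in root.iter("uses-permission")],
        "debuggable": app is not None and app.get(A + "debuggable") == "true",
        "exported": [],
        "key_like_metadata": [],
    }
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(A + "exported")
            # With no explicit attribute, an intent-filter makes an activity,
            # service or receiver exported (apps targeting API 31+ must be explicit).
            implied = tag != "provider" and comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and implied):
                report["exported"].append(comp.get(A + "name"))
    for md in root.iter("meta-data"):
        if KEY_HINT.search(md.get(A + "name") or ""):
            report["key_like_metadata"].append(md.get(A + "name"))
    return report

if __name__ == "__main__":
    for field, value in profile_manifest(SAMPLE_MANIFEST).items():
        print(f"{field}: {value}")
```

To run it on a real application, pass the text of the AndroidManifest.xml that Apktool writes into the output directory instead of the sample string.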
These methods are recognized by EC Council as integral for those looking to earn their Certified Ethical Hacker certification. The complete CEH BOK can be found at https://www.eccouncil.org/Certification/certified-ethical-hacker/CEH-What-You-Will-Learn.
- Static and dynamic analysis of mobile applications
- Testing on Android
- Analyzing Android applications
- Securing iOS applications
- Jailbreaking iOS for command-line access
- Analyzing iOS apps