Android Fundamentals

Basics of Android

An Android app is made up of several components:

  • Activity
  • Service
  • Content Provider
  • Broadcast Receivers

Activity

An activity is equivalent to one screen of an app. Common activities are login, sign-up, stream, settings and on-boarding screens. Most of an app's functionality is performed in activities, and most of the security testing is done here. An activity has an entry in the AndroidManifest.xml file:

<activity android:label="@string/login_activity" android:name="com.peruzal.praat.LoginActivity" />

A common security vulnerability is exported activities. These are activities that the Android runtime allows to be started from outside the app: any app can start an exported activity.

Service

A service runs in the background and does not have a user interface. Services are usually used for performing long-running tasks in the background. A service also has an entry in the AndroidManifest.xml file:

<service android:label="@string/d1" android:name="com.peruzal.praat.ChatService" />

Content Providers

Content providers are used to make an app's private data available to other apps through a common interface. A content provider offers a CRUD (Create, Read, Update, Delete) interface to its data. Content providers are usually backed by an SQLite database, which might be vulnerable to SQL injection attacks.

A common vulnerability is exported content providers. Any app can access an exported content provider provided it knows the URI. Content provider URIs start with the content:// scheme.

Content providers also have an entry in the AndroidManifest.xml:

<provider android:name="jakhar.aseem.diva.NotesProvider" android:enabled="true" android:exported="true" android:authorities="jakhar.aseem.diva.provider.notesprovider" />

Broadcast Receivers

This is the publish/subscribe mechanism on Android. Broadcast receivers are used by developers to build a decoupled app. An activity can communicate with a service by using broadcast receivers. Broadcast receivers can be configured to send and receive broadcasts only within the app, or globally for the whole Android system.

The Android system also sends out notifications as broadcasts, e.g. battery low, incoming phone call, SMS received, connected to power and more.
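The exported-component problem described under Activity and Content Providers above is something you can check mechanically once you have the manifest in text form. The following is an added example, not code from the original page: it applies the manifest default rules (an explicit android:exported wins; otherwise a component with an intent-filter is exported and one without is not) to every activity, service, receiver and provider and lists the exported ones that are not gated by an android:permission. The manifest it runs on is a constructed sample with placeholder package and class names; it assumes a decoded text manifest such as apktool produces, since the AndroidManifest.xml inside an apk is in binary form.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample manifest (decoded text form); the package, class and
# permission names are placeholders, not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".ChatService" android:exported="true"
             android:permission="com.example.sample.permission.CHAT"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.sample.provider.notes"
              android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(elem):
    """Manifest default rules: an explicit android:exported attribute wins;
    otherwise a component with an intent-filter is exported, one without is
    not. (Providers defaulted to exported on API < 17; a modern minSdk is
    assumed here.)"""
    explicit = elem.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def find_exported_components(manifest_xml):
    """Return (tag, fully qualified name, permission or None) for every
    exported component declared under <application>."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    results = []
    if app is None:
        return results
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        name = elem.get(a("name"), "")
        if name.startswith("."):          # relative class name
            name = pkg + name
        results.append((elem.tag, name, elem.get(a("permission"))))
    return results


def unprotected_exports(manifest_xml):
    """Exported components any app can reach, i.e. not gated by a permission.
    The launcher activity is legitimately exported and is reported too; a
    reviewer decides which entries are intended."""
    return [(tag, name) for tag, name, perm in
            find_exported_components(manifest_xml) if not perm]


if __name__ == "__main__":
    for tag, name in unprotected_exports(SAMPLE_MANIFEST):
        print("exported %-8s %s" % (tag, name))
```

On the sample, SettingsActivity is skipped (explicitly not exported) and ChatService is exported but permission-protected, so the report lists MainActivity, LoginActivity, NotesProvider and BootReceiver. The provider entry is the one to look at most closely: its authority is what other apps put into a content:// URI.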

apk structure

An Android app is installed from an apk package. Android apps are usually installed from the Google Play store. For device security testing you would normally install the apk manually on the device using adb.

An apk is an archive format. We can un-archive the apk by changing the file extension to .zip. On the terminal:

mv file.apk file.zip

and then unzip it:

unzip file.zip

apk file structure

The un-archived apk contains the following files:

  • AndroidManifest.xml
  • assets
  • classes.dex
  • META-INF folder
  • lib folder
  • res folder
  • resources.arsc

  • AndroidManifest.xml: the glue between the application and the Android runtime. This is a configuration file; it contains config data such as the permissions required by the app, the minimum version of Android required and the package name of the app.

  • assets: this folder contains non-compiled resources such as raw files, music, databases and video.

  • classes.dex: this file contains the intermediate code that can be run on the Dalvik runtime or the Android Runtime.

  • META-INF: this folder contains the app's certificate and the SHA1 digests.

  • resources.arsc: this file contains the compiled resource table.

  • res: this folder contains the compiled contents of the res folder.
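Because an apk is just a zip archive, the layout above can be inspected without renaming anything. The following is an added example, not part of the original page: it builds a constructed stand-in apk in memory (placeholder bytes under the file names listed above, nothing from a real app) and then summarises it the way a first triage pass would: which top-level entries exist, how many dex files there are, which native ABIs the lib folder covers, and whether the META-INF folder carries a JAR-style (v1) signature.

```python
import io
import zipfile


def build_sample_apk(signed=True):
    """Constructed stand-in for an apk: a zip with the entries the text lists.
    Every entry holds placeholder bytes; this is not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder binary xml")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("classes2.dex", b"dex\n035\x00placeholder")   # multidex
        z.writestr("resources.arsc", b"placeholder resource table")
        z.writestr("res/layout/activity_login.xml", b"placeholder layout")
        z.writestr("assets/config.json",
                   b'{"endpoint": "https://api.example.invalid"}')
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF placeholder")
        if signed:   # JAR (v1) signature files live under META-INF
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    return buf.getvalue()


# Certificate block extensions used by the v1 signing scheme.
CERT_SUFFIXES = (".RSA", ".DSA", ".EC")


def inspect_apk(apk_bytes):
    """Open the apk directly as a zip (no rename to .zip is needed) and
    summarise the structure described in the text."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    top_level = sorted({n.split("/", 1)[0] for n in names})
    dex_files = sorted(n for n in names if "/" not in n and n.endswith(".dex"))
    # lib/<abi>/<library>.so: collect the ABI directory names
    abis = sorted({n.split("/")[1] for n in names
                   if n.startswith("lib/") and n.count("/") >= 2})
    meta = [n for n in names if n.startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_cert = any(n.upper().endswith(CERT_SUFFIXES) for n in meta)
    return {
        "top_level": top_level,
        "has_manifest": "AndroidManifest.xml" in names,
        "has_resources": "resources.arsc" in names,
        "dex_files": dex_files,
        "native_abis": abis,
        "assets": sorted(n for n in names if n.startswith("assets/")),
        # v1 only: v2/v3 signatures sit in the APK Signing Block between the
        # zip entries and the central directory, so they never show up here.
        "v1_signed": has_sf and has_cert,
    }


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print("%-14s %s" % (key, value))
```

The v1_signed flag is deliberately narrow: an apk with an empty META-INF is not necessarily unsigned, because the newer signature schemes are stored outside the zip entries, so the absence of CERT.SF/CERT.RSA only tells you that no JAR-style signature is present.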

Getting an apk

  • The Google Play store does not offer an option to download the apk, but there are several websites that let you download an app's apk from the Play store.
  • From the device. Using adb you can pull the apk from the device.

Android APK Storage Location

The Android system stores apk files in different places depending on whether they were installed by the user or came pre-installed on the device. In addition to the apk file, Android also generates .odex files. These are optimized versions of the apk.

User installed apps

User-installed apps are found under the /data/app directory. The apps under this folder are world-readable, so anyone can copy them off the device; no root permissions are needed. The app's data folder is found under /data/data/<package-name>.

System apps

Apps that come with the system are found under the /system/app folder. The files under this folder are world-readable and anyone can extract them from the device.

Apps with special copy protection

Apps that require special copy protection are found under the /data/app-private folder. Only users with the right permission can access the apps in this folder. The root user has permission to this folder.

Extracting apk file from device

Extracting an apk file from the device requires three steps:

  • Find the package name.
  • Find the path of the APK file on the device.
  • Pull it out from the device.

List installed apps

Find all the installed apps using the adb tool from the command line:

$ adb shell pm list packages

Find apk path

Use a package name from the adb shell pm list packages output to find the path of the apk:

$ adb shell pm path com.android.email

Extract the apk

Extract the app's apk from the device once you know the path:

$ adb pull /system/app/Email/Email.apk
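The three steps above, scripted end to end, as an added example that is not part of the original page. It wraps the same adb commands (pm list packages, pm path, pull), parses their package: prefixed output, and handles one case the manual steps do not mention: apps installed as App Bundles are split APKs, for which pm path prints several lines (base.apk plus split_*.apk), and all of them are needed to reassemble the app. The adb output used when run stand-alone is constructed fake output; the run parameter lets you swap in the real runner, which assumes adb is on PATH.

```python
import subprocess


def run_adb(args):
    """Real runner: invoke the adb CLI and return its stdout as text."""
    return subprocess.run(["adb"] + list(args), check=True,
                          capture_output=True, text=True).stdout


def list_packages(run=run_adb):
    """Step 1: 'pm list packages' prints one 'package:<name>' line per app."""
    out = run(["shell", "pm", "list", "packages"])
    return sorted(line[len("package:"):].strip()
                  for line in out.splitlines() if line.startswith("package:"))


def apk_paths(package, run=run_adb):
    """Step 2: 'pm path' prints 'package:<path>' lines. A split APK yields
    several lines; return every path with base.apk first."""
    out = run(["shell", "pm", "path", package])
    paths = [line[len("package:"):].strip()
             for line in out.splitlines() if line.startswith("package:")]
    if not paths:
        raise ValueError("package not installed: %s" % package)
    return sorted(paths, key=lambda p: (not p.endswith("/base.apk"), p))


def pull_commands(package, dest_dir, run=run_adb):
    """Step 3: build one 'adb pull' per apk file, keeping each split's own
    filename so the local copy mirrors what was on the device."""
    cmds = []
    for path in apk_paths(package, run):
        filename = path.rsplit("/", 1)[-1]
        cmds.append(["pull", path, "%s/%s-%s" % (dest_dir, package, filename)])
    return cmds


def pull_apks(package, dest_dir, run=run_adb):
    """Execute the pull commands; returns them so the caller can log them."""
    cmds = pull_commands(package, dest_dir, run)
    for cmd in cmds:
        run(cmd)
    return cmds


# Constructed fake adb output for offline use. The package names and paths
# are illustrative and were not taken from a real device.
FAKE_OUTPUT = {
    ("shell", "pm", "list", "packages"):
        "package:com.android.email\npackage:com.example.chat\n",
    ("shell", "pm", "path", "com.android.email"):
        "package:/system/app/Email/Email.apk\n",
    ("shell", "pm", "path", "com.example.chat"):
        "package:/data/app/com.example.chat-1/split_config.arm64_v8a.apk\n"
        "package:/data/app/com.example.chat-1/base.apk\n",
}


def fake_adb(args):
    """Stand-in for run_adb that answers from FAKE_OUTPUT; pulls return ''."""
    return FAKE_OUTPUT.get(tuple(args), "")


if __name__ == "__main__":
    for pkg in list_packages(run=fake_adb):
        for cmd in pull_commands(pkg, "./apks", run=fake_adb):
            print("adb " + " ".join(cmd))
```

With the real runner, pull_apks("com.android.email", "./apks") performs exactly the adb pull shown above; for a split install it issues one pull per apk file.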

Android build process

When Java code is compiled, it is compiled into Java bytecode. The bytecode cannot run on Android as-is; it is further translated to run on the Android Runtime (ART), starting with Android 5.0, or on the Dalvik VM for older Android versions.

  • Java files ending in .java are compiled into .class files. The .class file is the Java bytecode.
  • The dx tool is used to convert the .class file into dex, which can be run on Android.

Compiling Java source to bytecode

Let's use the following source file, named HackingAndroid.java:

public class HackingAndroid {
    public static void main(String[] args) {
        System.out.println("Hacking Android");
    }
}

Compile the code:

javac HackingAndroid.java

and this produces a file called HackingAndroid.class.

Run the app:

java HackingAndroid

Convert the app to run on Android

Using the dx tool we can convert the bytecode into the dex format that is executable on Android:

dx --dex --output=HackingAndroid.dex HackingAndroid.class

Copy the dex file to the device:

adb push HackingAndroid.dex /data/local/tmp

Run the app on the device

Use adb to run the app. dalvikvm takes the classpath with -cp (a plain hyphen) followed by the name of the class whose main method it should run:

adb shell dalvikvm -cp /data/local/tmp/HackingAndroid.dex HackingAndroid