Every project in Android has a manifest file called AndroidManifest.xml , which is stored in the root directory. The manifest file is an important part of our application as it defines the structure and metadata of the application. Android Manifest file can be obtained by extracting the APK or you can use APKtool for extracting the manifest file.
In an application module there are different components. In security aspect we need to check the following components:-
1. Backup Mode Enabled
This mode enables data backup but this can be vulnerable as the attacker can backup the data and steal sensitive data from the application. To prevent this kind of attack backup mode should be set as false.
2. Debug Mode
This mode defines if the application is debuggable or not. If this mode is enabled then attacker can harvest plenty of information. When the application is not in the execution stage the debug mode can be set as true but when it comes to the final stage it should be set as false. It is one of the the critical vulnerability which can lead to information disclosure of an application.
To use any data, software or hardware the application needs to have permission to get access to it. For e.g if an application needs device camera then it needs to have permission to access it. The developer must mention the permission to use camera, GPS or any other device’s software or application which is not owned by it.
User and App Permission
This defines system permissions which the user must allow to run the application. The user allows the permission when the application is installed or while running the application.
Application permission is used to safeguard the privacy of the user. Android apps must ask for permissions before accessing sensitive data such as camera, GPS, SMS, Contacts etc.
Permission allowance of any kind of application is specified in the manifest file.
In this section you will see various permissions that are assigned to an application. If you go under app settings you will see certain permissions assigned to an app which you can enable according to the requirement to set the app by default. Once this is done then the app will not ask for any of the permissions.
As a security professional we need to look for permissions which can be dangerous such as the following:
This is used to write data to external storage.
This is used to read the application logs.
3. READ_ONLY or WRITE_ONLY
This is used for permission for content providers.
There are four application components:
3. Content Provider
4. Broadcast Receiver
These components can be private or public. The exported attribute of each component is specified in the manifest file which defines weather the component is public or private.
If the component is public then it can be exported to other applications but if it is private then it is not accessible by other applications and this kind of option should be revised for other components also otherwise sensitive information may get accessed from other applications.
So these are some of the ways to analyze the manifest file. To automate the process for static analysis you can use tools such as MobSF, Qark. You can also follow MAST standard and OWASP Framework when going for manual approach.