Android

  • Android is built on the open-source Linux kernel.

  • The Dalvik Virtual Machine (DVM) was the original runtime for Android apps; it interpreted and JIT-compiled DEX bytecode.

  • Android Runtime (ART), the default since Android 5.0, replaced Dalvik. It compiles the application's DEX bytecode to native device instructions (ahead-of-time, and since Android 7 also just-in-time with profile-guided compilation).

  • Android apps are written in Java or Kotlin (both compile to DEX bytecode); performance-critical or legacy parts may be native C/C++ built with the NDK.

Main Components

  • Applications

    • Represents the top layer of the Android architecture.

    • Includes pre-installed apps like Home, Contacts, Camera, Gallery, etc., as well as everything the user installs.

    • Runs within the Android Runtime, using the classes and services provided by the application framework.

  • Application Framework

    • Provides several classes used to create apps.

    • Provides a generic abstraction for hardware access and manages the UI with app resources.

    • Includes services like Activity Manager, Notification Manager, View System, Package Manager, etc.

    • Content Providers

      • Expose app data (usually a SQLite-backed table or a file) to other applications through a content URI; whether another app can reach it depends on the provider's exported flag and on any read/write permissions it declares.

        • content://<authority>/<path>

    • View System

      • Provides the widgets and layout machinery (views and view groups) from which an app's UI is built, with consistent rendering across devices.

    • Managers

      • Notifications, Telephony, Package, Location, etc.

  • Application Runtime

    • Contains the core libraries and the runtime itself (ART on current devices, DVM before Android 5.0).

    • Each app runs in its own process with its own runtime instance, and the runtime is optimized so one device can run many such instances efficiently.

  • Platform Libraries:

    • Includes C/C++ core libraries and Java-based libraries for various functionalities.

    • Media framework, SGL/OpenGL ES for graphics, SQLite for databases, WebKit for rendering web content, SSL/TLS for secure transmission, etc.

  • Linux Kernel:

    • Manages all available drivers required during runtime, such as Camera, Bluetooth, Audio, Display, Memory, etc.

    • Responsible for Security, Memory Management, Process Management, Network Stack, Driver Model.

APK File

  • AndroidManifest.xml

    • Contains information about the application including its package name, version, required permissions, and components such as activities, services, broadcast receivers, and content providers.

      • minSdkVersion, targetSdkVersion, permissions, activities, services, receivers, content providers

      • Look for components with android:exported="true": any other app on the device (or adb) can start them directly, skipping the app's own login or navigation flow, unless the component also declares an android:permission. Before targetSdkVersion 31, a component with an <intent-filter> and no explicit exported attribute is exported by default; from Android 12 (API 31) the attribute must be declared for such components or the app will not install.

        • Copy the package name and the exported activity's class name and launch it from ADB (-n takes an explicit component name; a class name starting with "." is relative to the package):

adb shell

# Start an exported activity by explicit component name (package/.Activity)
am start -n b3mac.appname/.b123Activity

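
The exported-component check above, as an added example (not from the original notes): it reads an AndroidManifest.xml that has already been decoded to text with apktool, applies the platform's default-export rules (intent-filter present and targetSdkVersion below 31; providers only for targets at or below API 16) when android:exported is absent, resolves relative class names against the package, and prints the am start -n command for each exported activity that needs no permission. The sample manifest, its package name and its component names are constructed for the demo.

```python
"""List exported components from a decoded AndroidManifest.xml.

Added example (not from the original notes). Assumes the manifest has
already been decoded to text, e.g. `apktool d app.apk` (inside the APK it
is binary XML). The sample manifest is constructed for the demo; the
package and class names in it are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity">
      <intent-filter>
        <action android:name="com.example.notes.OPEN_ADMIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.notes.SYNC"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply the platform defaults when android:exported is not declared."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        # Providers default to exported only when targeting API 16 or lower.
        return target_sdk is not None and target_sdk <= 16
    # Activities, services and receivers: implicitly exported when they
    # declare an intent-filter and the app targets an API level below 31.
    has_filter = component.find("intent-filter") is not None
    return has_filter and (target_sdk is None or target_sdk < 31)


def exported_components(manifest_xml):
    """Return [(tag, fully qualified component name, required permission), ...]."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = None
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    results = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        name = _attr(comp, "name")
        if name.startswith("."):          # ".Foo" is relative to the package
            name = package + name
        elif "." not in name:             # bare "Foo" is relative as well
            name = package + "." + name
        results.append((comp.tag, name, _attr(comp, "permission")))
    return results


def adb_launch_commands(manifest_xml):
    """adb commands to start each exported activity that needs no permission."""
    package = ET.fromstring(manifest_xml).get("package")
    return ["adb shell am start -n %s/%s" % (package, name)
            for tag, name, perm in exported_components(manifest_xml)
            if tag in ("activity", "activity-alias") and perm is None]


if __name__ == "__main__":
    for tag, name, perm in exported_components(SAMPLE_MANIFEST):
        print("%-8s %s%s" % (tag, name, ("  (requires %s)" % perm) if perm else ""))
    print("\n".join(adb_launch_commands(SAMPLE_MANIFEST)))
```

In the sample, AdminActivity is flagged even though it never sets android:exported, because it has an intent-filter and the app targets API 30; bump targetSdkVersion to 31 and it drops out, which is exactly the Android 12 rule. SyncService is exported but guarded by a permission, so no launch command is generated for it.
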
  • classes.dex

    • Contains the compiled DEX bytecode for the application's classes, executed by the Android Runtime (ART). Large apps carry additional classes2.dex, classes3.dex, ... when multidex is used.

  • resources.arsc

    • Contains compiled resources such as strings, images, and layouts used by app.

  • lib/

    • Contains the compiled native libraries (.so) in one subfolder per ABI, such as armeabi-v7a, arm64-v8a, x86, and x86_64.

    • Run strings on the .so files (or open them in a disassembler): native code often carries URLs, keys, and anti-tampering logic that never show up in the decompiled Java.

  • META-INF/

    • Contains the v1 (JAR) signature: MANIFEST.MF (digests of every file in the APK), CERT.SF (digests of the manifest entries), and CERT.RSA / CERT.DSA / CERT.EC (the signature plus the signer's certificate). The base name varies by signer; the extension tells you the key type.

  • assets/

    • Contains raw app data files (sound, video, HTML, JSON configs, etc.) bundled into the APK as-is rather than compiled into resources.arsc; the app reads them through AssetManager.

  • res/: Folder contains the app resources such as layouts, strings, and images. Inside the APK the XML files are stored compiled (binary XML plus resources.arsc); apktool decodes them back to readable form.

    • Look for hardcoded secrets in the decoded res/values/strings.xml

      • Grep for: api, key, sql, password, pass, aws, http, firebase, secret, token, etc.

  • Android system files:

    • Not part of the APK. The Android Runtime, framework libraries (/system/framework), and other system components the app links against live on the device under /system and are loaded at runtime.
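
The lib/, META-INF/, assets/ and res/ checks from the list above, as one added example (not from the original notes). An APK is a ZIP, so the standard zipfile module is enough to list the ABIs shipped in lib/, the v1 signer files in META-INF/, and to scan assets and native libraries for the keywords the notes suggest. It also accepts an apktool-decoded directory, which is where res/values/strings.xml is actually readable (inside the APK it is compiled into resources.arsc). The sample APK, every file name and every value in it are constructed for the demo.

```python
"""Static triage of an APK: ABIs in lib/, v1 signer files in META-INF/, and
hard-coded secrets in assets/, res/values/ and native .so files.

Added example, not from the original notes. It works over (path, bytes)
entries so the same checks run on the APK itself (a ZIP) or on an apktool
decoded directory. In a real APK res/values/*.xml is compiled into
resources.arsc, so decode with apktool first and use entries_from_dir()
for the resource checks. The sample APK is constructed in memory for the
demo; every file name and value in it is made up.
"""
import io
import os
import re
import zipfile

# Keywords the notes suggest grepping for (substring match, case-insensitive).
SECRET_WORDS = re.compile(
    r"api|key|sql|password|pass|aws|http|firebase|secret|token", re.I)
SIGNER_EXT = (".SF", ".RSA", ".DSA", ".EC")


def entries_from_zip(apk_bytes):
    """Yield (path, bytes) for every file in an APK (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.is_dir():
                yield info.filename, z.read(info)


def entries_from_dir(root):
    """Yield (path, bytes) for an apktool-decoded tree, paths relative to root."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root).replace(os.sep, "/"), fh.read()


def native_strings(blob, min_len=8):
    """Extract printable ASCII runs from a binary, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(entries):
    """Summarise ABIs, v1 signer files and keyword hits in one pass."""
    report = {"abis": set(), "v1_signer_files": [], "hits": []}
    for path, data in entries:
        parts = path.split("/")
        if parts[0] == "lib" and len(parts) >= 3:
            report["abis"].add(parts[1])
            # Native code often carries URLs and keys absent from decompiled Java.
            for s in native_strings(data):
                if SECRET_WORDS.search(s):
                    report["hits"].append((path, s))
        elif parts[0] == "META-INF" and path.upper().endswith(SIGNER_EXT):
            report["v1_signer_files"].append(path)
        elif parts[0] == "assets" or path.startswith("res/values/"):
            for line in data.decode("utf-8", "replace").splitlines():
                if SECRET_WORDS.search(line):
                    report["hits"].append((path, line.strip()))
    report["abis"] = sorted(report["abis"])
    return report


def build_sample_apk():
    """Constructed demo APK (not a real app); strings.xml is kept as text here
    only so the resource check has something to scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")      # binary XML stub
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libnative.so",
                   b"\x7fELF" + b"\x00" * 16 + b"https://api.example.com/v1/\x00")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 16)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82dummy")
        z.writestr("assets/config.json",
                   b'{"firebase_url": "https://example.firebaseio.com"}')
        z.writestr("res/values/strings.xml",
                   b'<resources>\n'
                   b'  <string name="app_name">Notes</string>\n'
                   b'  <string name="aws_secret_key">AKIAEXAMPLEKEY</string>\n'
                   b'</resources>\n')
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(entries_from_zip(build_sample_apk())).items():
        print(key, value)
```

The keyword list is deliberately broad (pass also matches password, http matches every URL), so expect noise; the point is to get every candidate on screen and then read the surrounding code. For a real target run triage(entries_from_zip(open("app.apk", "rb").read())) for lib/ and META-INF/, and triage(entries_from_dir("app")) on the apktool output for the resource strings.
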

Android Application Security

  • Every Android app can be reverse engineered, rebuilt, re-signed, and re-run.

  • This means that an attacker can modify application functionality (bypass client-side checks, patch in hooks) and install the modified app. The rebuilt APK can only be signed with the attacker's own key, which is what signature checks inside the app rely on to detect tampering.

  • JADX (or jadx-gui) decompiles DEX bytecode straight to readable Java; apktool disassembles it to smali, decodes the binary manifest and resources, and rebuilds the APK after edits. Neither recovers the original source, only an approximation of it.

  • Developers

    • Java/Kotlin -> .class files -> DEX bytecode (classes.dex)

  • Reverse Engineers

    • DEX bytecode -> smali (disassembly) -> decompiled Java

Application Signing

  • To ensure an application's integrity, APKs are signed with public-key cryptography: the developer signs with a private key, the device verifies the signature at install time, and an update is only accepted when it is signed by the same key as the installed version.

  • Four signature schemes:

    • APK Signature Scheme v1 (JAR signing, the META-INF/ files; does not cover the whole ZIP), v2 (Android 7.0, signs the entire file via an APK Signing Block placed before the ZIP central directory), v3 (Android 9, adds signing-key rotation), and v4 (Android 11, a separate .idsig file for incremental installs, used together with v2/v3).

    • Google Play App Signing: Google holds the app signing key and signs the APKs it delivers; the developer signs uploads with a separate upload key, so a lost upload key can be replaced without changing the app's identity.

    • keytool (generate the key pair), jarsigner (v1 only), zipalign (align before v2+ signing), apksigner (sign and verify v1 to v4; apksigner verify --print-certs shows which schemes verified and the signer certificate).
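
The v1 / v2 / v3 layout described above, as an added example (not from the original notes): v1 is visible as signer files in META-INF/, while v2 and v3 live in the APK Signing Block that sits immediately before the ZIP central directory and ends with the magic "APK Sig Block 42"; inside the block each scheme is an ID-value pair (v2 ID 0x7109871a, v3 ID 0xf05368c0). The code walks that structure to report which schemes an APK carries. It verifies nothing; the real check is apksigner verify --print-certs. The sample APK is constructed in memory and its signing block holds dummy bytes, not real signatures.

```python
"""Report which APK signature schemes an APK carries.

Added example, not from the original notes. v1 leaves *.SF and
*.RSA/*.DSA/*.EC files in META-INF/; v2 and v3 live in the APK Signing
Block, which sits immediately before the ZIP central directory and ends
with the 16-byte magic "APK Sig Block 42". Inside it, each scheme is an
ID-value pair (v2 ID 0x7109871a, v3 ID 0xf05368c0). This only reports
presence, it verifies nothing: the real check is
`apksigner verify --print-certs app.apk`. The sample APK built below is
constructed for the demo and its signing block carries dummy bytes, not
real signatures.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054b50)
SCHEME_IDS = {0x7109871a: "v2", 0xf05368c0: "v3"}


def _find_eocd(data):
    """Offset of the End Of Central Directory record (22 bytes + comment)."""
    pos = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 22 - 65535))
    if pos < 0:
        raise ValueError("not a ZIP/APK: EOCD not found")
    return pos


def _central_directory_offset(data):
    # The CD offset is the uint32 at byte 16 of the EOCD record.
    return struct.unpack_from("<I", data, _find_eocd(data) + 16)[0]


def signing_block_schemes(data):
    """Scheme names found in the APK Signing Block ([] when there is none)."""
    cd = _central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd - 24)[0]   # trailing size field
    block_start = cd - 8 - size                          # leading size field
    if struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end, found = block_start + 8, cd - 24, []
    while pos < end:                                     # walk the ID-value pairs
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pair_id = struct.unpack_from("<I", data, pos + 8)[0]
        found.append(SCHEME_IDS.get(pair_id, "id-0x%08x" % pair_id))
        pos += 8 + pair_len
    return found


def signature_schemes(apk_bytes):
    """['v1', 'v2', ...]: v1 from META-INF, then the signing-block entries."""
    schemes = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
               for n in z.namelist()):
            schemes.append("v1")
    return schemes + signing_block_schemes(apk_bytes)


def add_signing_block(apk_bytes, pairs):
    """Splice an APK Signing Block in front of the central directory and fix up
    the EOCD offset (demo only: values are opaque bytes, not signatures)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = _find_eocd(apk_bytes)
    cd = _central_directory_offset(apk_bytes)
    eocd_patched = (apk_bytes[eocd:eocd + 16] + struct.pack("<I", cd + len(block))
                    + apk_bytes[eocd + 20:])
    return apk_bytes[:cd] + block + apk_bytes[cd:eocd] + eocd_patched


def build_sample_apk(v1=True, schemes=()):
    """Constructed demo APK with optional v1 files and a dummy signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82dummy")
    data = buf.getvalue()
    by_name = {name: sid for sid, name in SCHEME_IDS.items()}
    if schemes:
        data = add_signing_block(data, [(by_name[s], b"dummy-signer-data") for s in schemes])
    return data


if __name__ == "__main__":
    print(signature_schemes(build_sample_apk(schemes=("v2", "v3"))))
```

Because the signing block lives outside any ZIP entry, zipfile still opens the patched archive normally, which is also why a v1-only verifier never sees it and why v2+ is what actually protects the whole file. An APK that reports only v1 on Android 7+ is worth a closer look, since apksigner signs v2 by default.
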
