# Android

* Android is built on the open-source **Linux kernel**.
* The **Dalvik Virtual Machine (DVM)** was the runtime that executed app bytecode on Android 4.4 and earlier.
* **Android Runtime (ART)** replaced Dalvik from Android 5.0; it compiles the application's DEX bytecode into native device instructions (ahead-of-time at install time, with JIT compilation added in Android 7.0).
* Android apps are written in Java or Kotlin; native C/C++ code built with the NDK ships alongside them as .so libraries.

## Main Components

* **Applications**
  * Represents top layer of Android Architecture.
  * Includes pre-installed apps like Home, Contacts, Camera, Gallery, etc.
  * Apps run inside the Android Runtime, using the classes and services implemented by the application framework.
* **Application Framework**
  * Provides several classes used to create apps.
  * Provides a generic abstraction for hardware access and manages the UI with app resources.
  * Includes services like Activity Manager, Notification Manager, View System, Package Manager, etc.
  * **Content Providers**
    * A way of sharing structured data with other applications through a content URI; other apps can reach the provider only if it is exported.
      * content://\<authority>/\<path>
  * **View System**
    * Utilized for making the App's UI and normalizing it.
  * **Managers**
    * Notifications, Telephony, Package, Location, etc.
* **Application Runtime**
  * Contains the core libraries and the runtime itself (Dalvik on old devices, ART on Android 5.0 and later).
  * Each app runs in its own process with its own runtime instance and its own Linux UID, which is what lets the device run many apps efficiently and keeps them sandboxed from each other.
* **Platform Libraries:**
  * Includes C/C++ core libraries and Java-based libraries for various functionalities.
  * Media, SGL/OpenGL for graphics, SQLite for databases, WebKit for loading web content, SSL for secure transmission, etc.
* **Linux Kernel**:
  * Manages all available drivers required at runtime such as Camera, Bluetooth, Audio, Memory, etc.
  * Responsible for Security, Memory Management, Process Management, Network Stack, Driver Model.

## APK File

* **AndroidManifest.xml**
  * Contains information about the application including its package name, version, required permissions, and components such as activities, services, broadcast receivers and content providers. Inside the APK the manifest is binary XML; decode it with `apktool d` (or `aapt dump xmltree`) before reading it.
    * minSdkVersion, targetSdkVersion, permissions, activities, content providers
    * Look for components with `android:exported="true"`: any other app on the device can start them directly, so the app performs no authentication of the caller (only an `android:permission` attribute on the component can still restrict who may call it). Components that declare an `<intent-filter>` without an explicit `android:exported` are exported by default when targetSdk is below 31.
      * Copy the exported activity name and launch it from ADB

```
adb shell

# Start the exported activity by component: <package>/<activity class>
# (a leading dot makes the class name relative to the package)
am start -n b3mac.appname/.b123Activity
```
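
As an added example (not the playbook's own code), the script below applies those export rules to a decoded manifest and prints the adb command that reaches each exported component, covering services, receivers and providers as well as activities. It assumes the manifest as `apktool d` writes it; the sample manifest, the package `com.example.vulnapp` and its component names are constructed for the demo.

```python
"""List exported components in a decoded AndroidManifest.xml and print the adb
command that reaches each one. Added example, not the playbook's own tooling.
Input is the manifest as written by `apktool d` (the raw APK manifest is binary
XML); the sample manifest and package name below are constructed."""
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Component tag -> adb command that invokes it once exported.
COMMANDS = {
    "activity": "adb shell am start -n {comp}",
    "activity-alias": "adb shell am start -n {comp}",
    "service": "adb shell am start-service -n {comp}",   # 'startservice' on old builds
    "receiver": "adb shell am broadcast -n {comp}",
    "provider": "adb shell content query --uri content://{authority}/",
}

# Constructed sample manifest: mixes explicit, implicit and non-exported components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".DebugActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.vulnapp.notes"/>
  </application>
</manifest>"""


def qualify(pkg: str, name: str) -> str:
    """Resolve '.Foo' (package-relative) and bare 'Foo' to a fully qualified class."""
    if name.startswith("."):
        return pkg + name
    return name if "." in name else f"{pkg}.{name}"


def is_exported(elem: ET.Element, target_sdk: int) -> bool:
    """Android's export rule for one component element."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17   # providers defaulted to exported only up to API 16
    # activity/service/receiver: implicitly exported iff an intent-filter is
    # declared (targetSdk 31+ refuses to install this implicit case)
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml: str, target_sdk_fallback: int = 30) -> list[dict]:
    """Exported components with the caller permission (if any) and an adb command."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    target_sdk = target_sdk_fallback        # apktool keeps targetSdk in apktool.yml
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and uses_sdk.get(ANDROID + "targetSdkVersion"):
        target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion"))
    found = []
    for elem in root.find("application"):
        if elem.tag not in COMMANDS or not is_exported(elem, target_sdk):
            continue
        name = qualify(pkg, elem.get(ANDROID + "name"))
        authority = (elem.get(ANDROID + "authorities") or "").split(";")[0]
        found.append({
            "type": elem.tag,
            "name": name,
            "permission": elem.get(ANDROID + "permission"),  # caller must hold it
            "command": COMMANDS[elem.tag].format(comp=f"{pkg}/{name}", authority=authority),
        })
    return found


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for c in exported_components(xml_text):
        guard = f"  (requires {c['permission']})" if c["permission"] else ""
        print(f"{c['type']:<10} {c['name']}{guard}\n    {c['command']}")
```

Pass the path of the decoded manifest as the first argument. When apktool has moved `targetSdkVersion` into `apktool.yml`, pass that value as `target_sdk_fallback`, otherwise the provider rule assumes a modern target. A component listed with a permission is exported but only reachable by callers holding that permission, so check whether a third-party app can actually request it.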

* **classes.dex**
  * Contains the compiled Dalvik bytecode (DEX) for the application's classes, executed by the Android Runtime (ART); larger apps ship additional classes2.dex, classes3.dex, ... files.
* **resources.arsc**
  * Compiled resource table: string, style and dimension values plus the IDs that map the app's layouts, drawables and other resources to their files.
* **lib/**
  * Contains compiled native libraries (.so) in one subfolder per ABI, such as lib/arm64-v8a/, lib/armeabi-v7a/ and lib/x86_64/.
  * Run `strings` over the .so files and look for URLs, keys and debug messages; logic pushed into native code is often less reviewed than the Java side.
* **META-INF/**
  * Contains the v1 (JAR) signature: MANIFEST.MF (a digest of every file), CERT.SF (the signed digest of that manifest) and CERT.RSA/.DSA/.EC (the signer's certificate and signature). Signature schemes v2 and later are not stored here but in the APK Signing Block.
* **assets/**
  * Contains raw app data files such as sound, video, configuration or bundled scripts; they are packaged into the APK as-is rather than compiled into resources.arsc.
* **res/**: Contains the app resources such as layouts, strings and images in their original form before being compiled into resources.arsc. Inside the APK the XML is binary and the values live in resources.arsc; run `apktool d` to get a readable res/values/strings.xml.
  * Look for hardcoded secrets in res/values/strings.xml
    * Strings: API, Key, SQL, password, pass, AWS, http, firebase, secret, etc.
* **Android system files:**
  * Not part of the APK: the Android Runtime, framework libraries and other system components the app uses live on the device under /system, and the app links against them at runtime.
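
As an added example (not the playbook's own tooling), the scanner below runs the keyword list above over a decoded `res/values/strings.xml` and adds a few well-known key shapes (AWS access key IDs, Google API keys, Firebase database URLs, JWTs, plain URLs). It suppresses the usual false positive of UI text whose resource name merely contains "password". The sample strings.xml and every value in it are constructed for the demo.

```python
"""Flag likely hardcoded secrets in a decoded res/values/strings.xml.

Added example, not the playbook's own tooling. The name keywords are the ones
the page suggests; the regexes add well-known key shapes. The sample file is
constructed for the demo (the AWS key is the documented AWS example value)."""
import re
import xml.etree.ElementTree as ET

NAME_KEYWORDS = ("api", "key", "sql", "password", "pass", "aws", "http",
                 "firebase", "secret", "token")

# Value shapes worth reporting regardless of the resource name.
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase-db-url": re.compile(r"https?://[\w.-]+\.firebaseio\.com"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),
}

# Constructed sample of a decoded res/values/strings.xml.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">VulnApp</string>
    <string name="password_hint">Enter your password</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="google_maps_key">AIzaSyD-EXAMPLEkeyEXAMPLEkeyEXAMPLEkey1</string>
    <string name="firebase_database_url">https://vulnapp-example.firebaseio.com</string>
    <string name="api_base_url">https://api.example.com/v1/</string>
    <string name="db_pass">Sup3rS3cretP@ss</string>
    <string name="welcome">Welcome, %1$s</string>
</resources>"""


def scan_strings_xml(xml_text: str) -> list[dict]:
    """Return [{name, value, reasons}] for every <string> that looks like a secret."""
    findings = []
    for s in ET.fromstring(xml_text).iter("string"):
        name = s.get("name", "")
        value = "".join(s.itertext()).strip()
        reasons = [label for label, rx in VALUE_PATTERNS.items() if rx.search(value)]
        # Name-only hits are noisy ("password_hint" = "Enter your password"):
        # count them only when the value itself looks like a credential.
        looks_like_credential = len(value) >= 8 and not any(ch.isspace() for ch in value)
        if not reasons and looks_like_credential and any(k in name.lower() for k in NAME_KEYWORDS):
            reasons.append("suspicious-name")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{f['name']:<24} {', '.join(f['reasons']):<28} {f['value']}")
```

Point it at the decoded file with `ET.parse(path).getroot()` in place of the sample; on real apps also grep the same patterns through `res/raw/`, `assets/` and the decompiled Java, since secrets are not confined to strings.xml.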

## Android Application Security

* Every Android app can be reverse engineered, rebuilt, re-signed, and re-run.
* This means an attacker can modify application functionality and ship the patched APK under their own signing key, so client-side checks alone cannot be trusted.
* JADX-GUI decompiles DEX straight to readable Java; apktool disassembles it to smali, decodes the binary manifest and resources, and rebuilds the APK after edits.
* Developers
  * Java/Kotlin -> DEX bytecode
* Reverse engineers
  * DEX bytecode -> smali -> decompiled Java

<figure><img src="/files/8tb5tHimZxxDLOaq6DrU" alt=""><figcaption></figcaption></figure>

## Application Signing

* To ensure an application's integrity and tie it to its developer, Android uses public-key signatures: every APK must be signed, and the platform only installs an update if it is signed with the same key(s) as the installed version.
* Signature schemes the platform verifies:
  * APK Signature Scheme v1 (JAR signing, stored in META-INF/; covers only the zip entries), v2 (Android 7.0+, signs the whole file from the APK Signing Block), v3 (Android 9+, adds key rotation) and v4 (Android 11+, signature in a separate .idsig file for incremental installs).
  * Google Play App Signing: Google holds the app signing key and re-signs each release; the developer uploads builds with a separate upload key.
  * Tools: keytool (key generation), jarsigner (v1 only), zipalign (run before v2+ signing, since re-aligning afterwards breaks the signature) and apksigner (signs with v2/v3 and checks a package with `apksigner verify --print-certs`).

<figure><img src="/files/trTeXKlzZhoNgAyuRHlS" alt=""><figcaption></figcaption></figure>
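
As an added example (not part of this playbook or of any Android tool), the script below reports which schemes an APK carries: v1 from the signature entries in META-INF/, v2/v3/v3.1 from the block IDs in the APK Signing Block that sits immediately before the zip central directory. It only reports presence; `apksigner verify` is what checks validity. So that it runs offline it also builds a constructed sample APK whose signature values are placeholder bytes in the real block layout.

```python
"""Report which APK signature schemes an APK carries.

Added example, not the playbook's own tooling. v1 is detected from META-INF
entries; v2/v3/v3.1 from the block IDs in the APK Signing Block that sits just
before the zip central directory. Presence is not validity: verify with
`apksigner verify --print-certs`. The sample APK built below is constructed."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"

# Block ID -> scheme, as defined in AOSP's apksig library.
BLOCK_IDS = {
    0x7109871A: "v2",
    0xF05368C0: "v3",
    0x1B93AD61: "v3.1",
    0x42726577: "verity-padding",  # padding, not a signature
}


def _eocd_offset(data: bytes) -> int:
    """Locate the End Of Central Directory record (last occurrence of its magic)."""
    idx = data.rfind(EOCD_SIGNATURE)
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("no EOCD record: not a zip/APK")
    return idx


def apk_signing_block(data: bytes) -> dict[int, bytes]:
    """Return {block_id: value} pairs from the APK Signing Block, {} if absent."""
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]  # central directory offset
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # trailing size field
    start = cd_offset - size - 8                               # leading size field
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, start + 8, cd_offset - 24
    while pos + 12 <= end:
        length, block_id = struct.unpack_from("<QI", data, pos)  # length covers id + value
        pairs[block_id] = data[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def signature_schemes(data: bytes) -> list[str]:
    """Names of the signature schemes present, in the order found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if n.startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_cert = any(n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC") for n in names)
    schemes = ["v1"] if has_sf and has_cert else []
    for block_id in apk_signing_block(data):
        scheme = BLOCK_IDS.get(block_id, f"unknown-0x{block_id:08x}")
        if scheme != "verity-padding":
            schemes.append(scheme)
    return schemes


def _build_sig_block(pairs: list[tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + len(APK_SIG_BLOCK_MAGIC)  # everything after the first size field
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def make_sample_apk(v1: bool, block_ids: list[int]) -> bytes:
    """Constructed stand-in for a signed APK: placeholder signature bytes in a
    real zip layout, with the signing block inserted before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7")
    data = buf.getvalue()
    if not block_ids:
        return data
    block = _build_sig_block([(bid, b"placeholder-signer") for bid in block_ids])
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    data = data[:cd_offset] + block + data[cd_offset:]
    eocd += len(block)  # EOCD moved; point it at the shifted central directory
    return data[:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]


if __name__ == "__main__":
    for label, apk in (("v1+v2+v3", make_sample_apk(True, [0x7109871A, 0xF05368C0])),
                       ("v2 only", make_sample_apk(False, [0x7109871A, 0x42726577]))):
        print(label, "->", signature_schemes(apk))
```

On a real package, `signature_schemes(open("app.apk", "rb").read())` is enough; an APK that reports only v1 can have its zip structure altered without breaking the signature, which is why v2 was introduced. The parser reads the trailing size field first because that is how the platform finds the block (it walks backwards from the central directory offset in the EOCD).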


