Android Manifest File

The AndroidManifest.xml defines how the app behaves, what it exposes, what it protects, and what system components it interacts with. Pentesting always begins with manifest analysis because every attack surface is declared here. This chapter provides a practical, hands-on workflow focused on extracting, decoding, analyzing, and exploiting information found inside the manifest.

Extracting and Decoding the Manifest

The manifest inside the APK is in binary XML form. Decode it using apktool:

apktool d app.apk -o decoded_app

View the manifest:

cat decoded_app/AndroidManifest.xml

If you want the raw binary version:

unzip app.apk AndroidManifest.xml

Use AXMLPrinter for decoding:

java -jar AXMLPrinter2.jar AndroidManifest.xml > manifest.xml

Decoding allows you to examine exported components, permissions, and configurations that directly affect app security.

Identifying Exported Components

Exported components are the most common entry points for attacks. They allow external apps or attackers to trigger functionality inside the app.

Search for exported components:

grep -R "exported=\"true\"" -n decoded_app/AndroidManifest.xml

Check if activities are exported without permission:

grep -R "<activity" -n decoded_app/AndroidManifest.xml

Manually inspect entries like:

<activity android:name=".LoginActivity"
          android:exported="true" />

If exported and unprotected, it may allow:

  • Unauthorized access to screens

  • Bypass of authentication

  • Triggering sensitive operations

  • Intent spoofing attacks

Pentesting task:

Send a forged intent:

adb shell am start -n com.target/.LoginActivity

If it opens, the activity is exposed.

Detecting Insecure Backup Configuration

The allowBackup flag determines whether app data can be backed up over ADB without authentication. Note that from Android 12 onward, adb backup no longer includes an app's data unless the app is also debuggable, so this check matters most on older devices and targets.

Search:

grep -R "allowBackup" -n decoded_app/AndroidManifest.xml

If:

android:allowBackup="true"

then app data might be retrievable:

adb backup -apk -shared -all -f backup.ab

Convert backup for inspection:

dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar

This can reveal credentials and tokens.

Detecting Debuggable Apps

A debuggable app can be inspected, injected, or tampered with at runtime without restrictions.

Search:

grep -R "debuggable" -n decoded_app/AndroidManifest.xml

If:

android:debuggable="true"

You can attach a JDWP debugger. List the debuggable process IDs with:

adb jdwp

Or hook it with Frida:

frida -U -f com.target.app --no-pause

Debuggable apps have almost no runtime protection.

Inspecting Permissions Requested by the App

List permissions:

grep -R "<uses-permission" -n decoded_app/AndroidManifest.xml

Focus on dangerous permissions such as:

  • CAMERA

  • RECORD_AUDIO

  • READ_SMS

  • READ_CONTACTS

  • WRITE_EXTERNAL_STORAGE

Pentesting task:

Use Frida to observe how the app checks these permissions at runtime and whether its access control can be bypassed.

Example Frida hook for permission testing, logging each runtime permission check the app performs together with its result (the original snippet only printed the PERMISSION_GRANTED constant, and without .value it printed the field wrapper rather than the value):

Java.perform(function () {
    // Hook the runtime permission check so every permission the app queries is logged
    var ContextImpl = Java.use("android.app.ContextImpl");
    var GRANTED = Java.use("android.content.pm.PackageManager").PERMISSION_GRANTED.value;
    ContextImpl.checkSelfPermission.implementation = function (permission) {
        var result = this.checkSelfPermission(permission);
        console.log("Permission Check:", permission, result === GRANTED ? "GRANTED" : "DENIED");
        return result;
    };
});

High-risk permissions increase the attack surface.

Inspecting Custom Permissions

Some apps create their own permissions:

grep -R "<permission" -n decoded_app/AndroidManifest.xml

Example:

<permission android:name="com.app.internal.READ_DATA"
            android:protectionLevel="normal" />

If protectionLevel is weak (normal, as above, or missing, which defaults to normal), any app can obtain the permission simply by declaring it in its own manifest; only signature-level protection ties it to the same signing key.

Pentesting task:

Create a dummy malicious app declaring the custom permission and exploit exposed components.

Finding Intent Filters

Intent filters expose how components can be triggered.

Search:

grep -R "<intent-filter" -n decoded_app/AndroidManifest.xml

Look for schemes:

android:scheme="myapp"

Look for deep links:

<data android:host="login" android:path="/auth" />

Pentesting task:

Trigger deep link:

adb shell am start -a android.intent.action.VIEW -d "myapp://login/auth"

Misconfigured deep links allow bypassing screens or triggering private activities.

Application Flags to Inspect

Check for:

android:usesCleartextTraffic="true"

This allows the app to send plaintext HTTP (it is off by default for apps targeting API 28 and later).

Check for:

android:networkSecurityConfig="@xml/network_security_config"

Inspect referenced file for:

  • Debug overrides

  • Trusting user-installed certificates

  • Allowing cleartext for specific domains

Check for:

android:sharedUserId

Shared UID apps share data and permissions. Improper use allows privilege escalation between apps.

Extracting Broadcast Receivers

Search:

grep -R "<receiver" -n decoded_app/AndroidManifest.xml

If exported, test them:

adb shell am broadcast -a com.app.ACTION_TEST

Unprotected receivers allow sending arbitrary broadcasts.

Extracting Services

Search:

grep -R "<service" -n decoded_app/AndroidManifest.xml

If exported:

adb shell am startservice -n com.app/.UploadService

Services often run privileged tasks, making them high-value targets.

Extracting Content Providers

Search:

grep -R "<provider" -n decoded_app/AndroidManifest.xml

Check for readable or writable providers.

Test using:

adb shell content query --uri content://com.app.provider/data

Many apps unintentionally expose entire databases.

Full Practical Manifest Review Workflow

  1. Decode manifest via apktool

  2. Identify exported components

  3. Trigger exported components via ADB

  4. Check debuggable state and attach debugger

  5. Test backup extraction if enabled

  6. Extract permissions and test privilege boundaries

  7. Enumerate providers and query data

  8. Analyze deep links and exploit them

  9. Inspect custom permissions and check misconfigurations

  10. Map all findings to dynamic testing and exploitation
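As an added example (not part of the original chapter), the following Python script automates the static part of this workflow, steps 1, 2, 4, 5, 6 and 9, over a decoded manifest: it flags exported components that no permission protects (treating a component with an intent-filter and no explicit exported attribute as exported, the pre-API 31 default), the allowBackup, debuggable and usesCleartextTraffic flags, and custom permissions with a weak protectionLevel. The embedded manifest is constructed sample input, not from a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
WEAK_LEVELS = {"normal", "dangerous"}  # obtainable by any app that declares/requests them
PROTECTING_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest (not from a real app) showing the patterns the chapter greps for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <permission android:name="com.example.app.READ_DATA" android:protectionLevel="normal"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/>
        <data android:scheme="myapp" android:host="login" android:path="/auth"/></intent-filter>
    </activity>
    <service android:name=".UploadService" android:exported="true"
        android:permission="com.example.app.READ_DATA"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.provider"
        android:exported="true"/>
  </application>
</manifest>"""

# ElementTree stores android:<attr> under its namespaced key
a = lambda attr: "{%s}%s" % (ANDROID_NS, attr)

def audit_manifest(xml_text):
    """Return (finding_type, subject) tuples for the manifest weaknesses discussed above."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for flag in ("allowBackup", "debuggable", "usesCleartextTraffic"):
        if app is not None and app.get(a(flag)) == "true":
            findings.append(("flag", flag))
    for perm in root.findall("permission"):
        # A missing protectionLevel means "normal", the weakest level
        if perm.get(a("protectionLevel"), "normal") in WEAK_LEVELS:
            findings.append(("weak-permission", perm.get(a("name"))))
    for comp in (app.iter() if app is not None else ()):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(a("exported"))
        if exported is None:
            # Before API 31 a component with an intent-filter defaults to exported
            exported = "true" if comp.find("intent-filter") is not None else "false"
        protected = any(comp.get(a(k)) for k in PROTECTING_ATTRS)
        if exported == "true" and not protected:
            findings.append(("exported-unprotected", "%s:%s" % (comp.tag, comp.get(a("name")))))
    return findings
```

Run it against decoded_app/AndroidManifest.xml by passing the file contents to audit_manifest; each finding maps to one of the grep checks above, with the service left unflagged because a permission guards it.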

Practical Exploitation Examples

Launch hidden activity:

adb shell am start -n com.app/.SecretActivity

Trigger service:

adb shell am startservice -n com.app/.HiddenService

Trigger broadcast:

adb shell am broadcast -a com.app.ACTION_DEBUG

Read a leaking content provider:

adb shell content query --uri content://com.app.provider/users

Dump app backup:

adb backup -f out.ab com.app

Each of these actions tests real-world weaknesses defined inside the manifest.

Intel Dump

  • Decode manifest using apktool or AXMLPrinter

  • Identify exported components and test them via ADB

  • Detect insecure flags like debuggable or allowBackup

  • Extract dangerous permissions and test access control

  • Test deep links and intent filters for bypasses

  • Enumerate services, receivers, providers

  • Query providers directly for data leaks

  • Use Frida and adb to exploit misconfigurations
