
Android Security Model

Android security is built on two layers:
  • The OS, which keeps installed applications isolated from one another via UID separation and sandboxing
  • The application itself, which allows developers to expose certain functionalities and configure capabilities
Each application is assigned a unique User ID at install time and can only access files owned by that UID or shared files. From Android 5.0, SELinux is enforced, denying all process interactions except those explicitly allowed by policy. Two apps can share a UID by defining the same android:sharedUserId in their manifests — but if one is compromised, both apps’ data is at risk.
Permissions are declared in AndroidManifest.xml via uses-permission elements. The four protection levels are:
  • Normal — granted automatically, no user prompt
  • Dangerous — requires explicit user approval
  • Signature — only granted to apps signed by the same certificate
  • SignatureOrSystem — signature or system-level access
An APK is essentially a ZIP file containing:
  • AndroidManifest.xml — component declarations and permissions
  • classes.dex — Dalvik bytecode (compiled Java/Kotlin)
  • lib/ — native libraries per CPU architecture (armeabi-v7a, arm64-v8a, x86)
  • assets/ — miscellaneous files (sometimes used to hide extra DEX files)
  • res/ — resources not compiled into resources.arsc
  • META-INF/ — certificate and signature data

ADB — Android Debug Bridge

ADB is the primary tool for communicating with Android devices (physical or emulated).
# List packages
adb shell pm list packages

# Get the path of an installed APK
adb shell pm path com.android.insecurebankv2

# Pull the APK
adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk

# Merge split APKs using APKEditor
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -I{} adb pull {} splits
java -jar APKEditor.jar m -i splits/ -o merged.apk

# Sign the merged APK
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed

Static Analysis

APK Decompilers

jadx

Best-in-class decompiler with GUI and CLI. jadx app.apk decompiles to Java; jadx-gui opens the GUI.

Bytecode-Viewer

Analyze APKs using multiple decompilers simultaneously for cross-verification.

GDA

Windows-only tool with extensive reverse engineering features for Android apps.

frida-DEXdump

Dumps DEX from a running application, which defeats packing or obfuscation that is only undone in memory at runtime.

Manifest Analysis

Key vulnerabilities to look for in AndroidManifest.xml:
  • Debuggable apps (android:debuggable="true") let a debugger attach to the running process, which can lead to exploitation
  • Backup settings: android:allowBackup="false" should be set explicitly for sensitive apps
  • Network Security Config — check for cleartextTrafficPermitted="true"
  • Exported Activities/Services/Providers — may allow unauthorized access
  • SDK versions: minSdkVersion below 21 supports vulnerable Android versions
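The checks above, as an added example (not code from the original page) that audits a decoded manifest; it assumes the binary AndroidManifest.xml was already decoded to plain XML (e.g. with apktool), and the sample manifest is constructed for the demo:

```python
# Added example (not from the original page): check a decoded AndroidManifest.xml
# for the issues listed above. Assumes the binary manifest was already decoded to
# plain XML (e.g. with apktool); the manifest below is constructed for this demo.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="myscheme"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:exported="true"
              android:permission="com.example.demo.READ"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return a list of findings (strings) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is not None and app.get(ANDROID + "debuggable") == "true":
        findings.append("debuggable=true: a debugger can attach to the running app")
    if app is not None and app.get(ANDROID + "allowBackup") != "false":
        findings.append("allowBackup not explicitly false: app data can be backed up")
    sdk = root.find("uses-sdk")
    if sdk is not None and int(sdk.get(ANDROID + "minSdkVersion", "1")) < 21:
        findings.append("minSdkVersion < 21: installable on vulnerable Android versions")
    for comp in COMPONENTS:
        for el in root.iter(comp):
            exported = el.get(ANDROID + "exported")
            # Before targetSdk 31 a component with an intent-filter is exported by default.
            implicitly_exported = exported is None and el.find("intent-filter") is not None
            if (exported == "true" or implicitly_exported) and el.get(ANDROID + "permission") is None:
                findings.append(f"{comp} {el.get(ANDROID + 'name')} exported without a permission")
    return findings
```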

Looking for Sensitive Information

# Extract strings from APK
strings classes.dex | grep -i "password\|api_key\|secret\|token"

# Use apkleaks to find secrets
apkleaks -f app.apk

# Check for Firebase URLs
strings classes.dex | grep "firebaseio.com"
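The APK layout from the first section and the string search above, combined in one added example (not code from the original page): it treats the APK as a ZIP, inventories DEX files (including ones hidden under assets/), native ABIs and signature entries, and scans each DEX for secret-looking strings. The APK is constructed in memory so the script runs offline.

```python
# Added example (not from the original page): treat an APK as the ZIP archive
# described above, inventory its parts, and scan every DEX for secret-looking
# strings (the grep step). The APK is constructed in memory so this runs offline.
import io
import re
import zipfile

SECRET_PATTERNS = {
    "credential": re.compile(rb"(?i)(password|api_key|secret|token)\s*[=:]\s*\S+"),
    "firebase url": re.compile(rb"https?://[\w.-]+\.firebaseio\.com\S*"),
}

def build_sample_apk():
    """Constructed stand-in for a real APK: realistic entry names, fake contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml>")
        z.writestr("classes.dex",
                   b"dex\n035\x00 api_key=EXAMPLE_KEY_123 https://demo-app.firebaseio.com/users \x00")
        z.writestr("assets/payload.dex", b"dex\n035\x00 second dex hidden under assets/")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")   # PKCS#7 signature block stand-in
    return buf.getvalue()

def triage_apk(apk_bytes):
    """Inventory the APK and return secret hits as (entry, label, match) tuples."""
    report = {"dex": [], "hidden_dex": [], "abis": set(), "signed": False, "secrets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".dex"):
                report["dex"].append(name)
                if "/" in name:                 # DEX outside the root, e.g. assets/
                    report["hidden_dex"].append(name)
                data = z.read(name)
                for label, pat in SECRET_PATTERNS.items():
                    for m in pat.finditer(data):
                        report["secrets"].append((name, label, m.group(0).decode("latin-1")))
            elif name.startswith("lib/"):
                report["abis"].add(name.split("/")[1])
            elif name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                report["signed"] = True          # v1 (JAR) signature block present
    return report
```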

Tapjacking

Tapjacking places a malicious transparent overlay above a victim app, causing the user to interact with the victim app unknowingly. Test for FLAG_SECURE window protection and proper touch filtering (filterTouchesWhenObscured).

Insecure Data Storage

Files stored internally are app-private by default, but MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE can expose them to other apps (both modes are deprecated and throw a SecurityException from API 24, so they only matter for old targets). Check files at /data/data/<packagename>/shared_prefs/ and /data/data/<packagename>/databases/.

Broken TLS

// Dangerous pattern as it appears in decompiled code: cc is a renamed (obfuscated)
// subclass of Apache HttpClient's SSLSocketFactory, and ALLOW_ALL_HOSTNAME_VERIFIER
// accepts a certificate for any host, so any valid certificate passes
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Test by capturing traffic with Burp without installing Burp’s CA on the device: if the app still connects and the traffic is visible, certificate validation is broken.

Dynamic Analysis

A rooted device (physical or emulated) is strongly recommended. Magisk on Pixel devices provides the best compatibility with Frida.

Emulators

  • Android Studio AVD — supports x86 images with ARM library translation
  • Genymotion — free personal edition; supports Frida and Drozer
  • Online: Appetize.io for quick APK testing with ADB access

Unintended Data Leakage

# Monitor application logs
adb logcat | grep -i <package_name>
# Or use pidcat for cleaner output
pidcat com.example.app
Also check:
  • Clipboard caching — sensitive fields should disable copy/paste
  • Crash logs — avoid logging sensitive info; check /data/data/<package>/
  • SQLite databases — enumerate with .tables and .schema <table>
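Detection logic for the log monitoring step above, as an added example (not code from the original page): a pidcat-style filter that maps a package name to its PID from ActivityManager's "Start proc" line, keeps only that process's lines, and flags messages that leak sensitive-looking values. The logcat lines are constructed in threadtime format.

```python
# Added example (not from the original page): a pidcat-style filter that maps a
# package name to its PID from ActivityManager's "Start proc" line, then flags
# the app's log lines that leak sensitive-looking values. The logcat lines are
# constructed (threadtime format: date time PID TID level tag: message).
import re

LOGCAT_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$")
START_PROC = re.compile(r"Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/")
LEAK_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pin)\s*[=:]\s*\S+"),
    re.compile(r"(?i)(token|authorization|bearer)\s*[=:]?\s*[A-Za-z0-9._-]{16,}"),
    re.compile(r"\b\d{13,16}\b"),   # card-number-sized digit runs
]

SAMPLE_LOGCAT = """\
03-14 10:00:01.001   812   900 I ActivityManager: Start proc 4321:com.example.bank/u0a150 for activity com.example.bank/.LoginActivity
03-14 10:00:02.100  4321  4321 D LoginActivity: attempting login for user=alice password=Hunter2!
03-14 10:00:02.300  4321  4350 D OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.demo.signature
03-14 10:00:02.500  4321  4321 I LoginActivity: login ok
03-14 10:00:03.000  5555  5555 D OtherApp: password=notours
03-14 10:00:04.000  4321  4321 D Cards: saved card 4111111111111111
"""

def find_leaks(logcat_text, package):
    """Return (pid, [(tag, message)]) for lines of `package` carrying sensitive values."""
    pid, hits = None, []
    for line in logcat_text.splitlines():
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        if pid is None:
            sp = START_PROC.search(m["msg"])
            if sp and sp["pkg"] == package:
                pid = sp["pid"]          # remember the PID the app was started with
            continue
        if m["pid"] != pid:
            continue                     # drop other processes' noise
        if any(p.search(m["msg"]) for p in LEAK_PATTERNS):
            hits.append((m["tag"].strip(), m["msg"]))
    return pid, hits
```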

Exploiting Exported Components

# Start exported activity
adb shell am start -n com.example.demo/com.example.test.MainActivity

# Trigger deep link
adb shell am start -a android.intent.action.VIEW \
  -d "myscheme://host/path?redirect=https://attacker.tld"

# Send broadcast
adb shell am broadcast -a com.example.action.CUSTOM

SSL Pinning Bypass

1. Static Detection

Use SSLPinDetect to identify pinning implementations before runtime:
python sslpindetect.py -f app.apk -a apktool.jar -v
2. Automatic Bypass with Objection

objection --gadget com.package.app explore \
  --startup-command "android sslpinning disable"
3. APK Patching

# Use apk-mitm to automatically patch SSL pinning
apk-mitm app.apk
4. iptables Forwarding

If traffic is still missing, forward to Burp using iptables rules.

Frida Instrumentation

# Install Frida server
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

# List processes
frida-ps -Uai

# Hook with a script
frida -U -f com.example.app -l bypass.js --no-pause

Dump Memory with Fridump3

# Find the target process name, then dump its memory
frida-ps -Uai
python3 fridump3.py -u "AppName"

# Run strings over the dump files, keeping lines that look like three-word phrases
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+"

Automated Analysis Tools

MobSF

Mobile Security Framework. Static + dynamic analysis via Docker:
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Drozer

Assumes the role of an Android app to interact with other apps via IPC — exploits exported activities, services, and content providers.

QARK

LinkedIn’s static analyzer. Finds exported activities, intent issues, tapjacking, and generates PoC APKs.
qark --apk path/to/my.apk

mariana-trench

Facebook’s static analysis tool that tracks data flows from sources to dangerous sinks.

AIDL / Binder Service Enumeration

# List all Binder services
service list

# Call a single transaction code (here 1); the reserved code 0x5f4e5446
# (INTERFACE_TRANSACTION) returns the service's interface descriptor instead
service call mtkconnmetrics 1

# Brute-force transaction codes
for i in $(seq 1 50); do
  printf "[+] %2d -> " $i
  service call mtkconnmetrics $i 2>/dev/null | head -1
done
Decompile the implementing class and look for Stub.onTransact() to map transaction codes to method names. Absence of permission checks (enforceCallingPermission, checkCallingOrSelfPermission) is a vulnerability indicator.

Intent Injection

Proxy components that accept Intents and pass them to startActivity() or sendBroadcast() without validation can be abused. A notable vector is WebView converting URLs to Intents via Intent.parseUri(...) and executing them — potentially enabling:
  • Triggering non-exported app components
  • Accessing sensitive Content Providers
  • Open-redirect style attacks analogous to web applications
