Android Application Fundamentals

Android apps are written in the Java programming language. The Android SDK tools compile your code—along with any data and resource files—into an APK: an Android package, which is an archive file with an .apk suffix. One APK file contains all the contents of an Android app and is the file that Android-powered devices use to install the app.

An APK file is an Archive that usually contains the following directories:

  • AndroidManifest.xml: The AndroidManifest.xml file is the control file that tells the system what to do with all the top-level components (specifically activities, services, broadcast receivers, and content providers described below) in an application. This also specifies which permissions are required. This file may be in Android binary XML that can be converted into human-readable plaintext XML with tools such as android-apktool, or Androguard which we will cover in the upcoming post.

  • META-INF directory:

    • MANIFEST.MF: the Manifest File
    • CERT.RSA: The certificate of the application.
    • CERT.SF: The list of resources and SHA-1 digest of the corresponding lines in the MANIFEST.MF file.
  • lib: the directory containing the compiled code that is specific to a software layer of a processor, the directory is split into more directories within it:

    • armeabi: compiled code for all ARM based processors only
    • armeabi-v7a: compiled code for all ARMv7 and above based processors only
    • x86: compiled code for X86
    • mips: compiled code for MIPS processors only
  • res: the directory containing resources not compiled into resources.arsc (see below).

  • assets: a directory containing applications assets, which can be retrieved by AssetManager.

  • classes.dex: The classes compiled in the dex file format understandable by the Dalvik virtual machine

  • resources.arsc: a file containing precompiled resources, such as binary XML for example.

App components are the essential building blocks of an Android app. Each component is a different point through which the system can enter your app. Not all components are actual entry points for the user and some depend on each other, but each one exists as its own entity and plays a specific role—each one is a unique building block that helps define your app’s overall behavior. You can skip the content given below if you are already familiar with them.There are following four components of app:-

Content Provider

  • Content Provider component supplies data from one application to others on request.

  • You can store the data in the file system, an SQLite database, on the web, or any other persistent storage location your app can access.

  • Through the content provider, other apps can query or even modify the data (if the content provider allows it).

  • Content Provider is useful in cases when an app want to share data with another app.

  • It is much similar like databases and has four methods.

    • insert()
    • update()
    • delete()
    • query()

Activity

To be simple an activity represents a single screen with a user interface. For Example,one activity for Login and another activity after login has been successful. It is kind of every new screen I will discuss more about it later when needed.

Services

  • A service is a component that runs in the background to perform long-running operations or to perform work for remote processes.
  • A service does not provide a user interface,neither component, such as an activity, can start the service and let it run or bind to it in order to interact with it.
  • For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity.

Broadcast Receiver

  • A broadcast receiver is a component that responds to system-wide broadcast announcements.
  • Many broadcasts originate from the system—for example, a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured.
  • Apps can also initiate broadcasts—for example, to let other apps know that some data has been downloaded to the device and is available for them to use.
  • Although broadcast receivers don’t display a user interface, they may create a status bar notification to alert the user when a broadcast event occurs.
  • More commonly, though, a broadcast receiver is just a “gateway” to other components and is intended to do a very minimal amount of work. For instance, it might initiate a service to perform some work based on the event.
  • An application may register a receiver for the low battery message for example, and change its behavior based on that information.

Activating Components

  • Three of the four component types—activities, services, and broadcast receivers—are activated by an asynchronous message called an intent.
  • Intents bind individual components to each other at runtime (you can think of them as the messengers that request an action from other components), whether the component belongs to your app or to other.
  • In the upcoming post we will be using Drozer which uses Intents to showcase the vulnerabilities.

Application Security Features by Android Operating System

Android Permission Model

By default there are some Protected API’s in the Android Opertating System which can only be accessed by Operating System. The Protected APIs include

  • Camera functions
  • Location data (GPS)
  • Bluetooth functions
  • Telephony functions
  • SMS/MMS functions
  • Network/data connections

If a particular application needs access to any of the API then it need to mention that permission in AndroidManifest.xml file. You might have observed that when installing a particular application from Google Play Store it ask for several permissions needed,if you don’t allow then app won’t install. If that user agrees to grant those permissions then Android operating system gives access to that Protected API.

Below is the Permission Dialog while installing famous Subway Surfer Game.
[图片上传失败...(image-f4ff0b-1555466519483)]

Did you ever thought ? why this game needs access to your Photos, Browsing History, User Accounts,Bookmarks,etc? Probably not but you should.

Application Signing

  • Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app.
  • To run application on the device ,it should be signed.When application is installed on to an device then package manager verifies that whether the application has been properly signed with the certificate in the apk file or not.
  • Application can be self signed or can be signed through CA.
  • Application signing ensures that one application can’t access any other application except through well-defined IPC and also that it is passed unmodified to the device.

Application Verification

  • Android 4.2 and later support application verification. Users can choose to enable “Verify Apps” and have applications evaluated by an application verifier prior to installation.
  • App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.

Android Sandbox

Once installed on a device, each Android app lives in its own security sandbox: – The Android operating system is a multi-user Linux system in which each app is a different user.

  • By default, the system assigns each app a unique Linux user ID (the ID is used only by the system and is unknown to the app). The system sets permissions for all the files in an app so that only the user ID assigned to that app can access them.

  • Each process has its own virtual machine (VM), so an app’s code runs in isolation from other apps.

  • By default, every app runs in its own Linux process. Android starts the process when any of the app’s components need to be executed, then shuts down the process when it’s no longer needed or when the system must recover memory for other apps.

In this way, the Android system implements the principle of least privilege, that is each app by default has access only to the components that it requires to do its work and no more. This creates a very secure environment in which an app cannot access parts of the system for which it is not having permission. As every Android app runs in its own sandbox environment and cannot affect other apps by default but two apps can have same Linux User ID and can also share the same Dalvik VM if they are signed with the same Certificates.

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,053评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 85,527评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 150,779评论 0 337
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,685评论 1 276
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,699评论 5 366
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,609评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,989评论 3 396
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,654评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,890评论 1 298
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,634评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,716评论 1 330
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,394评论 4 319
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,976评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,950评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,191评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 44,849评论 2 349
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,458评论 2 342