SoFunction
Updated on 2025-04-07

Detailed explanation of the security issues involving AndroidManifest.xml

0x00 About AndroidManifest.xml

AndroidManifest.xml is a required file in every Android program. It sits in the root directory of the project and provides the Android system with basic information about the application, which the system must have before it can run any of the application's code. In other words, because the app runs on the Android system, it must describe itself to the system, and that description lives in AndroidManifest.xml. In the project source it is stored in the app/src/main/ directory. After an APK file is decompiled, the file is in a garbled (unreadable) format and must be converted before it can be viewed normally.

Main functions

  1. It names the application's Java package; the package name is the unique identifier of the application;
  2. It describes the components of the application, including the Activity, Service, Broadcast Receiver, and Content Provider components that make up the application. It also names the classes that implement each component and publishes their capabilities, such as the Intent messages they can handle. These declarations tell the Android system about the components and the conditions under which they can be started;
  3. It decides which processes host the application's components;
  4. It declares the permissions the app must have in order to access protected parts of the API and interact with other applications. It also declares the permissions that others need in order to interact with the components of the application;
  5. It lists the Instrumentation classes that provide profiling and other information while the application is running. These declarations only exist while the application is in development and are removed before the application is published;
  6. It declares the lowest level of the Android API required by the application;
  7. It lists the libraries that the application must link to.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:andro package="">
  <uses-permission android:name=".READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name=".WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name=""/>
  <permission android:label="Allows reading of the Key in Sieve" android:name=".READ_KEYS" android:protectionLevel="dangerous"/>
  <permission android:label="Allows editing of the Key in Sieve" android:name=".WRITE_KEYS" android:protectionLevel="dangerous"/>
  <application android:allowBackup="true" android:debuggable="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme">
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_file_select" android:name=".FileSelectActivity"/>
    <activity android:excludeFromRecents="true" android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainLoginActivity" android:windowSoftInputMode="adjustResize|stateVisible">
      <intent-filter>
        <action android:name=""/>
        <category android:name=""/>
      </intent-filter>
    </activity>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pwlist" android:name=".PWList"/>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_settings" android:name=".SettingsActivity"/>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_add_entry" android:name=".AddEntryActivity"/>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_short_login" android:name=".ShortLoginActivity"/>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_welcome" android:name=".WelcomeActivity"/>
    <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pin" android:name=".PINActivity"/>
    <service android:exported="true" android:name=".AuthService" android:process=":remote"/>
    <service android:exported="true" android:name=".CryptoService" android:process=":remote"/>
    <provider android:authorities="" android:exported="true" android:multiprocess="true" android:name=".DBContentProvider">
      <path-permission android:path="/Keys" android:readPermission=".READ_KEYS" android:writePermission=".WRITE_KEYS"/>
    </provider>
    <provider android:authorities="" android:exported="true" android:multiprocess="true" android:name=".FileBackupProvider"/>
  </application>
</manifest>

0x01 Risk Point Analysis

1. AllowBackup setting risk

Android systems at API Level 8 (Android 2.1) and above provide backup and restore functions for application data. Whether this function is switched on depends on the allowBackup attribute in the application's AndroidManifest.xml file, and the attribute value is true by default. When allowBackup is not explicitly set to false, an attacker can back up and restore the application data through adb backup and adb restore, and so obtain sensitive user information stored in plaintext.

android:allowBackup=["true" | "false"]

$ adb backup -nosystem -noshared -apk -f 
$ adb restore 
  • -nosystem means system applications are not backed up
  • -noshared means the application's data stored on the SD card is not backed up
  • -apk means the application's APK installation package is backed up
  • -f gives the path and file name of the backup .ab file; the last argument is the packageName of the application to be backed up
  • restore restores the backup data

2. Debuggable setting risk

This attribute specifies whether the application can be debugged. If it is set to true, the application can be debugged even when it runs on a device in user mode. However, the default value of debuggable is false in Android versions, so it is recommended to keep the default configuration.

android:debuggable=["true" | "false"]

3. Component export risk

Four major components

  • Activity
  • Broadcast Receiver
  • Service
  • Content Provider

Exported components can be called arbitrarily by third-party apps, which can leak sensitive information and can be used for authentication bypass, malicious code injection, SQL injection, denial of service and other attacks.

The default value of exported in Activity

  • When there is no intent filter, the default is false
  • When there is an intent filter, the default is true

The intent filter tag represents the main activity, and each app has a main activity. Therefore, when an application's Activity does not need to be exported, or when the intent filter tag is configured, it is recommended to explicitly set android:exported="false". If the component must be exported to other applications, it is recommended to control access to the component with permissions.

The default values of Broadcast Receiver and Service are the same as those of Activity.

The default value of exported in Content Provider

When minSdkVersion or targetSdkVersion is less than 16, the default is true; when it is greater than 17, the default is false.

4. Custom permission risk

In the Android security model, an application cannot by default perform any operation that negatively affects other applications, the system, or the user. If the application needs to perform such an operation, it must declare the corresponding permission, that is, add a <uses-permission> tag to the AndroidManifest.xml file. You can also define your own custom permissions. However, if permission control is improper, it can lead to security issues such as overreach of authority.

<uses-permission android:name=""/>
<permission android:label="Allows reading of the Key in Sieve" android:name=".READ_KEYS" android:protectionLevel="dangerous"/>
android:protectionLevel=["normal" | "dangerous" | "signature" | "signatureOrSystem"]
  1. normal: This is the minimum-risk permission. If the application declares this permission, the system grants it by default, and the user who installs the application is not prompted to authorize it;
  2. dangerous: The system prompts the user when installing an application that declares such a permission, but all apps can access and share this permission;
  3. signature: This permission level is called advanced permission or system permission. It is granted only if the application sending the request and the application receiving the request are signed with the same signature file and have declared the permission. It is granted by default and does not prompt the user to authorize it;
  4. signatureOrSystem: This permission level should be avoided as much as possible and is biased towards the system level.
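
The four risk points above can be checked mechanically once the manifest has been decoded to text. The following Python audit is an added example, not code from the original article; the sample manifest, the package name com.example.demo and all function names are constructed for illustration, and a provider with no explicit android:exported is simply treated as exported because its default varies with the SDK level.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}

# Constructed sample of a decoded manifest; package and component names are placeholders.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.READ_KEYS" android:protectionLevel="dangerous"/>
  <permission android:name="com.example.demo.WRITE_KEYS" android:protectionLevel="signature"/>
  <application android:debuggable="true">
    <activity android:name=".Settings"/>
    <receiver android:name=".SyncReceiver"><intent-filter>
      <action android:name="com.example.demo.SYNC"/></intent-filter></receiver>
    <service android:name=".Auth" android:exported="true"/>
    <provider android:name=".Db" android:authorities="com.example.demo.db" android:exported="true"
      android:readPermission="com.example.demo.READ_KEYS" android:writePermission="com.example.demo.WRITE_KEYS"/>
  </application>
</manifest>"""

def attr(el, name, default=None):
    return el.get(NS + name, default)

def is_exported(el):
    explicit = attr(el, "exported")
    if explicit is not None:  # an explicit value always wins
        return explicit == "true"
    # Unset: providers are treated as exported; other components follow the intent-filter rule
    return el.tag == "provider" or el.find("intent-filter") is not None

def guarded(el):
    """True when callers need a permission (a provider may cover read and write separately)."""
    return bool(attr(el, "permission") or (el.tag == "provider"
                and attr(el, "readPermission") and attr(el, "writePermission")))

def audit(manifest_xml):
    """Return (rule, subject) findings for the four risk points in this section."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if attr(app, "allowBackup", "true") == "true":  # unset counts as true
        findings.append(("allowBackup", "application"))
    if attr(app, "debuggable", "false") == "true":
        findings.append(("debuggable", "application"))
    for el in app:
        if el.tag in COMPONENTS and is_exported(el) and not guarded(el):
            findings.append(("exported", attr(el, "name")))
    for perm in root.findall("permission"):
        if attr(perm, "protectionLevel", "normal") in ("normal", "dangerous"):
            findings.append(("protectionLevel", attr(perm, "name")))
    return findings
```

Calling audit(SAMPLE) reports the unset allowBackup, the debuggable flag, the implicitly exported receiver, the unguarded exported service, and the custom permission declared at the dangerous level.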

0x02 Structure

<?xml version="1.0" encoding="utf-8"?>

<manifest>
  <application>
    <activity>
      <intent-filter>
        <action/>
        <category/>
      </intent-filter>
    </activity>
    <activity-alias>
      <intent-filter></intent-filter>
      <meta-data/>
    </activity-alias>
    <service>
      <intent-filter></intent-filter>
      <meta-data/>
    </service>
    <receiver>
      <intent-filter></intent-filter>
      <meta-data/>
    </receiver>
    <provider>
      <grant-uri-permission/>
      <meta-data/>
    </provider>
    <uses-library/>
  </application>
  <uses-permission/>
  <permission/>
  <permission-tree/>
  <permission-group/>
  <instrumentation/>
  <uses-sdk/>
  <uses-configuration/>
  <uses-feature/>
  <supports-screens/>
</manifest>

0x03 Section Introduction

1. manifest

<manifest xmlns:andro
 package=""
 android:sharedUserId="string"
 android:sharedUserLabel="string resource"
 android:versionCode="integer"
 android:versionName="string"
 android:installLocation=["auto" | "internalOnly" | "preferExternal"] >
</manifest>

2. application

<application android:allowClearUserData=["true" | "false"]
 android:allowTaskReparenting=["true" | "false"]
 android:backupAgent="string"
 android:debuggable=["true" | "false"]
 android:description="string resource"
 android:enabled=["true" | "false"]
 android:hasCode=["true" | "false"]
 android:icon="drawable resource"
 android:killAfterRestore=["true" | "false"]
 android:label="string resource"
 android:manageSpaceActivity="string"
 android:name="string"
 android:permission="string"
 android:persistent=["true" | "false"]
 android:process="string"
 android:restoreAnyVersion=["true" | "false"]
 android:taskAffinity="string"
 android:theme="resource or theme" >
</application>

3. activity

<activity android:allowTaskReparenting=["true" | "false"]
 android:alwaysRetainTaskState=["true" | "false"]
 android:clearTaskOnLaunch=["true" | "false"]
 android:configChanges=["mcc", "mnc", "locale",
   "touchscreen", "keyboard", "keyboardHidden",
   "navigation", "orientation", "screenLayout",
   "fontScale", "uiMode"]
 android:enabled=["true" | "false"]
 android:excludeFromRecents=["true" | "false"]
 android:exported=["true" | "false"]
 android:finishOnTaskLaunch=["true" | "false"]
 android:icon="drawable resource"
 android:label="string resource"
 android:launchMode=["multiple" | "singleTop" |
  "singleTask" | "singleInstance"]
 android:multiprocess=["true" | "false"]
 android:name="string"
 android:noHistory=["true" | "false"]
 android:permission="string"
 android:process="string"
 android:screenOrientation=["unspecified" | "user" | "behind" |
   "landscape" | "portrait" |
   "sensor" | "nosensor"]
 android:stateNotNeeded=["true" | "false"]
 android:taskAffinity="string"
 android:theme="resource or theme"
 android:windowSoftInputMode=["stateUnspecified",
   "stateUnchanged", "stateHidden",
   "stateAlwaysHidden", "stateVisible",
   "stateAlwaysVisible", "adjustUnspecified",
   "adjustResize", "adjustPan"] > 
</activity>

4. intent-filter

<intent-filter android:icon="drawable resource"
 android:label="string resource"
 android:priority="integer" >
<action />
<category />
<data />
</intent-filter>

5. meta-data

<meta-data android:name="string"
  android:resource="resource specification"
  android:value="string"/>

6. activity-alias

<activity-alias android:enabled=["true" | "false"]
  android:exported=["true" | "false"]
  android:icon="drawable resource"
  android:label="string resource"
  android:name="string"
  android:permission="string"
  android:targetActivity="string">
 
<intent-filter/>
<meta-data/>
</activity-alias>

7. service

<service android:enabled=["true" | "false"]
android:exported=["true" | "false"]
android:icon="drawable resource"
android:label="string resource"
android:name="string"
android:permission="string"
android:process="string">
</service>

8. receiver

9. provider

<provider android:authorities="list"
android:enabled=["true" | "false"]
android:exported=["true" | "false"]
android:grantUriPermissions=["true" | "false"]
android:icon="drawable resource"
android:initOrder="integer"
android:label="string resource"
android:multiprocess=["true" | "false"]
android:name="string"
android:permission="string"
android:process="string"
android:readPermission="string"
android:syncable=["true" | "false"]
android:writePermission="string">
<grant-uri-permission/>
<meta-data/>
</provider>

10. uses-library

11. supports-screens

<supports-screens android:smallScreens=["true" | "false"]
   android:normalScreens=["true" | "false"]
   android:largeScreens=["true" | "false"]
   android:anyDensity=["true" | "false"] />

12. uses-configuration and uses-feature

<uses-configuration android:reqFiveWayNav=["true" | "false"]
   android:reqHardKeyboard=["true" | "false"]
   android:reqKeyboardType=["undefined" | "nokeys" | "qwerty" | "twelvekey"]
   android:reqNavigation=["undefined" | "nonav" | "dpad" | "trackball" | "wheel"]
   android:reqTouchScreen=["undefined" | "notouch" | "stylus" | "finger"] />
 
<uses-feature android:glEsVersion="integer"
  android:name="string"
  android:required=["true" | "false"] />

13. uses-sdk

<uses-sdk android:minSdkVersion="integer"
  android:targetSdkVersion="integer"
  android:maxSdkVersion="integer"/>

14. instrumentation

<instrumentation android:functionalTest=["true" | "false"]
   android:handleProfiling=["true" | "false"]
   android:icon="drawable resource"
   android:label="string resource"
   android:name="string"
   android:targetPackage="string"/>

15. Differences between <permission>, <uses-permission>, <permission-tree />, <permission-group />

The most commonly used one is <uses-permission>. When we need to obtain a certain permission, we must declare it in our manifest file. <uses-permission> is at the same level as <application>; see the permission list for the specific permissions.

Normally, we don't need to declare a permission for our own application unless it provides code or data for other applications to call. Only then do you need the <permission> tag, which lets us declare our own permissions. For example:

<permission android:name=".MY_SECURITY" . . . />

Then you can declare the custom permission in the activity, such as:

<application . . .>
  <activity android:name="XXX" . . .
    android:permission=".MY_SECURITY"> </activity>
</application>

Of course, a permission you declare yourself cannot be used at will; you still need <uses-permission> to declare that you need this permission. <permission-group> declares a tag that represents a set of permissions, and <permission-tree> is a namespace declared for a set of permissions. These two tags can be found in the previous series of articles.
