AndroidManifest.xml Security Problems: A Detailed Explanation

  • 2021-11-24 03:00:08
  • OfStack

0x00 About AndroidManifest.xml

AndroidManifest.xml is a required file in every Android application. Located at the root of the project, the manifest provides the Android system with basic information about the application, which the system must have before it can run any of the application's code. In other words, because an app runs on the Android system, it must provide this information to the system, and that information lives in AndroidManifest.xml. In a project, AndroidManifest.xml is stored in the directory app/src/main/. After the APK file is decompiled, the manifest is in a format that appears garbled and must be converted before it can be read normally.

Main functions of AndroidManifest.xml

1. It names the application's Java package; the package name is the unique identifier of the application.
2. It describes the components of the application, including Activity, Service, Broadcast Receiver, and Content Provider. It also names the classes that implement each component and publishes their capabilities, such as the Intent messages they can handle. These declarations tell the Android system which components exist and the conditions under which they can be started.
3. It determines which processes host the application's components.
4. It declares what permissions the app has: the permissions the application must hold to access protected parts of the API and to interact with other applications, and the permissions that others need in order to interact with the application's components.
5. It lists the Instrumentation classes that provide profiling and other information while the application is running. These declarations exist only while the application is under development and are removed before the application is released.
6. It declares the minimum Android API level required by the application.
7. It lists the libraries that the application must link to.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mwr.example.sieve">
 <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
 <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
 <uses-permission android:name="android.permission.INTERNET"/>
 <permission android:label="Allows reading of the Key in Sieve" android:name="com.mwr.example.sieve.READ_KEYS" android:protectionLevel="dangerous"/>
 <permission android:label="Allows editing of the Key in Sieve" android:name="com.mwr.example.sieve.WRITE_KEYS" android:protectionLevel="dangerous"/>
 <application android:allowBackup="true" android:debuggable="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme">
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_file_select" android:name=".FileSelectActivity"/>
 <activity android:excludeFromRecents="true" android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainLoginActivity" android:windowSoftInputMode="adjustResize|stateVisible">
 <intent-filter>
 <action android:name="android.intent.action.MAIN"/>
 <category android:name="android.intent.category.LAUNCHER"/>
 </intent-filter>
 </activity>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pwlist" android:name=".PWList"/>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_settings" android:name=".SettingsActivity"/>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_add_entry" android:name=".AddEntryActivity"/>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_short_login" android:name=".ShortLoginActivity"/>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_welcome" android:name=".WelcomeActivity"/>
 <activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pin" android:name=".PINActivity"/>
 <service android:exported="true" android:name=".AuthService" android:process=":remote"/>
 <service android:exported="true" android:name=".CryptoService" android:process=":remote"/>
 <provider android:authorities="com.mwr.example.sieve.DBContentProvider" android:exported="true" android:multiprocess="true" android:name=".DBContentProvider">
 <path-permission android:path="/Keys" android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS"/>
 </provider>
 <provider android:authorities="com.mwr.example.sieve.FileBackupProvider" android:exported="true" android:multiprocess="true" android:name=".FileBackupProvider"/>
 </application>
</manifest>

0x01 Analysis of risk points in AndroidManifest.xml

1. allowBackup Setting Risk

Android API Level 8 (Android 2.1) and above provide backup and restore functionality for application data. It is switched on and off by the allowBackup attribute in the application's AndroidManifest.xml file, which defaults to true. When allowBackup is not explicitly set to false, attackers can back up and restore application data through adb backup and adb restore, and may obtain sensitive user information that is stored in plaintext.

android:allowBackup=["true" | "false"]


$ adb backup -nosystem -noshared -apk -f backup.ab com.example.demo
$ adb restore backup.ab

-nosystem: system applications are not backed up
-noshared: data stored on the SD card is not backed up
-apk: the application's APK installation package is included in the backup
-f: the path and name of the .ab file to write (backup.ab here is a placeholder name); the last argument is the packageName of the application to back up
restore: restores the backup data

2. debuggable Setting Risk

This attribute specifies whether the application can be debugged, even when it runs in user mode on a device. If it is set to true, the application can be debugged. The default value of debuggable is false, so it is recommended to keep the default configuration.

android:debuggable=["true" | "false"]

3. Component export risk

The four major components:

Activity
Broadcast Receiver
Service
Content Provider

Exported components can be called arbitrarily by third-party apps, which can leak sensitive information and can be used for authentication bypass, malicious code injection, SQL injection, denial of service and other attacks.

Default value of exported in Activity

When there is no intent filter, the default is false.
When an intent filter is present, the default is true.

The intent filter tag identifies the main Activity, and every app has one main Activity. When an Activity of the application does not need to be exported, or has an intent filter configured, it is recommended to explicitly set android:exported="false". If the component must be exported to other applications, it is recommended to protect the component with a permission.

The default values for Broadcast Receiver and Service are the same as for Activity.

Default value of exported in Content Provider

When minSdkVersion or targetSdkVersion is less than 16, the default is true.
When it is greater than 17, the default is false.

4. Customize permission risks

In the security model of the Android system, applications are by default not allowed to do anything that adversely affects other applications, the system, or the user. If an application needs to perform such an operation, it must declare the corresponding permission, that is, add a <uses-permission> tag to the AndroidManifest.xml file. You can also define your own custom permissions. However, if permission control is improper, it can lead to security problems such as privilege escalation.


<uses-permission android:name="android.permission.INTERNET"/>
<permission android:label="Allows reading of the Key in Sieve" android:name="com.mwr.example.sieve.READ_KEYS" android:protectionLevel="dangerous"/>
android:protectionLevel=["normal" | "dangerous" | "signature" | "signatureOrSystem"]
normal: This is the lowest-risk permission level. If the application declares this permission, the system grants it by default and does not prompt the user who installs the application for authorization.
dangerous: The system prompts the user when an application declaring this permission is installed, but any app can request and share this permission.
signature: This privilege level is called Advanced privilege or System privilege. It is granted only if the application that sends the request and the application that receives it are signed with the same signature file and declare the permission. It is the default privilege and does not prompt the user for authorization.
signatureOrSystem: This level should be avoided as much as possible; it is oriented toward the system level.
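The four risk points of this section can be checked mechanically on a decoded manifest. The following is an added example, not code from the original article: audit_manifest, effective_exported and the finding labels are hypothetical names, the sample is a trimmed copy of the manifest shown above, and a provider without an explicit android:exported is treated as exported because its default depends on the SDK level.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}
# Constructed sample, trimmed from the manifest shown earlier on this page.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <permission android:name="com.mwr.example.sieve.READ_KEYS" android:protectionLevel="dangerous"/>
 <application android:allowBackup="true" android:debuggable="true">
  <activity android:name=".MainLoginActivity"><intent-filter>
   <action android:name="android.intent.action.MAIN"/>
   <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <activity android:exported="true" android:name=".PWList"/>
  <activity android:name=".SettingsActivity"/>
  <service android:exported="true" android:name=".AuthService"/>
  <provider android:exported="true" android:name=".DBContentProvider"/>
 </application>
</manifest>"""

def effective_exported(comp):
    """Explicit android:exported, else the default: true only with an intent-filter."""
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":  # default depends on SDK level: treat as exported for review
        return True
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return sorted (risk, subject) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(A + "allowBackup", "true") != "false":  # default is true
        findings.append(("allowBackup", "application"))
    if app.get(A + "debuggable", "false") == "true":  # default is false
        findings.append(("debuggable", "application"))
    for comp in (c for c in app if c.tag in COMPONENTS):
        launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        guarded = comp.get(A + "permission") or app.get(A + "permission")
        if effective_exported(comp) and not guarded and not launcher:
            findings.append(("exported-no-permission", comp.get(A + "name")))
    for perm in root.findall("permission"):  # custom permissions declared by the app
        if perm.get(A + "protectionLevel", "normal") in ("normal", "dangerous"):
            findings.append(("weak-protectionLevel", perm.get(A + "name")))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE), sep="\n")
```

The launcher Activity is skipped because it has to stay exported, and .SettingsActivity is not reported because it has neither an explicit exported value nor an intent filter.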

0x02 AndroidManifest.xml structure


<?xml version="1.0" encoding="utf-8"?>
 
<manifest>
 <application>
 <activity>
 <intent-filter>
 <action/>
 <category/>
 </intent-filter>
 </activity>
 <activity-alias>
 <intent-filter></intent-filter>
 <meta-data/>
 </activity-alias>
 <service>
 <intent-filter></intent-filter>
 <meta-data/>
 </service>
 <receiver>
 <intent-filter></intent-filter>
 <meta-data/>
 </receiver>
 <provider>
 <grant-uri-permission/>
 <meta-data/>
 </provider>
 <uses-library/>
 </application>
 <uses-permission/>
 <permission/>
 <permission-tree/>
 <permission-group/>
 <instrumentation/>
 <uses-sdk/>
 <uses-configuration/>
 <uses-feature/>
 <supports-screens/>
</manifest>

0x03 AndroidManifest.xml section introduction

1. manifest


<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.woody.test"
 android:sharedUserId="string"
 android:sharedUserLabel="string resource"
 android:versionCode="integer"
 android:versionName="string"
 android:installLocation=["auto" | "internalOnly" | "preferExternal"] >
</manifest>

2. application


<application android:allowClearUserData=["true" | "false"]
 android:allowTaskReparenting=["true" | "false"]
 android:backupAgent="string"
 android:debuggable=["true" | "false"]
 android:description="string resource"
 android:enabled=["true" | "false"]
 android:hasCode=["true" | "false"]
 android:icon="drawable resource"
 android:killAfterRestore=["true" | "false"]
 android:label="string resource"
 android:manageSpaceActivity="string"
 android:name="string"
 android:permission="string"
 android:persistent=["true" | "false"]
 android:process="string"
 android:restoreAnyVersion=["true" | "false"]
 android:taskAffinity="string"
 android:theme="resource or theme" >
</application>

3. activity


<activity android:allowTaskReparenting=["true" | "false"]
 android:alwaysRetainTaskState=["true" | "false"]
 android:clearTaskOnLaunch=["true" | "false"]
 android:configChanges=["mcc", "mnc", "locale",
   "touchscreen", "keyboard", "keyboardHidden",
   "navigation", "orientation", "screenLayout",
   "fontScale", "uiMode"]
 android:enabled=["true" | "false"]
 android:excludeFromRecents=["true" | "false"]
 android:exported=["true" | "false"]
 android:finishOnTaskLaunch=["true" | "false"]
 android:icon="drawable resource"
 android:label="string resource"
 android:launchMode=["multiple" | "singleTop" |
  "singleTask" | "singleInstance"]
 android:multiprocess=["true" | "false"]
 android:name="string"
 android:noHistory=["true" | "false"]
 android:permission="string"
 android:process="string"
 android:screenOrientation=["unspecified" | "user" | "behind" |
   "landscape" | "portrait" |
   "sensor" | "nosensor"]
 android:stateNotNeeded=["true" | "false"]
 android:taskAffinity="string"
 android:theme="resource or theme"
 android:windowSoftInputMode=["stateUnspecified",
   "stateUnchanged", "stateHidden",
   "stateAlwaysHidden", "stateVisible",
   "stateAlwaysVisible", "adjustUnspecified",
   "adjustResize", "adjustPan"] > 
</activity>

4. intent-filter


<intent-filter android:icon="drawable resource"
 android:label="string resource"
 android:priority="integer" >
<action />
<category />
<data />
</intent-filter>

5. meta-data


<meta-data android:name="string"
  android:resource="resource specification"
  android:value="string"/>

6. activity-alias


<activity-alias android:enabled=["true" | "false"]
  android:exported=["true" | "false"]
  android:icon="drawable resource"
  android:label="string resource"
  android:name="string"
  android:permission="string"
  android:targetActivity="string">
 
<intent-filter/>
<meta-data/>
</activity-alias>

7. service



8. receiver

9. provider



10. uses-library

11. supports-screens



12. uses-configuration and uses-feature


<uses-configuration android:reqFiveWayNav=["true" | "false"]
   android:reqHardKeyboard=["true" | "false"]
   android:reqKeyboardType=["undefined" | "nokeys" | "qwerty" | "twelvekey"]
   android:reqNavigation=["undefined" | "nonav" | "dpad" | "trackball" | "wheel"]
   android:reqTouchScreen=["undefined" | "notouch" | "stylus" | "finger"] />
 
<uses-feature android:glEsVersion="integer"
  android:name="string"
  android:required=["true" | "false"] />

13. uses-sdk



14. instrumentation



15. Differences between <permission>, <uses-permission>, <permission-tree/> and <permission-group/>

The most commonly used is <uses-permission>. When we need to obtain a certain permission, we must declare it in our manifest file. <uses-permission> is at the same level as <application>.

Normally we don't need to declare a permission for our own application unless we provide code or data for other applications to call. That is when the <permission> tag is needed: it lets us declare our own permissions. For example:



Then the custom permission can be declared on an activity, such as:



Of course, a permission you declare yourself cannot be used at will; you still need <uses-permission> to declare that you need it. <permission-group> declares a label that represents a set of permissions, and <permission-tree> declares a namespace for a set of permissions. These two tags can be seen in previous articles in this series.

