<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
<!-- The package name, which is the unique identifier for the app in the Android ecosystem. -->
package="com.example.app"
<!-- The version of the Android SDK used to compile the app. -->
android:compileSdkVersion="34"
<!-- The codename for the compile SDK version (e.g., "14" for Android 14). -->
android:compileSdkVersionCodename="14"
<!-- The internal version code of the platform used to build the app. -->
platformBuildVersionCode="34"
<!-- The version name of the platform used to build the app, corresponding to the codename of the Android version. -->
platformBuildVersionName="14">
<!-- Permissions required by the app -->
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<!-- Declaring minimum and target SDK versions -->
<uses-sdk android:minSdkVersion="29" android:targetSdkVersion="34" />
<!-- Declaring features required by the app -->
<uses-feature android:name="android.hardware.camera" android:required="true" />
<uses-feature android:name="android.hardware.location.gps" android:required="false" />
<!-- Main application block -->
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:networkSecurityConfig="@xml/network_security_config"
android:theme="@style/AppTheme">
<!-- Main launcher activity -->
<activity android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- Another activity with an intent filter -->
<activity android:name=".DeepLinkActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="https" android:host="www.example.com" android:pathPrefix="/deeplink" />
</intent-filter>
</activity>
<!-- Service example -->
<service android:name=".MyService"
android:enabled="true"
android:exported="false">
</service>
<!-- Broadcast receiver example -->
<receiver android:name=".MyBroadcastReceiver"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<!-- Content provider example -->
<provider
android:name=".MyContentProvider"
android:authorities="com.example.app.provider"
android:enabled="true"
android:exported="true" />
<!-- Meta-data example -->
<meta-data
android:name="com.google.android.geo.API_KEY"
android:value="your_google_maps_api_key_here" />
</application>
</manifest>
aapt utility
Dump all permissions
aapt dump permissions app.apk
Dump all strings
aapt dump strings app.apk
Dump all intent-filters
NOTE: Make you sure file AndroidManifest.xml is in the same directory as you execute aapt when dump data from any AndroidManifest.xml.
aapt dump xmltree app.apk AndroidManifest.xml | grep -A 4 "intent-filter"
Tip: Use grep command to find interesting strings like passwords, leaked tokens, URLs and endpoints, IP addresses, etc...
Getting the APK / APKS directly from the Google Play Store
Download the App from the Google Play Store
List the users present on the Android Device
adb shell 'pm list users'
List the path/s for the APK / APKs (i.e.: base.apk, split_config.arm64_v8a.apk, etc...)
adb shell 'pm list packages --user 0 | grep <package-name>'
Pull the APK / APKs from the Android Device through ADB shell with the following commands:
- "adb devices":
- "Show connected devices"
- "adb root":
- "Get a root shell - Works only on certain images. Example: LineageOS."
- "adb reboot bootloader":
- "Reboot the device into the boot loader mode"
- "adb shell install -r":
- "Install a new package (overwrite existing one)"
- "adb push <local> <remote>":
- "Upload a file from the laptop to the phone"
- "adb pull <remote> <local>":
- "Download a file from the phone to the laptop"
- "adb shell dumpsys iphonesybinfo":
- "Get the IMEI"
- "adb get-serialno":
- "Serial number of the device"
- "adb shell pm list features":
- "List the features of the smartphone"
- "adb shell screencap -p \"/Path/To/Save/Image.png\"":
- "Take a screenshot"
- "adb shell screen record \"/Path/CaptureRecord.mp4\"":
- "Capture a video of the device screen"
- "adb shell am start -W -c android.intent.category.HOME -a android.intent.action.MAIN":
- "Simulating pressing the Home Button"
- "adb shell am start|startservice|broadcast <INTENT>":
- "Start an Intent / service / broadcast receiver"
- "adb logcat":
- "System log information"
- "adb bugreport":
- "Dump the whole device information like dumpstate, dumpsys and logcat output. Important to get the Bluetooth Low Energy log!"
- "adb backup":
- "Backup all applications that have the 'backup=true' in their Manifest.xml"
- "fastboot devices":
- "List available devices in fastboot mode"
- "adb shell pm reset-permissions -p your.app.package":
- "Resets all the permissions of an app"
- "adb shell pm path <package name>":
- "Shows the path to the APK which can be downloaded (see adb pull) even without root permissions."
- "adb input touch <x> <y>":
- "Perform a touch event at the given coordinates"
DEX Files
Use dex2jar to convert .dex files in .jar files.
d2j-dex2jar classes.dex -o classes.jar
Then analyze it with Jadx-gui
Using Nuclei to automate the proccess of finding endpoints and hidden information
Extract APK with APKtool
apktool d app.apk -o app_output_directory
Run Nuclei and find secrets keys and vulnerabilities
