Android App Security: Android Application Architecture

From dzone.com


In this series of articles, we are going to learn about Android application security. Before getting into the security aspects of Android apps, here are a few reasons to learn about Android AppSec, whether you are an Android developer, a regular user of Android phones, or a security engineer/analyst.

The global smartphone landscape has evolved significantly over the past decade. With Android holding around 70% of the market share globally and iOS capturing the rest, mobile devices have become essential in our daily lives. Here are some notable trends and statistics:

The average user has between 60 and 90 apps installed, though they typically use around 30 regularly. Popular apps include essentials like messaging, social media, and streaming services.

At its core, the operating system is known as the Android Open Source Project (AOSP)[6] and is free and open-source software (FOSS) primarily licensed under the Apache License.

Google acquired Android in 2005 and open-sourced it, after which many manufacturers started using it. Android is based on the Linux kernel. Mobile devices are constrained by battery, network, and screen size, yet users expect performance on a phone similar to a desktop or laptop. With these constraints in mind, Android OS changed several key features of the underlying system.

From a simple mobile OS to a platform driving smartphones, tablets, wearables, and smart devices, Android's evolution has been marked by continuous innovation, user-focused features, and a broad ecosystem that spans the globe. With its open-source nature and strong support from both Google and hardware manufacturers, Android remains at the forefront of mobile technology.

All the changes/details are out of scope for this series. We will concentrate on Android applications and their security aspects.

The structure of the series is going to be:

The series will mostly follow this structure, but topics may be split or merged depending on how each article turns out. There are several free and paid courses available on the internet; this one is going to be beginner-friendly. Let's go!

The Android Platform Architecture is layered to manage hardware interactions indirectly, providing both efficiency and security. At the foundation is the Linux Kernel, which ensures hardware resources are managed securely. However, hardware communication for components like Audio, Bluetooth, USB, Camera, and WiFi doesn't happen directly with the kernel. Instead, it flows through multiple layers, each adding abstraction, as follows:

The Linux kernel is the base of the Android OS, managing core system services like memory, process management, networking, and security.

It also includes drivers for device hardware, abstracting the details of hardware interaction and providing interfaces for higher-level components.

The HAL serves as an intermediary, allowing the Android system to interact with device hardware without knowing hardware specifics.

For each hardware type (such as Bluetooth or WiFi), there's a corresponding HAL module, enabling Android's high-level APIs to perform operations regardless of device manufacturer specifics.

Android Runtime is where Android applications run. Each app operates on its own instance, providing isolation, security, and optimized performance.

Android includes a set of core libraries written in C/C++ that handle essential functions such as graphics rendering, media playback, and database management.

The Java API Framework is the core of Android app development. It provides high-level services and is organized into components like:

System apps provide essential functionality and include apps like the dialer, SMS, and email client. These interact with the Java API Framework and provide standardized features users expect from Android devices.

This layered architecture ensures:

We now understand the Android Platform Architecture a little bit (it's not required to understand in depth). However, we need to understand the Android Application Architecture in detail. Then it is easy to secure the application.

We use Android Studio as the primary IDE to develop Android applications. Android Studio bundles everything the app needs into an APK file. An APK file is a plain ZIP file that contains the various files that make up an Android application.

An example of a file command on an APK file is below:

It's a JAR file similar to any Java application. We can rename it as a ZIP and extract the contents of the APK file easily.

There are several image and XML files. However, the source code of the Android application will be bundled and packed as a DEX file. We can find that as well in this extraction as the file.

As we discussed earlier, Android applications are developed with the mobile device in mind. The DEX file format is designed to suit mobile devices better than the JAR format does. We will discuss this in more detail in the "Reverse Engineering of Android Application" post.

This is the overall structure of the Android application. However, Android applications will have different components that are crucial in interacting with users and performing different tasks.

Android apps are built on a structured architecture that consists of layers and components designed to handle UI, data, and business logic separately. This organized structure helps ensure the application is secure, maintainable, and performant.

These components interact through a well-defined Android Component Lifecycle, which helps manage resources and enhances security, especially around permissions and access control.

Next, we will create a simple "Hello, World!" Android application with the help of Android Studio.

We can use any IDE to create Android Applications, but Android Studio is the recommended one since it has all the required tools to develop, build, bundle, compile, and package the code into a proper release application.

Use this URL to download the required package that matches your OS.

After installation, you can open the Android Studio to get started to create your first app.

It will take a few minutes to build and pull the required info. Once everything is loaded, you can click on the "Run" button in the menu to push your app onto the device/emulator. In the screenshot below, we can see the "Hello, World!" app installed on the emulator.

There is a complete tutorial from Android to get started with Android development. You can start learning from it more, but it's better to do a few levels in that course so you get some understanding of Android development which is going to help in security as well.

The installed application will be in the /data/app/ folder of the Android device/emulator. Normally, Android OS restricts access to this directory, but on a rooted device we can access the files.

Below is the location of our app on the device:

Let's understand what's going on here: when installing any application, Android OS creates a folder in the /data/app/ directory whose name includes a Base64 value to avoid collisions. To find our app, we can search all the folders with our app name or quick .

Let's pull our Hello World app and see what's inside. Extract the contents from the APK file.
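Because an APK is just a ZIP archive, the same inspection can be done with a few lines of code rather than by renaming and unpacking by hand. The script below is an added example, not code from the article or from Android Studio: it opens an APK with Python's standard zipfile module, lists the entries, checks the magic header of each DEX file (which begins with the bytes dex\n followed by a three-digit format version and a NUL), and reports whether the archive carries v1 (JAR-style) signature files under META-INF/. The tiny APK produced by make_sample_apk() is constructed for this example so the script runs offline; its DEX entries are header-sized stubs, not real compiled code.

```python
"""Inspect an APK as the ZIP archive it is (added example, not from the article).

The compiled app code lives in one or more DEX files (classes.dex,
classes2.dex, ...), the manifest in AndroidManifest.xml, and v1 signatures
under META-INF/.  make_sample_apk() builds a constructed stand-in APK so the
script can run without a device or Android Studio.
"""
import io
import re
import sys
import zipfile

# A DEX file starts with b"dex\n" + three ASCII digits (format version) + NUL.
DEX_MAGIC = re.compile(rb"^dex\n(\d{3})\0")


def make_sample_apk() -> bytes:
    """Build a minimal, constructed APK-like ZIP in memory (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML stub
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 0x68)  # header-sized stub
        zf.writestr("classes2.dex", b"dex\n039\0" + b"\0" * 0x68)  # second DEX (multidex)
        zf.writestr("res/layout/activity_main.xml", b"\x03\x00")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # PKCS#7 stub
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise the structure of an APK given as raw bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex_versions = {}
        for name in names:
            # Only top-level classesN.dex entries hold the app's bytecode.
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                match = DEX_MAGIC.match(zf.read(name)[:8])
                dex_versions[name] = match.group(1).decode() if match else None
        # v1 signing leaves a signature block file (.RSA/.DSA/.EC) under META-INF/.
        has_v1_signature = any(
            n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
            for n in names
        )
        return {
            "entries": len(names),
            "has_manifest": "AndroidManifest.xml" in names,
            "dex_versions": dex_versions,
            "has_v1_signature": has_v1_signature,
        }


if __name__ == "__main__":
    # Usage: python inspect_apk.py [path/to/app.apk]; with no argument the
    # constructed sample archive is inspected instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_apk()
    for key, value in inspect_apk(data).items():
        print(f"{key}: {value}")
```

A caveat when reading the has_v1_signature field on a real APK: modern apps are usually signed with the v2/v3 scheme, which stores the signature in an APK Signing Block outside the ZIP entries, so the absence of META-INF/*.RSA does not by itself mean the package is unsigned. The DEX version check is a cheap sanity test that the file you are about to analyse really is Dalvik bytecode and not, say, a renamed resource.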

Even though we didn't write a single line of code manually while creating this app, we see a bunch of files and code.

It's all handled by Android Studio which does the magic.

Reverse engineering an Android application is easy compared to an iOS application. But if an Android app uses obfuscation (transforming human-readable code into a form that is hard for people to read while the machine can still execute it), it's not easy to understand what's going on in the code.

Let's consider there are no obfuscation methods used similar to our basic "Hello, World!" app. Then there are several tools available to get the original code back.

The detailed build process has several steps and is out of scope for this series. But it's good to have a high level of understanding. This diagram shows the compilation process.

You can directly install these tools with or follow the steps listed on the websites.

Going forward, we use several tools for testing/analyzing the apps. Tool installation steps won't be available in these posts.

Jadx-gui provides an easy way of accessing the code by just opening the APK file. The below screenshot provides an overview of our "Hello, World!" app.
