“Gartner Listed - mobile application security guide”

May 24, 2016

Android security features

Android is widely regarded as the more problematic platform when compared to iOS. When undertaking Android mobile app security testing, it helps to understand the security features of the Android application environment.

AndroidManifest.xml

The AndroidManifest.xml file controls the interaction between all top-level components (activities, broadcast receivers, and content providers) in an app. Because the AndroidManifest.xml file is parsed at application install time, the package and the components it defines are registered with the system. This stops an installed app from being replaced by another app that claims the same package name, unless the new app is signed with the same key, which is what allows app updates. Understanding the AndroidManifest.xml file is key for Android mobile app security testing.

Activities

Activities, each a single screen with a user interface, are the main building blocks of GUI apps. An app can have multiple activities, and each activity can be started independently, potentially by a different app. Such exported activities are particularly important in Android mobile app security testing, since it is possible to pass an intent to an exported activity and reach parts of the app without authentication.

Services

Services are components that run in the background of the app without a user interface, e.g. downloading a file or playing music without blocking the UI. A service runs in its own process or in the context of another app's process. For Android mobile app security testing this matters because malicious apps can make use of the services exposed by other apps, e.g. location services.

Broadcast Receiver

A BroadcastReceiver is a component that responds to system-wide events called broadcasts. These originate either from the system (e.g. announcing changes in network connectivity) or from a user application. In the context of mobile app security testing, this would allow an attacker to do things such as send SMS messages to premium-rate numbers.
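To make the manifest rules above concrete, here is an added Python example (not from the original post, nor Codified Security's own tooling) that parses a constructed AndroidManifest.xml and lists the activities, services and receivers that other apps can reach. It applies the rule that a component is exported when android:exported is "true" or, when that attribute is absent, when the component declares an intent-filter; the package name, component names and permission string are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app) covering the cases that
# matter: explicit exported="true"/"false", implicit export through an
# <intent-filter>, and an exported component guarded by a permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    """Manifest rule: an explicit android:exported wins; otherwise a component
    that declares an <intent-filter> is exported by default (pre-API 31)."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml):
    """Return (kind, name, permission) for each component other apps can reach;
    permission None means any app on the device can send it an intent."""
    root = ET.fromstring(manifest_xml)
    return [(tag, attr(e, "name"), attr(e, "permission"))
            for tag in COMPONENT_TAGS
            for e in root.iter(tag) if is_exported(e)]

if __name__ == "__main__":
    for kind, name, perm in exported_components(SAMPLE_MANIFEST):
        print("%-8s %-18s %s" % (kind, name, perm or "NO PERMISSION"))
```

Components reported with no permission are the ones to review first, since any app on the device can send them an intent; the same check can be run over the decoded manifest of a real build.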

Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, or to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing in under a minute, try out Codified Security Instant.