Part of my presentation at this year’s Rochester Security Summit on Android security, included a reference to a tool that would help automate the process of detecting insecure app’s on Android devices. This was basically my research into how effective analyzing the AndroidManifest.xml file was at detecting insecurities in an app.
It turns out that if you think about it, there’s probably a lot of ways you can screw up an app by putting wrong values in the the manifest file. Hopefully you remember that the AndroidManifest.xml is the file included inside of all APK’s that defines what permissions the app requires along with defining some of the operating parameters. For instance, if you wanted to create a content provider, you would make something like this:
<provider android:name=".provider.DropboxProvider" android:authorities="com.dropbox.android.Dropbox"> <grant-uri-permission android:pathPrefix="/" /> </provider>
But what is that grant-uri-permission gibberish, right? In this case, it means that anything that is located in a path that starts with “/” is able to access the provider. Probably not so good if you’re storing sensitive information in it like DropBox was doing.
That’s just one example but here are some others to consider:
- Leaving debug mode enabled
- Granting incorrect read or write permissions to a service, receiver, or provider
- Setting a high intent priority (read also malware)
- Setting a hidden dialer using the “android_secret_code” feature
How effective is this:
This isn’t a complete way of analyzing an Android device by any means, but here’s a few examples where it could have helped. Do you remember the DropBox post I made a couple months ago? That flaw that was caused by incorrect permissions in the AndroidManifest.xml was a good example that’s very easy to detect.
How about the HTCLogger hub bub. Could we have detected these problems by analyzing the manifest file? No – not really. But it would have picked up the fact that it was registering a hidden dialer code so when you would dial *#*#482564#*#* a hidden menu would appear giving you access to its settings.
In summary, we’ve found that analyzing Android’s manifest file is effective to give you a summary of items that need to be reviewed, and it’s very effective when you need to analyze a large quantity of apps in a short period of time. It isn’t very good at truly performing a vulnerability scan on an app, but it will pull up some items of interest. When you’re testing a device for app’s that are insecure, there may be hundreds installed and this technique is pretty good at flagging ones that you should pay attention to and then allow you to follow up with some of the manual techniques.
Manitree: AndroidManifest.xml Device Auditing Tool
Manitree is a tool that will review an AndroidManifest.xml file, APK package, or an entire device(or devices) for insecure values in the AndroidManifest.xml file.
Usage: manitree.py -f [MANIFESTFILE | APKFILE] | -D Options: --version show program's version number and exit -h, --help show this help message and exit -f INPUTFILE path to AndroidManifest.xml or APK (e.g. /home/user/com.something.apk, ./ Device Mode Options: -D Device Mode: Perform a full test on a device -d Download from a physical device.(Device mode only) -e Download from an emulated device.(Device mode only) --path=TMPPATH Set path of where files are temporarily downloaded. (Default /tmp/AT) -u Test only user apps Output Options: -T OUTPUTTXT Save results to a text file (defaults to console) -H OUTPUTHTML Save results to HTML (defaults to console) Debug Options: -v Display verbose output -q Quiet mode -t Test mode. Check to see that environment has been setup
Device Test Mode:
Look for connected devices and download all of the APK’s for processing:
Test only the emulators:
./manitree.py -D -e
Test only user apps:
./manitree.py -D -u
Test multiple devices:
./manitree.py -D -u 1: HT12345688 2: emulator-5554 3: emulator-5556 4: emulator-5558
More than one device found.
Select which device to use or A to test all the devices: A
Individual File Mode:
If you’re already extracted the manifest file, you can review it like so:
./manitree.py -f AndroidManifest.xml
If you haven’t extracted it, you can just give it an APK and it will extract if for you:
./manitree.py -f com.intrepidusgroup.app.apk
Same idea as above but if you’ve already downloaded a large pile of APK’s, you can analyze them at once:
./manitree.py -f apks/
run a report on a previous test:
run a report on a specific device:
./reporter.py -D HTCS000001
run a report on a specific package and filter only high findings:
./reporter.py -P com.intrepidusgroup.app -r high
- Linux (soon MacOSX)
- Python 2.6+
- adb (included)
- AXMLPrinter2.jar (included)
The tool is open source and hosted on GitHub:https://github.com/antitree/manitree
You can also just download the latest tar ball from here: [download id="275"]
Published date:  21 November 2011
Written by:  mmanning