Android is one among the most popular mobile Operating system of the present day. Every day numerous applications are getting added to the Application market. But these applications are not scrutinized to expose the security flaws posed by them. This in turn is increasing the security threats an android phone faces due the applications installed in it.
This article intends to explain briefly the components of an application and different tools and methods to analyze an application.
In Android, each application runs in the context of its own user. Hence each application has its own UID and GID. An exception is in the case where shared UIDs are used. So Android basically uses a kind of UNIX sandboxing method to run its applications. By this, application resource isolation is achieved. ie, each application gets its own area of file system where it can write its own private data.
Snapshot showing applications running under different users
If application 1 tries to access data of application 2, this will be explicitly denied because of the UNIX permissions. One exception to this is when an application 2 writes its data using world readable flag, by which application 1 would be able to read application 2’s data.
Application 1 cannot access data of Application 2 because of Application Sandboxing
All the configuration parameters and the security parameters of an application are defined in a file called AndroidManifest.xml. This file is particularly important when we consider communication across sandbox. Android application uses IPC mechanisms to communicate across these sandboxes. In the AndroidManifest.xml file, programmer specifies which endpoints that one wants to export or not.
Components of an Android Application
The components of an Android Application are
It is the visual element of an application. This is what we see when we open that particular application.
They are the background workers. They provide no user interface. They are usually used to perform long running tasks.
3. Broadcast Receivers
This is used to get notified of the system and application events. This works as an event driven nature, for example, if one wants to get notified when a message is sent, or when the screen is turned on, he can use these Broadcast Receivers.
4. Content Providers
It is the data store house of an application. It is similar to SQL database. It consists of methods that are similar to SQL queries.
Before the Android system can start an application component, the system must know that the component exists by reading the application’s AndroidManifest.xml file (the “manifest” file). Your application must declare all its components in this file, which must be at the root of the application project directory.
The manifest does a number of things in addition to declaring the application’s components, such as:
- Identify any user permissions the application requires, such as Internet access or read access to the user’s contacts.
- Declare the minimum API Level required by the application, based on which APIs the application uses.
- Declare hardware and software features used or required by the application, such as a camera, bluetooth services, or a multitouch screen.
- API libraries the application needs to be linked against (other than the Android framework APIs), such as the Google Maps library.
The primary task of the manifest is to inform the system about the application’s components.
In the <application> element, the android:icon attribute points to resources for an icon that identifies the application.
In the <activity> element, the android:name attribute specifies the fully qualified class name of the Activity subclass and the android:label attributes specifies a string to use as the user-visible label for the activity.
You must declare all application components this way:
- <activity> elements for activities
- <service> elements for services
- <receiver> elements for broadcast receivers
- <provider> elements for content providers
Activities, services, and content providers that you include in your source but do not declare in the manifest are not visible to the system and, consequently, can never run. However, broadcast receivers can be either declared in the manifest or created dynamically in code (as BroadcastReceiver objects) and registered with the system by calling registerReceiver()