Deny permissions requested by Android applications
Android developers sometimes, knowingly or unknowingly, request more permissions than their applications need. This is a potential threat to the security of your phone, because an application holding permissions it does not need is always a risk. You may have wondered why a simple game requests dangerous-looking permissions such as “Services that cost you money”, “Your personal information”, “Phone calls”, “Your location” or “Network communication”, and you may even have decided against installing an application because of them. The AAVST tool lets users deny some of the permissions an application asks for and still run the application.
The following screenshot depicts this. The application is a popular car game available for download from Android application markets. It asks for the permissions Storage, Network communication, Phone calls, and System tools. ‘Storage’ is needed to store scores on the SD card. ‘Network communication’ is needed to display advertisements and for some extra in-game options such as collecting extra coins (which most people do not use). It also asks for the ‘Phone calls’ permission, which is very odd. ‘System tools’ is used to keep the system from sleeping while the game is being played. So of the four dangerous permissions it asks for, only two are required for the application to run; the other two can be denied with the AAVST tool before installing it on your Android device. In the screenshot, the left half shows the original application and the right half the application modified with the AAVST tool.
The following screenshots show the original and the modified application at runtime: the upper half is the original application and the lower half the modified one. As the screenshots make clear, the application works without problems. The only visible difference is that the original application shows advertisements, while the modified application shows an error message in their place saying that the Internet permission needed to display the advertisement is not available. The game also has an option to collect extra coins by paying money; in the modified application this also fails with an error, because that permission has been disabled. Disabling it is safe, and especially useful if your kids are using your Android device.
As the screenshot below shows, once the application has been modified an error message is displayed instead of the advertisement. The message affects neither the performance of the game nor the fun it offers. The tool improves the security of your device and saves your bandwidth by blocking unnecessary advertisements. By blocking unwanted permissions it also protects sensitive data, and so removes a possible route to loss of money.
The following steps explain how to deny permissions requested by Android applications using the AAVST tool.
Step 1: Run the AAVST tool
From the command prompt, go to the directory containing ScanAndroidApps.jar and run ‘java -jar ScanAndroidApps.jar’.
You should now see the following screen. If not, go back to the previous article and complete the installation and configuration of the tool.
Step 2: Decompile Application
Select the ‘Decompile Application’ option from the home page. There you can select the APK you want to decompile and the destination directory for the decompiled application.
After decompiling, the output directory contains the decompiled components: AndroidManifest.xml, the resources, the source code as smali files, and so on. The following screenshot shows the output directory of the decompiled application. Make sure you get this far before continuing.
Step 3: Static Analysis
Select ‘Static Analysis’ from the home page. Select the decompiled directory of the application and press the Scan button. Now select the ‘Uses Permission’ radio button; here you can see the list of permissions the application asks for. Disable the permissions that you do not want the application to possess. Once done, click the Update button. Finish this step by clicking ‘Re-Build apk’, which builds the APK of the modified application.
Step 4: Generate Key
Only signed APKs will install on an Android device, so once we rebuild an application we must sign it before it can be deployed to a device. This step generates the key required to sign the APK. If you already have a valid key, you can skip this step. Here you give the parameters needed to generate a keystore; a keystore can contain multiple keys. Most of the fields are self-explanatory, and a brief description of each field appears when you hold the mouse pointer over it. Once you have filled in all the fields, click the ‘Generate Certificate’ button to finish this step.
Step 5: Signing the APK
Select the application and the keystore containing the key that will sign it. Give the key name (alias), the keystore password and the key password. Click the ‘Sign APK’ button to sign the APK and make it ready for installation on an Android device.
Step 6: Install the application to an Android device
Copy the modified APK to your device and install it. You have saved some bandwidth and protected your device from some of the security threats.
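What the ‘Uses Permission’ step of the procedure above does to the decompiled application is an edit of AndroidManifest.xml: each permission you disable is a <uses-permission> element removed before the APK is rebuilt. The following Python script is an added example of that edit, written for this article; it is not part of the AAVST tool. It assumes the manifest is in the readable XML form that the decompile step produces, and the sample manifest, its package name and the four permission names in it are constructed for the example to mirror the car game discussed above (storage, network, phone calls, keep-awake); they are not taken from any real application.

```python
"""Remove selected <uses-permission> entries from a decompiled
AndroidManifest.xml. Example code added for this article; it is not
the AAVST tool's own code, and the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Attribute names in the android: namespace appear as {uri}name to ElementTree.
NAME_ATTR = f"{{{ANDROID_NS}}}name"
# Keep the 'android:' prefix when the tree is serialised again instead of ns0:.
ET.register_namespace("android", ANDROID_NS)

# Constructed manifest (not from a real app): the four permissions discussed
# in the article under the names they carry in a manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cargame">
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Car Game"/>
</manifest>
"""


def list_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names the application requests, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def deny_permissions(manifest_xml: str, denied: set[str]) -> tuple[str, list[str]]:
    """Drop every <uses-permission> whose android:name is in `denied`.

    Returns the rewritten manifest text and the names actually removed.
    A name in `denied` that the manifest never requested raises, so a typo
    cannot silently leave a permission in place.
    """
    root = ET.fromstring(manifest_xml)
    removed = []
    for el in list(root.findall("uses-permission")):
        name = el.get(NAME_ATTR)
        if name in denied:
            root.remove(el)
            removed.append(name)
    missing = denied - set(removed)
    if missing:
        raise ValueError(f"not requested by this manifest: {sorted(missing)}")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, removed


if __name__ == "__main__":
    print("requested:", list_permissions(SAMPLE_MANIFEST))
    # Keep storage and wake-lock (needed for scores and to stay awake);
    # deny network (ads, paid coins) and phone calls, as in the article.
    new_xml, removed = deny_permissions(
        SAMPLE_MANIFEST,
        {"android.permission.INTERNET", "android.permission.CALL_PHONE"},
    )
    print("removed:", removed)
    print("remaining:", list_permissions(new_xml))
    print(new_xml)
```

The rewritten manifest is what gets packaged at the ‘Re-Build apk’ step; code in the app that still calls a network API then fails at runtime, which is the error message shown in place of the advertisement above. One check worth keeping in mind: because the rebuilt APK is signed with your own key rather than the publisher's, Android treats it as a different signer, so it will not install as an update over a copy installed from the store and must replace it.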