Android Software Reverse Engineering & Decompilation

Reverse Engineering AndroidManifest.xml: Decoding Permissions, Services, and Receivers for Exploits

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Blueprint of an Android Application

The AndroidManifest.xml file is the foundational blueprint of every Android application. It serves as a central configuration file, declaring the application’s core components (activities, services, broadcast receivers, and content providers), required permissions, hardware features, API levels, and much more. For reverse engineers and security researchers, analyzing this file is often the first and most critical step in understanding an application’s architecture, identifying potential attack surfaces, and uncovering vulnerabilities.

While the manifest is stored in a binary XML format within an APK, tools like apktool can effortlessly decompile it into a human-readable XML. This guide delves deep into the systematic analysis of the AndroidManifest.xml, specifically focusing on how to decode permissions, services, and receivers to identify potential exploits.

Tools of the Trade: Decompiling the Manifest

Before we can analyze the manifest, we need to extract and decompile it. Apktool is the industry standard for this task.

Step-by-Step Decompilation:

  1. Download the APK: Obtain the target APK file.
  2. Install Apktool: Ensure apktool is installed and configured on your system.
  3. Decompile the APK: Execute the following command in your terminal: 
    apktool d target.apk -o decompiled_app

    This command will create a new directory named decompiled_app containing all the decompiled resources, including the human-readable AndroidManifest.xml.

  4. Locate the Manifest: Navigate to the decompiled_app directory and open the AndroidManifest.xml file in your preferred text editor.

Decoding Permissions: Understanding Application Capabilities

Permissions are crucial for an app’s security model, controlling its access to sensitive resources and operations. The manifest declares both permissions an app requires (<uses-permission>) and permissions an app defines (<permission>).

1. Requested Permissions (<uses-permission>):

These specify what capabilities the app needs from the Android system or other applications. Pay close attention to dangerous permissions (e.g., READ_SMS, CAMERA, WRITE_EXTERNAL_STORAGE) and their necessity. Over-privileged apps often request more permissions than required for their legitimate functionality, increasing their attack surface.

<uses-permission android:name="android.permission.INTERNET"/><uses-permission android:name="android.permission.READ_SMS"/><uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>

2. Defined Permissions (<permission>):

Applications can define their own custom permissions to protect their components. Understanding these is vital, especially the android:protectionLevel attribute:

  • normal: Low-risk, granted automatically.
  • dangerous: High-risk, requires user consent.
  • signature: Only granted to apps signed with the same certificate.
  • signatureOrSystem: Granted to apps signed with the same certificate or system apps.

Custom permissions with normal or dangerous protection levels, if not properly enforced, can be exploited by malicious apps to access sensitive functionalities of the target app.

<permission    android:name="com.example.myapp.MY_CUSTOM_PERMISSION"    android:protectionLevel="dangerous" />

Analyzing Exported Components for Vulnerabilities

The primary vector for inter-application communication vulnerabilities lies in exported components. The android:exported="true" attribute in <activity>, <service>, <receiver>, and <provider> tags indicates that the component is accessible by other applications. Without proper permission enforcement, this can lead to serious security flaws.

1. Activities:

An exported activity (android:exported="true") can be launched by any other application. If this activity handles sensitive data or performs critical operations without adequate input validation or authorization checks, it can be abused. Deep linking vulnerabilities often fall into this category.

<activity    android:name="com.example.myapp.SensitiveActivity"    android:exported="true">    <intent-filter>        <action android:name="com.example.myapp.ACTION_VIEW_SECRET"/>        <category android:name="android.intent.category.DEFAULT"/>    </intent-filter></activity>

An attacker could craft an intent to launch SensitiveActivity, potentially bypassing authentication or accessing privileged functionalities.

2. Services:

Exported services (android:exported="true") can be started or bound to by other applications. If a service performs sensitive operations or exposes an unprotected API, a malicious app can interact with it, initiating actions or extracting data. The <intent-filter> tag within a service declaration specifies what intents it can respond to.

<service    android:name="com.example.myapp.DataProcessingService"    android:exported="true">    <intent-filter>        <action android:name="com.example.myapp.ACTION_PROCESS_DATA"/>    </intent-filter></service>

An attacker could send an intent to ACTION_PROCESS_DATA, potentially feeding malicious input or triggering unintended actions.

3. Broadcast Receivers:

Exported broadcast receivers (android:exported="true") listen for system-wide or custom broadcasts. If a receiver processes sensitive information from incoming broadcasts or performs privileged actions without proper sender validation, it can be vulnerable to broadcast intent hijacking or denial-of-service attacks.

<receiver    android:name="com.example.myapp.SecretDataReceiver"    android:exported="true">    <intent-filter>        <action android:name="com.example.myapp.ACTION_SECRET_BROADCAST"/>    </intent-filter></receiver>

A malicious application could send a broadcast with ACTION_SECRET_BROADCAST, spoofing legitimate data or triggering the receiver’s functionality maliciously.

Note on android:permission attribute: Even if a component is exported, the presence of android:permission="<permission_name>" restricts access to only those applications holding the specified permission. This is a crucial security control, and its absence on an exported component is a red flag.

4. Content Providers:

Content providers manage access to structured data. If a content provider is exported (implicitly or explicitly via android:exported="true"), other applications can query, insert, update, or delete data through it. Lack of proper read/write permissions (android:readPermission, android:writePermission) on an exported provider can lead to data leakage or unauthorized data manipulation.

<provider    android:name="com.example.myapp.MyContentProvider"    android:authorities="com.example.myapp.provider"    android:exported="true"    android:readPermission="com.example.myapp.READ_DATA" />

If READ_DATA is a weak permission (e.g., normal protection level or absent), an attacker could read sensitive data.

Practical Exploitation Scenario: Uncovering a Vulnerable Service

Let’s walk through an example. Suppose we decompile an APK and find the following snippet in its AndroidManifest.xml:

<service    android:name="com.vulnerableapp.SensitiveOperationService"    android:exported="true" >    <intent-filter>        <action android:name="com.vulnerableapp.ACTION_PERFORM_SENSITIVE_TASK"/>    </intent-filter></service>

Here, SensitiveOperationService is explicitly exported (android:exported="true"), and there’s no android:permission attribute specified. This immediately indicates a potential vulnerability. Any application on the device can start this service and invoke the ACTION_PERFORM_SENSITIVE_TASK action.

Crafting an Exploit Intent:

An attacker could write a simple Android app containing the following code to exploit this:

Intent intent = new Intent("com.vulnerableapp.ACTION_PERFORM_SENSITIVE_TASK");intent.setComponent(new ComponentName("com.vulnerableapp", "com.vulnerableapp.SensitiveOperationService"));startService(intent);

By sending this intent, the malicious app can trigger the SensitiveOperationService without any authorization. The impact depends on what SensitiveOperationService actually does (e.g., deletes files, sends network requests, reveals user data). Further Java code analysis would be required to understand the full extent of the vulnerability.

Conclusion

The AndroidManifest.xml is far more than just a configuration file; it’s a security manifest that reveals critical information about an application’s design and potential weaknesses. By meticulously analyzing permissions, and the export status of activities, services, receivers, and content providers, reverse engineers can uncover attack vectors that might otherwise remain hidden. Always remember that android:exported="true" without a corresponding android:permission attribute is a red flag, inviting deeper scrutiny into the component’s implementation for potential exploits.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #AndroidManifest #App Vulnerabilities #Exploitation #Reverse Engineering

Related Technical Guides

Binary Patching Android Native Libraries (.so files): Beyond Smali & Dalvik

May 29, 2026

Beyond the Basics: Advanced Strategies for Evading Android Emulator Detection

May 30, 2026

Under the Hood of Xposed: Exploring ART Hooking and Runtime Method Swizzling

May 30, 2026