Android Software Reverse Engineering & Decompilation

RE Lab: Unleashing Hidden Functionality by Manipulating Android Manifest Permissions


Introduction to Android Manifest and Permissions

The Android Manifest file, AndroidManifest.xml, is the heart of every Android application. It acts as a blueprint, providing essential information about the application’s structure, components (activities, services, broadcast receivers, content providers), required permissions, hardware features, and more, to the Android operating system. Without a properly structured manifest, an Android application cannot run.

Central to Android’s security model are permissions. Applications must explicitly declare the permissions they need to access sensitive user data or system resources, such as the internet, contacts, or the camera. Normal permissions are granted automatically at install time; dangerous permissions (contacts, location, camera and the like) are granted or denied by the user at runtime on Android 6.0 and later; signature-level permissions are granted only to apps signed with the same key as the app that declared them. Permissions are designed to protect user privacy and system integrity, but they also define the operational boundaries of an application, and the manifest is where those boundaries are declared.

The Art of Manifest Manipulation for Security Bypass

Why Manipulate the Manifest?

Manifest manipulation is a powerful technique in Android reverse engineering and security research. It allows an analyst to alter the declared capabilities and restrictions of an application without access to its source code. This can be done for several reasons:

  • Bypassing Restrictions: An application might have components (e.g., an activity or service) that are intentionally unexported or protected by specific permissions, preventing external applications (or even internal parts of the same app under certain conditions) from invoking them. By modifying the manifest, these restrictions can be lifted.
  • Enabling Hidden Features: Developers sometimes include dormant or experimental features that are not publicly accessible. Adjusting the manifest can sometimes expose these hidden functionalities by changing component visibility or altering flags.
  • Security Research: Understanding how an application behaves with altered permissions can reveal vulnerabilities, unintended access paths, or design flaws.
  • Customization/Modding: For personal use (within legal and ethical boundaries), users might want to modify an app’s behavior or enable certain debug capabilities.

Ethical Considerations

It’s crucial to approach manifest manipulation with a strong ethical compass. Modifying applications without proper authorization, especially proprietary software, can infringe on intellectual property rights and potentially lead to legal consequences. This guide is intended purely for educational purposes, security research, and personal understanding of application behavior, always within legal and ethical frameworks, and ideally on applications you own or have explicit permission to modify.

Tools of the Trade

To perform manifest manipulation, you’ll need a few essential tools:

  • apktool: An indispensable tool for decompiling and recompiling Android APKs. It handles the conversion between APKs and Smali code/resources, including the AndroidManifest.xml.
  • keytool (part of the JDK): Used to generate a keystore holding a self-signed certificate.
  • apksigner and zipalign (part of the Android SDK Build Tools): apksigner signs the recompiled APK with the v2/v3 signature schemes that apps targeting Android 11 (API 30) or later must carry; zipalign aligns the archive before signing. jarsigner (part of the JDK) only produces the legacy v1 JAR signature. Android requires every application to be signed before it can be installed.
  • adb (Android Debug Bridge): For pulling, installing, uninstalling, launching and debugging applications on an Android device or emulator.
  • Text Editor: Any standard text editor (e.g., VS Code, Notepad++, Sublime Text) to modify the XML file.

Step-by-Step Guide: Bypassing Restrictions via Manifest Modification

Scenario: Enabling a Restricted Activity

Consider a hypothetical scenario where an application has a developer-only debugging activity. This activity is present in the application’s code but is marked android:exported="false", protected by a custom permission, or both, so that neither other apps nor the shell behind adb can start it. Our goal is to enable this activity. Note that since Android 12, any component with an intent filter must state android:exported explicitly or the APK will not install, so the attribute is now present on many components that older apps left implicit.

Step 1: Obtain and Decompile the APK

First, get the APK file of the target application. If the app is installed on a device you control, find its on-device path with adb shell pm path followed by the package name, then copy it out with adb pull; an app delivered as split APKs (a base APK plus configuration splits) has to be pulled and reinstalled as a set. Once you have the APK, decode it with apktool:

apktool d myapp.apk -o myapp_decompiled

This command will create a directory named myapp_decompiled containing the decompiled resources, Smali code, and the crucial AndroidManifest.xml file.

Step 2: Analyze the AndroidManifest.xml

Navigate to the myapp_decompiled directory and open AndroidManifest.xml in your text editor. You’ll need to locate the target activity. Look for <activity> tags within the <application> tag. Pay close attention to attributes like android:exported and android:permission.

An example of a restricted activity might look like this:

<activity android:name="com.example.myapp.DebugActivity" android:exported="false" android:permission="com.example.myapp.permission.DEBUG_ACCESS" />

Here, android:exported="false" prevents any other process, including the shell behind adb, from starting the activity; an attempt fails with a "Permission Denial: starting Intent ... not exported" error. android:permission is a second gate that applies even when the activity is exported: the caller must hold com.example.myapp.permission.DEBUG_ACCESS.

Step 3: Modify the Manifest

To enable the DebugActivity, we need to change its attributes. Modify the relevant lines as follows:

<activity android:name="com.example.myapp.DebugActivity" android:exported="true" />

We changed android:exported to "true" and removed the android:permission attribute, so no permission is required to launch the activity. The <permission> element that declares DEBUG_ACCESS elsewhere in the manifest can stay. Requesting the permission from a separate launcher app only works if its protectionLevel allows it: a signature-level custom permission is granted only to apps signed with the original developer’s key, so for a test app of your own, removing the attribute is the only practical route.

Save the modified AndroidManifest.xml file.
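The inspection and edit from Steps 2 and 3 can be scripted instead of done by hand, since apktool writes the manifest as plain XML. The following is an added example and not code from the original article. It goes a little beyond the steps above: it handles services, receivers and providers the same way as activities, reports the protectionLevel of custom permissions (which tells you whether requesting the permission from your own app could ever work), and can also declare extra <uses-permission> entries of the kind discussed under "Adding New Permissions". SAMPLE_MANIFEST is constructed for the demo, and com.example.myapp and its component names are hypothetical.

```python
"""Find and expose protected components in an apktool-decoded AndroidManifest.xml.

Added example, not code from the original article. SAMPLE_MANIFEST is a
constructed stand-in for the file apktool writes; package and component
names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <permission android:name="com.example.myapp.permission.DEBUG_ACCESS"
        android:protectionLevel="signature"/>
    <application android:label="MyApp">
        <activity android:name="com.example.myapp.MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.myapp.DebugActivity"
            android:exported="false"
            android:permission="com.example.myapp.permission.DEBUG_ACCESS"/>
        <service android:name="com.example.myapp.SyncService" android:exported="false"/>
    </application>
</manifest>
"""


def _android(name):
    """Clark-notation key for an android:-namespaced attribute."""
    return f"{{{ANDROID_NS}}}{name}"


def find_protected_components(manifest_xml):
    """List (tag, name, exported, permission) for every component that is
    either not exported or gated by a permission. exported is None when the
    attribute is absent; the default then depends on intent filters and SDK."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, perm = elem.get(_android("exported")), elem.get(_android("permission"))
        if exported == "false" or perm:
            found.append((elem.tag, elem.get(_android("name")), exported, perm))
    return found


def custom_permission_levels(manifest_xml):
    """Map each <permission> the app declares to its protectionLevel. A
    signature-level permission cannot be obtained by an app signed with a
    different key, so removing android:permission is the only way in."""
    root = ET.fromstring(manifest_xml)
    return {p.get(_android("name")): p.get(_android("protectionLevel"))
            for p in root.findall("permission")}


def expose_component(manifest_xml, component_name, uses_permissions=()):
    """Return a rewritten manifest in which the named component is exported
    and no longer requires a permission, with any missing <uses-permission>
    entries from uses_permissions inserted before <application>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    targets = [e for e in app if e.tag in COMPONENT_TAGS
               and e.get(_android("name")) == component_name]
    if not targets:
        raise ValueError(f"component not found: {component_name}")
    for target in targets:
        target.set(_android("exported"), "true")
        target.attrib.pop(_android("permission"), None)  # drop the permission gate

    declared = {u.get(_android("name")) for u in root.findall("uses-permission")}
    insert_at = list(root).index(app)
    for perm in uses_permissions:
        if perm in declared:
            continue  # already requested; do not duplicate
        elem = ET.Element("uses-permission")
        elem.set(_android("name"), perm)
        root.insert(insert_at, elem)
        insert_at += 1
        declared.add(perm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for tag, name, exported, perm in find_protected_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name}  exported={exported}  permission={perm}")
    print(custom_permission_levels(SAMPLE_MANIFEST))
    print(expose_component(SAMPLE_MANIFEST, "com.example.myapp.DebugActivity",
                           ["android.permission.WRITE_EXTERNAL_STORAGE"]))
```

To use it on a real decode, read myapp_decompiled/AndroidManifest.xml, pass the text through expose_component and write the result back before running apktool b. ElementTree reflows attribute layout but keeps every element, so apktool rebuilds from the result as it would from a hand-edited file.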

Step 4: Recompile the APK

Now, use apktool to recompile the modified application back into an APK:

apktool b myapp_decompiled -o myapp_modified.apk

This command will generate myapp_modified.apk in the current directory. apktool emits an unsigned archive, so it cannot be installed yet.

Step 5: Sign the Recompiled APK

Android requires all APKs to be digitally signed before installation. Recompiling discarded the original signature, and we do not hold the developer’s key, so we sign with a key of our own. First, generate a keystore:

keytool -genkey -v -keystore debug.keystore -alias debug_alias -keyalg RSA -keysize 2048 -validity 10000

Follow the prompts to set passwords and provide certificate information. Next, align the archive. With apksigner the alignment has to happen before signing, because the v2/v3 signature covers the whole file and re-aligning afterwards invalidates it:

zipalign -f -p 4 myapp_modified.apk myapp_aligned.apk

Then sign the aligned APK:

apksigner sign --ks debug.keystore --ks-key-alias debug_alias --out myapp_signed.apk myapp_aligned.apk

You will be prompted for the keystore password. Verify the result and print the signing certificate:

apksigner verify --verbose --print-certs myapp_signed.apk

jarsigner still works for older targets, but it only produces a v1 (JAR) signature, which Android 11 rejects for apps targeting API 30 or later, and the SHA1withRSA/SHA1 algorithms found in older guides are deprecated. If you must use it, pick SHA-256 and run zipalign after signing, since the v1 signature does not cover the archive layout:

jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore debug.keystore myapp_modified.apk debug_alias
zipalign -f -p 4 myapp_modified.apk myapp_signed.apk

Either way, the file to install is myapp_signed.apk.

Step 6: Install and Test

Before installing the modified APK, uninstall the original application if it is already on the device. Android refuses to update an installed package with an APK signed by a different key (the install fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE). Uninstalling also deletes the app’s data, so save anything you need from it first:

adb uninstall com.example.myapp

Now, install your modified and signed APK:

adb install myapp_signed.apk

If the installation is successful, you can now attempt to launch the previously restricted activity. You can do this using adb shell am start:

adb shell am start -n com.example.myapp/.DebugActivity

If your manifest modifications were successful, the DebugActivity should now launch. You can observe its behavior and any logs using adb logcat.
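Steps 4 to 6 are a fixed sequence whose order matters (align before apksigner, uninstall before install), so they are worth driving from a script. The following is an added example, not the article’s own tooling. It assumes apktool, zipalign, apksigner and adb are on PATH, that debug.keystore was created with keytool as in Step 5, and it reuses the article’s hypothetical file, package and activity names; run_plan(..., dry_run=True) only prints the commands.

```python
"""Rebuild, sign and install a modified APK, then launch the exposed activity.

Added example, not the article's own script. Assumes apktool, zipalign,
apksigner and adb are on PATH and that debug.keystore exists (Step 5).
File, package and activity names are the article's hypothetical ones.
"""
import subprocess
import sys


def component_spec(package, class_name):
    """Build the -n argument for `am start`: a class inside the app's own
    package may be abbreviated to a leading dot, anything else must be fully
    qualified."""
    if class_name.startswith(package + "."):
        return f"{package}/.{class_name[len(package) + 1:]}"
    return f"{package}/{class_name}"


def plan_rebuild(decoded_dir, keystore, alias, package, activity,
                 unsigned="myapp_modified.apk", aligned="myapp_aligned.apk",
                 signed="myapp_signed.apk"):
    """Return the ordered argv list for Steps 4-6. zipalign must precede
    apksigner (the v2/v3 signature covers the whole archive), and the old
    install must go before the new one (different signing key)."""
    return [
        ["apktool", "b", decoded_dir, "-o", unsigned],
        ["zipalign", "-f", "-p", "4", unsigned, aligned],
        ["apksigner", "sign", "--ks", keystore, "--ks-key-alias", alias,
         "--out", signed, aligned],
        ["apksigner", "verify", "--verbose", "--print-certs", signed],
        ["adb", "uninstall", package],
        ["adb", "install", signed],
        ["adb", "shell", "am", "start", "-n", component_spec(package, activity)],
    ]


def run_plan(commands, dry_run=False):
    """Execute the plan in order and stop at the first failure. stdin/stdout
    are inherited so apksigner can prompt for the keystore password.
    `adb uninstall` fails when the package is not installed; that is fine."""
    for argv in commands:
        print("$", " ".join(argv))
        if dry_run:
            continue
        result = subprocess.run(argv)
        if result.returncode != 0 and argv[:2] != ["adb", "uninstall"]:
            sys.stderr.write(f"{argv[0]} failed with exit code {result.returncode}\n")
            raise RuntimeError(" ".join(argv))
    return True


if __name__ == "__main__":
    plan = plan_rebuild("myapp_decompiled", "debug.keystore", "debug_alias",
                        "com.example.myapp", "com.example.myapp.DebugActivity")
    run_plan(plan, dry_run="--dry-run" in sys.argv)
```

After the last command, watch adb logcat for the activity’s output; if the launch still reports a permission denial, the manifest edit did not survive the rebuild and the decoded AndroidManifest.xml should be rechecked before running the plan again.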

Advanced Manifest Modifications

Adding New Permissions

Beyond modifying existing components, you can also declare permissions that the original application did not request. This is useful if you have added functionality to the Smali code that needs them (e.g. internet access or storage writes). Add <uses-permission> elements as direct children of <manifest>, conventionally before <application>:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

Declaring a dangerous permission such as WRITE_EXTERNAL_STORAGE only makes it requestable; on Android 6.0 and later it still has to be granted at runtime, which for testing you can do from the host with adb shell pm grant followed by the package and permission names. Signature and privileged permissions cannot be obtained this way at all, because the rebuilt app is signed with your key rather than the platform’s.

Modifying Content Providers/Services

The principles applied to activities extend to the other application components: services, broadcast receivers and content providers. Changing android:exported on a service or provider lets other applications bind to it or query it, potentially exposing data or functionality that was meant to stay internal; providers additionally carry android:readPermission and android:writePermission, which gate access separately from android:permission. Always understand what a component does before exposing it, and test such changes only on a device or emulator you control.

Conclusion

Manipulating the Android Manifest file is a fundamental skill in reverse engineering and mobile security. It provides a direct means to alter the declared capabilities and security posture of an Android application, enabling researchers to uncover hidden features, bypass restrictions, and deeply analyze app behavior. While incredibly powerful, this technique demands a thorough understanding of Android’s security model and a commitment to ethical use. By mastering tools like apktool and understanding the nuances of the AndroidManifest.xml, you gain profound insight into how Android applications function and how their security can be both enforced and, in controlled environments, circumvented for analysis.
