Android Software Reverse Engineering & Decompilation

From APK to Exploit: Modifying Android Manifest for Privilege Escalation

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Android Manifest as an Attack Vector

The Android Manifest file (AndroidManifest.xml) is the control center of every Android application. It declares the app’s components, required permissions, hardware features, and other crucial metadata that the Android system needs to run the application correctly. While essential for defining an app’s functionality, a misconfigured or intentionally manipulated manifest can become a powerful attack vector, leading to security vulnerabilities such as privilege escalation or unauthorized component access. This guide delves into the technical process of decompiling an Android Application Package (APK), altering its manifest to expose sensitive components, and subsequently re-packaging, signing, and installing the modified application to demonstrate potential privilege escalation.

Understanding this process is vital for both penetration testers seeking to identify weaknesses and developers aiming to harden their applications against such attacks. By modifying the manifest, an attacker can bypass intended security restrictions, enabling access to internal activities, services, broadcast receivers, or even content providers that were designed to remain private.

Understanding the Android Manifest File (AndroidManifest.xml)

The AndroidManifest.xml file resides at the root of an Android application project. It’s a structured XML file that provides fundamental information about an app to the Android system. Key elements include:

  • <manifest>: The root element, defining the package name, Android API version, and other global attributes.
  • <application>: Contains declarations for all the application’s components.
  • <activity>, <service>, <receiver>, <provider>: Declare the app’s core components. Attributes like android:exported are crucial for security. Setting android:exported="true" makes a component accessible to other applications.
  • <uses-permission>: Declares permissions the app requires to access system resources or other app components.
  • <permission>: Defines custom permissions for protecting the app’s own components or data.
  • <intent-filter>: Specifies the types of intents an activity, service, or broadcast receiver can respond to.

Our focus for privilege escalation will primarily be on manipulating the android:exported attribute for components and potentially custom permissions, turning internally restricted components into publicly accessible ones.

Prerequisites and Tools

Before proceeding, ensure you have the following tools installed and configured on your system:

  • Java Development Kit (JDK): Required for keytool and jarsigner.
  • APKTool: A third-party tool for decompiling and recompiling Android APKs.
  • ADB (Android Debug Bridge): Part of the Android SDK Platform-Tools, used for interacting with Android devices.
  • A text editor: For modifying the AndroidManifest.xml file (e.g., VS Code, Sublime Text, Notepad++).
  • A target APK: For demonstration, we’ll use a hypothetical `target_app.apk`.

Step-by-Step: Manifest Manipulation for Privilege Escalation

Step 1: Decompiling the Target APK

The first step is to decompile the target APK file. APKTool will extract its resources and generate a human-readable AndroidManifest.xml along with Smali code for the application’s logic.

apktool d target_app.apk -o target_app_decompiled

This command creates a new directory named target_app_decompiled containing the decompiled files. Navigate into this directory to find AndroidManifest.xml.

Step 2: Identifying Potential Escalation Points

Open the AndroidManifest.xml file located in the decompiled directory. We are looking for components (activities, services, broadcast receivers) that are either implicitly or explicitly marked as non-exported (android:exported="false" or simply missing the attribute, which defaults to false for apps targeting API level 17 or higher when no intent filters are present). Components that perform sensitive operations but are not exported are prime targets.

Consider an activity that performs an administrative function or accesses sensitive user data, initially defined as:

<activity android:name=".SensitiveActivity" android:exported="false" />

This component cannot be launched by external applications. Our goal is to change this.

Step 3: Modifying AndroidManifest.xml for Exported Component

Locate the target component in AndroidManifest.xml. Change the android:exported attribute from "false" to "true". If the attribute is missing and you wish to expose it, explicitly add android:exported="true".

For our example, we modify .SensitiveActivity:

<activity android:name=".SensitiveActivity" android:exported="true" />

Save the modified AndroidManifest.xml file.

Step 4: Recompiling the Modified APK

Now, use APKTool to recompile the modified application back into an APK file. Ensure you are in the directory *above* target_app_decompiled.

apktool b target_app_decompiled -o modified_app.apk

This command creates modified_app.apk. Note that this APK is not yet signed and cannot be installed on an Android device.

Step 5: Signing the Recompiled APK

Android requires all applications to be digitally signed before they can be installed. Since we modified the original APK, its signature is now invalid. We need to sign our modified_app.apk with a new debug key.

First, generate a new keystore and key pair (if you don’t have one):

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Follow the prompts to create your keystore. Then, use jarsigner to sign the APK:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified_app.apk alias_name

You will be prompted for your keystore password.

Step 6: Zipaligning the APK

zipalign is an archive optimization tool provided with the Android SDK. It ensures that all uncompressed data starts at a particular alignment relative to the start of the file, allowing direct access of resource data from the APK by `mmap`. This significantly reduces RAM consumption and speeds up the application. An APK must be zipaligned to be accepted by the Android Package Manager for installation.

zipalign -v 4 modified_app.apk final_signed_aligned_app.apk

The -v flag provides verbose output, and 4 specifies the byte alignment. This creates the final, installable APK.

Step 7: Installing and Exploiting the Modified App

Uninstall the original application (if installed) to avoid signature conflicts. Then, install your newly signed and zipaligned APK:

adb install final_signed_aligned_app.apk

Once installed, you can now attempt to launch the previously protected .SensitiveActivity using adb shell am start:

adb shell am start -n com.example.targetapp/.SensitiveActivity

If successful, the `SensitiveActivity` will launch, demonstrating how modifying the manifest to change android:exported="true" allows unauthorized external access. This effectively constitutes a privilege escalation, as an external entity (like another app or an ADB user) can now invoke functionality intended only for internal use within the application.

Security Implications and Mitigation

This tutorial highlights a critical vulnerability often overlooked during development. Improper configuration of the android:exported attribute can lead to severe security risks, including:

  • Unauthorized Data Access: Sensitive activities or services that process user data can be invoked, potentially leaking information.
  • Component Hijacking: An attacker can launch and interact with an app’s internal components, disrupting its normal operation or injecting malicious data.
  • Permission Bypass: If an exported component performs actions requiring specific permissions, an attacker might indirectly gain those capabilities without being granted the permissions directly.

Developers must rigorously review their AndroidManifest.xml. Best practices include:

  • Always explicitly set android:exported="false" for components not intended for external interaction.
  • Use custom permissions (<permission> and <uses-permission>) to protect sensitive exported components, requiring other apps to declare and be granted those permissions.
  • Implement robust input validation and authorization checks within all components, especially those that are exported.
  • Regularly use static analysis tools to audit manifest configurations.

Conclusion

The Android Manifest, while seemingly a simple configuration file, holds immense power over an application’s security posture. By understanding how to decompile, modify, recompile, and sign an APK, security researchers and developers can uncover and mitigate critical privilege escalation vulnerabilities. This exercise underscores the importance of meticulously configuring the android:exported attribute and employing layered security mechanisms within Android applications to prevent unauthorized access to sensitive functionalities.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #AndroidManifest.xml #APK Reverse Engineering #Mobile Hacking #Privilege Escalation

Related Technical Guides

Bypass Android Root Detection: A Practical Guide to Smali Patching & APK Modification

May 29, 2026

Advanced APK Reversing: Understanding and Bypassing Signature Protections in Hardened Apps

May 29, 2026

Beyond ProGuard: Analyzing Custom Smali Obfuscation in Android Malware Samples

May 29, 2026