Extract, gather and analyze information from an Android Manifest file or an APK.
What’s AMAnDe#
AMAnDe stands for Android Manifest Anomaly Detector. It’s a new tool whose objective is to extract and gather information from an Android Manifest. When we deal with huge Manifests, it is often difficult to get all relevant datas (like deeplink URIs, exported provider, etc.) With AMAnDe all of this information is deeply analyzed and presented to you in a simple manner.
AMAnDe can also directly take an APK file as input. In this case, the following files (if exist) will also be analyzed :
- fullBackupContent
- dataExtractionRules
- network_security_config
All results take into consideration Android versions and their corresponding default values and configurations.
Installation#
python3 -m pip install -r requirements.txt
Usage#
Using the script requires to specify the following mandatory options :
- the version range (min/max Android SDK versions) in which the application is intended to work (this information can be found in the build.gradle or by asking the developer)
- the path to the AndroidManifest.xml or APK file or a package name in case of ADB connection
AMAnDe is developed with its own logger which can take value 0,1 and 2 to respectively display INFO, WARNING or CRITICAL information.
./main.py -h
./main.py -min 10 examples/AmazeFileManager_AndroidManifest.xml
./main.py -min 15 -target 20 -max 30 examples/AmazeFileManager_AndroidManifest.xml -v 2
./main.py -min 28 -target 30 examples/Signal_AndroidManifest.xml --json output.json
./main.py -min 20 -max 33 --adb com.example.package
./main.py -min 21 -max 31 example.apk
If you want interesting XML files (backup rules and network_security_config) to be parsed, please submit an APK file. Otherwise, give the script a simple Manifest file but the results will not be as relevant.
Checks#
Basic information#
- package name
- version code and name if specified in the Manifest
- min and max Android SDK version
- Number of components (activities, services, providers, receivers) including those exported
- Shared libraries required
- Vendor provided share native library required
- Hardware or software features required
- Compilation mode
With an APK:
- All the above
- output of apksigner (if installed) to check the signature. You can change the default binary path in
config.py
.
Permissions#
- builtins
- Searching dangerous ones (i.e. READ_CONTACTS etc.)
- customs
- Analyzing declaration and protectionLevel specified by the developer
- Reviewing custom permission(s) usage with the following checks:
- custom permission(s) used but not declared
- custom permission(s) declared but not used
- custom permission(s) assigned with android:uses-permission instead of android:permission
Backup functionality#
- ADB
- Auto-Backup
- Kotlin or Java backupAgent
With an APK:
- All the above
- fullBackupContent file content analysis (if it exists)
- dataExtractionRules file content analysis (if it exists)
With ADB:
- All the above
- Automatically performs a backup and stores it in the default location.
- You can change the default ADB path and backup location in
config.py
.
Network Security Config#
With an APK and if the file exists:
- Trust anchors configuration
- Certificate pinning
- Clear text traffic configuration
Components#
- Listing exported components
- Summarizing information about all exported components specifying Intent Filters (URIs, data, category etc.)
- Deeplink (URIs)
- Applink (URIs and checks if Digital Asset Link JSON files are publicly available)
- Analyzing permissions set on exported components
- Listing un-exported providers specifying grantUriPermissions to True
Firebase#
- Looking for Firebase URL
Task Hijacking#
- Check for possible task hijacking (StrandHogg) in activity launchMode
Contributing#
We encourage any contribution aiming at improving this tool. If you want to contribute
please check our guidelines in CONTRIBUTING
.