A professional tool to automate attack surface detection in Android applications by parsing Manifest files.
📲 AndroidManifestExplorer
A high-performance static analysis utility designed to automate the discovery of attack surfaces in Android applications. By parsing decompiled AndroidManifest.xml files, this tool identifies exposed components, security misconfigurations, deep-link vectors, and dangerous permission usage, providing ready-to-use adb payloads for immediate dynamic verification.
🎯 Security Objectives
- Attack Surface Mapping: Identify all exported Activities, Services, Broadcast Receivers, and Content Providers.
- Implicit Export Detection: Flag components that are exported by default due to the presence of intent-filters without an explicit `android:exported="false"` attribute.
- Deep Link Analysis: Extract URI schemes, hosts, and paths to facilitate intent-fuzzing and unauthorized navigation testing.
- MIME-Type Intent Detection: Identify activities handling file-sharing and content intents (`ACTION_SEND`, `ACTION_VIEW` with MIME types) and generate targeted ADB commands.
- Dangerous Permissions Audit: Match declared `<uses-permission>` entries against 40+ known dangerous Android permissions with risk descriptions.
- Provider Vulnerability Analysis: Generate SQLi test payloads, LFI traversal commands, and detect `grantUriPermissions` and `path-permission` misconfigurations.
- Config Analysis: Detect high-risk application flags such as `debuggable="true"`, `allowBackup="true"`, `usesCleartextTraffic="true"`, `sharedUserId`, `networkSecurityConfig`, and `testOnly="true"`.
- JSON Output: Export all findings as structured JSON for pipeline integration and further processing.
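The implicit-export rule above is the core of the attack-surface mapping. The following is an added example, not the project's own code: a minimal standard-library implementation that applies the rule to a constructed sample manifest (all component names and the `com.example.sample` package are made up for the example).

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app) covering the four cases.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".InternalReceiver"/>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (type, fully-qualified name, reason) for each exported component.

    An explicit android:exported wins. Without it, a component that declares at
    least one <intent-filter> is exported by default; apps targeting Android 12+
    must state it explicitly or fail to install. Providers on API <= 16 are
    exported by default even without a filter; that case is not modelled here.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(NS + "name", "")
        if name.startswith("."):          # shorthand relative to the package
            name = pkg + name
        exported = comp.get(NS + "exported")
        if exported == "true":
            found.append((comp.tag, name, "explicit android:exported=\"true\""))
        elif exported is None and comp.find("intent-filter") is not None:
            found.append((comp.tag, name, "implicit: intent-filter, no android:exported"))
    return found


if __name__ == "__main__":
    for kind, name, reason in exported_components(SAMPLE_MANIFEST):
        print(f"{kind:9} {name}  [{reason}]")
```

The service with `android:exported="false"` is correctly skipped despite its intent-filter, and the receiver with neither attribute nor filter stays private.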
🚀 Installation
Prerequisites
- Python 3.6+
- apktool (for decompiling binary XML)
Setup
- Clone the repository and install the dependencies:
$: git clone https://github.com/mateofumis/AndroidManifestExplorer.git
$: cd AndroidManifestExplorer
$: pip install .
- Alternatively, install the requirements directly:
$: pip install -r requirements.txt
- Using PyPI (available for `pip` or `pipx`):
# with pip/pip3
$: pip install AndroidManifestExplorer
# or pipx
$: pipx install AndroidManifestExplorer
🛠 Usage Workflow
1. Decompile Target APK
The tool operates on the plain-text XML output of apktool.
$: apktool d target_app.apk -o output_dir
2. Execute Scan
Run the explorer against the generated manifest:
$: AndroidManifestExplorer -f output_dir/AndroidManifest.xml
Optionally save all findings to a JSON file:
$: AndroidManifestExplorer -f output_dir/AndroidManifest.xml -o output.json
If running the script directly without installation:
$: python3 AndroidManifestExplorer.py -f output_dir/AndroidManifest.xml
$: python3 AndroidManifestExplorer.py -f output_dir/AndroidManifest.xml -o output.json
📊 Technical Output Overview
The tool produces color-coded Rich terminal output organized into the following sections:
App Flags
A severity-sorted table reporting dangerous application-level attributes:
| Severity | Flag |
|---|---|
| CRITICAL | debuggable="true" — enables ADB debugging, data extraction, and RCE |
| CRITICAL | allowBackup="true" — allows full data extraction via adb backup |
| WARN | usesCleartextTraffic="true" — permits unencrypted HTTP traffic (MITM risk) |
| WARN | sharedUserId — app shares a Linux UID with other packages (privilege escalation risk) |
| INFO | networkSecurityConfig — custom network security policy defined, review recommended |
| INFO | testOnly="true" — test or debug APK |
Dangerous Permissions
Matches all <uses-permission> declarations against 40+ known Android dangerous permissions (covering location, camera, microphone, contacts, SMS, storage, phone state, biometrics, Bluetooth, and more) and displays each match with a risk description.
Attack Surface
One panel per exported or implicitly-exported component, color-coded by type:
- 🟢 Activities (`am start -n`) — shows protecting permission, intent-filter actions/categories/MIME types, deep links with ready-to-run ADB commands, and MIME-type-only intents (e.g. `ACTION_SEND image/*`).
- 🔵 Services (`am startservice -n`) — shows protecting permission and trigger command.
- 🟣 Receivers (`am broadcast -n`) — shows protecting permission and trigger command.
- 🔴 Providers (`content query --uri`) — shows protecting permission and generates three payloads per authority:
  - Plain query: `adb shell content query --uri content://<authority>/`
  - SQLi test: same command with `--where "1=1"`
  - LFI test: `adb shell content read --uri content://<authority>/../../../../../../data/data/<package>/databases/`
  - Warns if `grantUriPermissions="true"` is set or `<path-permission>` elements are present.
JSON Output Schema
When -o is provided, findings are saved as structured JSON:
```json
{
  "package": "com.manifestexploitable.app",
  "app_flags": {
    "sharedUserId": "com.manifestexploitable.shared",
    "debuggable": "true",
    "allowBackup": "true",
    "testOnly": "true",
    "usesCleartextTraffic": "true",
    "networkSecurityConfig": "@xml/network_security_config"
  },
  "dangerous_permissions": [
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE"
  ],
  "attack_surface": [
    {
      "type": "activity",
      "name": "com.manifestexploitable.app.MainActivity",
      "permission": null,
      "intent_filters": [
        {
          "actions": [
            "android.intent.action.MAIN"
          ],
          "categories": [
            "android.intent.category.LAUNCHER"
          ]
        }
      ],
      "adb_command": "adb shell am start -n com.manifestexploitable.app/com.manifestexploitable.app.MainActivity"
    },
    {
      "type": "activity",
      "name": "com.manifestexploitable.app.TransferActivity",
      "permission": null,
      "intent_filters": [],
      "adb_command": "adb shell am start -n com.manifestexploitable.app/com.manifestexploitable.app.TransferActivity"
    },
    {
      "type": "activity",
      "name": "com.manifestexploitable.app.DeepLinkActivity",
      "permission": null,
      "intent_filters": [
        {
          "actions": [
            "android.intent.action.VIEW"
          ],
          "categories": [
            "android.intent.category.DEFAULT",
            "android.intent.category.BROWSABLE"
          ]
        },
        {
          "actions": [
            "android.intent.action.VIEW"
          ],
          "categories": [
            "android.intent.category.DEFAULT",
            "android.intent.category.BROWSABLE"
          ]
        }
      ],
      "adb_command": "adb shell am start -n com.manifestexploitable.app/com.manifestexploitable.app.DeepLinkActivity",
      "deep_links": [
        {
          "uri": "manifestexploitable://open/transfer",
          "action": "android.intent.action.VIEW",
          "attack_command": "adb shell am start -W -a android.intent.action.VIEW -d 'manifestexploitable://open/transfer' com.manifestexploitable.app"
        },
        {
          "uri": "https://manifestexploitable.com/account/.*",
          "action": "android.intent.action.VIEW",
          "attack_command": "adb shell am start -W -a android.intent.action.VIEW -d 'https://manifestexploitable.com/account/' com.manifestexploitable.app"
        }
      ]
    },
    {
      "type": "activity",
      "name": "com.manifestexploitable.app.AdminPanelActivity",
      "permission": "com.manifestexploitable.app.ACCESS_ACCOUNTS",
      "intent_filters": [],
      "adb_command": "adb shell am start -n com.manifestexploitable.app/com.manifestexploitable.app.AdminPanelActivity"
    },
    {
      "type": "receiver",
      "name": "com.manifestexploitable.app.SmsInterceptReceiver",
      "permission": null,
      "intent_filters": [
        {
          "actions": [
            "android.provider.Telephony.SMS_RECEIVED"
          ]
        }
      ],
      "adb_command": "adb shell am broadcast -n com.manifestexploitable.app/com.manifestexploitable.app.SmsInterceptReceiver"
    },
    {
      "type": "receiver",
      "name": "com.manifestexploitable.app.AdminCommandReceiver",
      "permission": null,
      "intent_filters": [],
      "adb_command": "adb shell am broadcast -n com.manifestexploitable.app/com.manifestexploitable.app.AdminCommandReceiver"
    },
    {
      "type": "service",
      "name": "com.manifestexploitable.app.DataSyncService",
      "permission": null,
      "intent_filters": [
        {
          "actions": [
            "com.manifestexploitable.app.action.SYNC"
          ]
        }
      ],
      "adb_command": "adb shell am startservice -n com.manifestexploitable.app/com.manifestexploitable.app.DataSyncService"
    },
    {
      "type": "service",
      "name": "com.manifestexploitable.app.RemoteControlService",
      "permission": "com.manifestexploitable.app.VIEW_TRANSACTIONS",
      "intent_filters": [],
      "adb_command": "adb shell am startservice -n com.manifestexploitable.app/com.manifestexploitable.app.RemoteControlService"
    },
    {
      "type": "provider",
      "name": "com.manifestexploitable.app.AccountsProvider",
      "permission": null,
      "grantUriPermissions": "true",
      "adb_command": "adb shell content query --uri content://com.manifestexploitable.app.accounts/",
      "sqli_test": "adb shell content query --uri content://com.manifestexploitable.app.accounts/ --where \"1=1\"",
      "lfi_test": "adb shell content read --uri content://com.manifestexploitable.app.accounts/../../../../../../data/data/com.manifestexploitable.app/databases/",
      "path_permissions": [
        {
          "path": "/transactions",
          "readPermission": "com.manifestexploitable.app.VIEW_TRANSACTIONS",
          "writePermission": null
        },
        {
          "path": "/admin",
          "readPermission": "com.manifestexploitable.app.ACCESS_ACCOUNTS",
          "writePermission": "com.manifestexploitable.app.ACCESS_ACCOUNTS"
        }
      ]
    },
    {
      "type": "provider",
      "name": "com.manifestexploitable.app.UserDataProvider",
      "permission": null,
      "grantUriPermissions": null,
      "adb_command": "adb shell content query --uri content://com.manifestexploitable.app.userdata/",
      "sqli_test": "adb shell content query --uri content://com.manifestexploitable.app.userdata/ --where \"1=1\"",
      "lfi_test": "adb shell content read --uri content://com.manifestexploitable.app.userdata/../../../../../../data/data/com.manifestexploitable.app/databases/"
    }
  ]
}
```
⚖️ Disclaimer
This tool is intended for professional security research and authorized penetration testing only. Unauthorized use against systems without prior written consent is strictly prohibited and may violate local and international laws. The developer assumes no liability for misuse or damage caused by this utility.
File details
Details for the file androidmanifestexplorer-2.0.0.tar.gz.
- Download URL: androidmanifestexplorer-2.0.0.tar.gz
- Size: 17.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File details
Details for the file androidmanifestexplorer-2.0.0-py3-none-any.whl.
- Download URL: androidmanifestexplorer-2.0.0-py3-none-any.whl
- Size: 15.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12