[Android] aapt 를 이용하여 AndroidManifest.xml 및 퍼미션(perm) 확인하기(malware analysis)

안드로이드 APK 분석은 안드로이드 개발도구부터, 보안툴까지 여러가지 도구로 분석하게 됩니다. 이 중 aapt를 이용하여 퍼미션 정보만 확인하는법에 대해 간단히 작성합니다.

aapt 는 android 패키징,언패키징,서명 등을 위해 주로 사용되는 도구이며 옵션을 활용하여 AndroidMenifest.xml 파일에 대해 확인이 가능합니다.

옵션 확인 시 굉장히 많은 기능을 담고 있다는 것을 알 수 있습니다.
(길이가 길어 하단에 따로 기록하였습니다.)

AAPT를 이용한 Android 퍼미션(Perm), AndroidMenifest.xml 확인

aapt 명령 중 dump 와 badging 옵션을 이용하여 쉽게 AndroidMenifest.xml 확인이 가능합니다.

# aapt dump badging target.apk
를 하였을 때 AndroidMenifest.xml 파일을 읽어오게 됩니다.

여기서 우리는 grep(linux) 이나 findstr(windows)를 통해 필요한 부분에 대해 확인을 할 수 있습니다.

# aapt dump badging target.apk | grep perm

# aapt dump badging target.apk | findstr perm

# aapt dump badging target.apk | grep perm
uses-permission: 'android.permission.INTERNET'

AAPT Options

Android Asset Packaging Tool

 aapt l[ist] [-v] [-a] file.{zip,jar,apk}
   List contents of Zip-compatible archive.

 aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]
   strings          Print the contents of the resource table string pool in the APK.
   badging          Print the label and icon for the app declared in APK.
   permissions      Print the permissions from the APK.
   resources        Print the resource table from the APK.
   configurations   Print the configurations in the APK.
   xmltree          Print the compiled xmls in the given assets.
   xmlstrings       Print the strings of the given compiled xml assets.

 aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \
        [-0 extension [-0 extension ...]] [-g tolerance] [-j jarfile] \
        [--debug-mode] [--min-sdk-version VAL] [--target-sdk-version VAL] \
        [--app-version VAL] [--app-version-name TEXT] [--custom-package VAL] \
        [--rename-manifest-package PACKAGE] \
        [--rename-instrumentation-target-package PACKAGE] \
        [--utf16] [--auto-add-overlay] \
        [--max-res-version VAL] \
        [-I base-package [-I base-package ...]] \
        [-A asset-source-dir]  [-G class-list-file] [-P public-definitions-file] \
        [-S resource-sources [-S resource-sources ...]] \
        [-F apk-file] [-J R-file-dir] \
        [--product product1,product2,...] \
        [-c CONFIGS] [--preferred-configurations CONFIGS] \
        [--split CONFIGS [--split CONFIGS]] \
        [--feature-of package [--feature-after package]] \
        [raw-files-dir [raw-files-dir] ...] \
        [--output-text-symbols DIR]

   Package the android resources.  It will read assets and resources that are
   supplied with the -M -A -S or raw-files-dir arguments.  The -J -P -F and -R
   options control which files are output.

 aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]
   Delete specified files from Zip-compatible archive.

 aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]
   Add specified files to Zip-compatible archive.

 aapt c[runch] [-v] -S resource-sources ... -C output-folder ...
   Do PNG preprocessing on one or several resource folders
   and store the results in the output folder.

 aapt s[ingleCrunch] [-v] -i input-file -o outputfile
   Do PNG preprocessing on a single file.

 aapt v[ersion]
   Print program version.

   -a  print Android-specific data (resources, manifest) when listing
   -c  specify which configurations to include.  The default is all
       configurations.  The value of the parameter should be a comma
       separated list of configuration values.  Locales should be specified
       as either a language or language-region pair.  Some examples:
   -d  one or more device assets to include, separated by commas
   -f  force overwrite of existing files
   -g  specify a pixel tolerance to force images to grayscale, default 0
   -j  specify a jar or zip file containing classes to include
   -k  junk path of file(s) added
   -m  make package directories under location specified by -J
   -u  update existing packages (add new, replace older, remove deleted files)
   -v  verbose output
   -x  create extending (non-application) resource IDs
   -z  require localization of resource attributes marked with
   -A  additional directory in which to find raw asset files
   -G  A file to output proguard options into.
   -F  specify the apk file to output
   -I  add an existing package to base include set
   -J  specify where to output R.java resource constant definitions
   -M  specify full path to AndroidManifest.xml to include in zip
   -P  specify where to output public resource definitions
   -S  directory in which to find resources.  Multiple directories will be scanned
       and the first match found (left to right) will take precedence.
   -0  specifies an additional extension for which such files will not
       be stored compressed in the .apk.  An empty string means to not
       compress any files at all.
       inserts android:debuggable="true" in to the application node of the
       manifest, making the application debuggable even on production devices.
       when used with "dump badging" also includes meta-data tags.
       generate resources for pseudo-locales (en-XA and ar-XB).
       inserts android:minSdkVersion in to manifest.  If the version is 7 or
       higher, the default encoding for resources will be in UTF-8.
       inserts android:targetSdkVersion in to manifest.
       ignores versioned resource directories above the given value.
       when used with "dump resources" also includes resource values.
       inserts android:versionCode in to manifest.
       inserts android:versionName in to manifest.
       If --version-code and/or --version-name are specified, these
       values will replace any value already in the manifest. By
       default, nothing is changed if the manifest already defines
       these attributes.
       generates R.java into a different package.
       generate R.java for libraries. Separate libraries with ':'.
       generate dependency files in the same directories for R.java and resource package
       Automatically add resources that are only in overlays.
       Specifies a preference for a particular density. Resources that do not
       match this density and have variants that are a closer match are removed.
       Builds a separate split APK for the configurations listed. This can
       be loaded alongside the base APK at runtime.
       Builds a split APK that is a feature of the apk specified here. Resources
       in the base APK can be referenced from the the feature APK.
       An app can have multiple Feature Split APKs which must be totally ordered.
       If --feature-of is specified, this flag specifies which Feature Split APK
       comes before this one. The first Feature Split APK should not define
       anything here.
       Rewrite the manifest so that its package name is the package name
       given here.  Relative class names (for example .Foo) will be
       changed to absolute names with the old package so that the code
       does not need to change.
       Rewrite the manifest so that all of its instrumentation
       components target the given package.  Useful when used in
       conjunction with --rename-manifest-package to fix tests against
       a package that has been renamed.
       Specifies which variant to choose for strings that have
       product variants
       changes default encoding for resources to UTF-16.  Only useful when API
       level is set to 7 or higher where the default encoding is UTF-8.
       Make the resources ID non constant. This is required to make an R java class
       that does not contain the final value but is used to make reusable compiled
       libraries that need to access resources.
       Make a shared library resource package that can be loaded by an application
       at runtime to access the libraries resources. Implies --non-constant-id.
       Forces aapt to return an error if it fails to insert values into the manifest
       with --debug-mode, --min-sdk-version, --target-sdk-version --version-code
       and --version-name.
       Insertion typically fails if the manifest already defines the attribute.
       Forces aapt to return an error if it fails to find an entry for a configuration.
       Generates a text file containing the resource symbols of the R class in the
       specified folder.
       Assets to be ignored. Default pattern is: