# Android Permissions

### 01. Introduction

The goal of this exercise is to get an overview of the different tools you can use to check and read out the Android permissions of a given APK file:

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FMdBdfLnwUUv2oMLk1Wl2%2Fsample-video-player.apk?alt=media&token=95fcf8e3-12bb-47e2-813c-9eb7111b1187>" %}

### 02. Classy Shark

> ClassyShark is a standalone binary inspection tool for Android developers. It can reliably browse any Android executable and show important info such as class interfaces and members, dex counts and dependencies. ClassyShark supports multiple formats including libraries and executables.

Download:

{% embed url="<https://github.com/google/android-classyshark/releases>" %}

You can start ClassyShark with the following command:

```
java -jar classyshark.jar
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKrLccox8hHdTA5x5H33G%2Flassyshark01.png?alt=media\&token=51dff14c-d591-4c2c-9587-7f42c7baf4ed)

Load the package, select AndroidManifest.xml and check the permissions:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fx9r0v2Q3bmaQLKXuDrta%2Fclassyshark02.png?alt=media\&token=4f9c8a19-05ba-4f2a-b27f-900c5a9c477d)

### 03. Jadx-gui

How to build Jadx from scratch is described in the [first Lab Setup](https://cas-cyber.gitbook.io/cas-cybersecurity/android-malware/lab-setup-1).

```
./jadx-gui  
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FnbWEYjbC386i4zGPaA6W%2Fjadx01.png?alt=media\&token=e2675842-f292-400c-87e1-55e188adc114)

### 04. AAPT

We can also use the Android Asset Packaging Tool (aapt) to dump the permissions:

```
aapt dump permissions sample-video-player.apk 
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FIQrVH5pKERLb4MyMXEO8%2Faapt01.png?alt=media\&token=f650d963-762c-48fd-9206-465d72384f01)
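To triage the dump instead of reading it by eye, the following added example (not part of the original exercise) parses `aapt dump permissions` output and lists the requested permissions that belong to Android's "dangerous" protection level. The sample output and the package name `com.example.videoplayer` are constructed, the permission list is partial, and the two line formats handled are an assumption about what different aapt versions print.

```python
import re
import subprocess
import sys

# Partial list of "dangerous" (runtime) permissions; extend as needed.
DANGEROUS = {
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS", "READ_CALENDAR",
    "WRITE_CALENDAR", "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE", "CALL_PHONE",
    "READ_CALL_LOG", "WRITE_CALL_LOG", "SEND_SMS", "RECEIVE_SMS", "READ_SMS",
    "RECEIVE_MMS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}

# Matches both output styles: "uses-permission: android.permission.X" (older
# aapt) and "uses-permission: name='android.permission.X'" (newer aapt).
LINE_RE = re.compile(r"^(uses-permission(?:-sdk-23)?|permission):\s*(?:name=)?'?([\w.]+)'?")

# Constructed sample output, not taken from sample-video-player.apk.
SAMPLE = """\
package: com.example.videoplayer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' maxSdkVersion='28'
uses-permission: android.permission.RECORD_AUDIO
permission: com.example.videoplayer.permission.C2D_MESSAGE
"""

def parse_permissions(text):
    """Return (requested, declared) permission names, in output order."""
    requested, declared = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            (declared if m.group(1) == "permission" else requested).append(m.group(2))
    return requested, declared

def dangerous(requested):
    """Requested android.permission.* names that are in the DANGEROUS set."""
    prefix = "android.permission."
    return [p for p in requested
            if p.startswith(prefix) and p[len(prefix):] in DANGEROUS]

if __name__ == "__main__":
    # With an APK path, run aapt (must be on PATH); otherwise use the sample.
    text = (subprocess.run(["aapt", "dump", "permissions", sys.argv[1]],
                           capture_output=True, text=True, check=True).stdout
            if len(sys.argv) > 1 else SAMPLE)
    requested, declared = parse_permissions(text)
    print("requested:", requested, "declared:", declared)
    print("dangerous:", dangerous(requested))
```

For a video player, requested permissions such as `READ_SMS` that have no obvious link to the app's function are the ones to follow up in the decompiled code.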

### 05. Mobile Security Framework

We can also use MobSF to analyze Android packages.

{% embed url="<https://github.com/MobSF/Mobile-Security-Framework-MobSF>" %}

We can try the online version:

{% embed url="<https://mobsf.live/>" %}

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FprxEbBrpmQ3QMIOmQsFB%2Fobsf01.png?alt=media\&token=9941ca11-59a9-40d1-aac5-12cea8712923)

### 06. Resources

{% embed url="<http://androidpermissions.com/>" %}
