Permissions Validation on Android

12 Sep 2017

I previously wrote about how unwanted permissions can sneak into your APK during manifest merging and how one can undeclare permissions. While undeclaring permissions is an option, validating the permissions in your final APK is a better approach since you can explicitly check for all the permissions you want and fail if there are any unknown permissions.

So how do we this? Fortunately it’s pretty easy to whip up a script that leverages the Android Asset Packaging Tool (AAPT).

AAPT lives in the build-tools directory of your ever-expanding Android SDK folder. The build tools are versioned: my SDK folder contains versions 25.0.2, 25.0.3, and 26.0.1. You can do some technical interview preparation and test yourself on the somewhat mundane exercise of finding the most recent version of AAPT programmatically. For the lazy, just grab the AAPT binary and put it in the same directory as your script.

Once you’ve got AAPT you can run it to get the permissions of your APK: aapt d permissions GGApp.apk:

It’s easy enough now to parse out the permissions and compare them against the set of permissions you are expecting in your final APK!