Application components#

The application and its main components (activities, broadcast receivers, services, content providers) must be declared in the Manifest, even if they are not meant to be exported (i.e., the exported attribute is set to false).

Warning

There is one exception: broadcast receivers can be registered dynamically, via one of the Context.registerReceiver() methods.

The name attribute of a component is the name of the corresponding class that will be instantiated and whose methods are to be called back by the Android system (for exported components).

Example: the Manifest below declares an Activity class com.xyz.appcheck.AppCheck, among other components.

Entry points#

The exported components of an APK can be regarded as the entry-points of the application. Therefore, unlike other types of executable programs, an Android application can have multiple entry-points.

The true entry-point of a non-native application is the application's static initializer (Application.<clinit>). If the application being analyzed declares its own Application class in the manifest (instead of reusing android.app.Application), then that class's static initializer, if any, should be looked at first, followed by the constructors.

Similarly, the static initializers and constructors of activities, receivers, services and providers are also entry-points.

Finally, all API-defined callback methods of those five components can be called back by the system. Typically, the main activity's onCreate() method is the practical entry-point to an application, akin to a regular program's main() routine.

Note

JEB's disassembly view recaps the most important features of the APK at the top of the code listing. The important components, in particular any custom Application object, will be mentioned there:

Activities#

Activities are activated by Intent.

Exported activities (by default, any unfiltered activity is exported) are first-class entry-points. The following methods should be carefully examined:

  • constructor (although the object state is uncertain)
  • well-known callbacks, e.g. attachBaseContext (used to set up a delegate Activity), onCreate, onResume, etc.

Pseudo activities#

Be mindful of activity aliases: they are not true components, but they can and will override their target component's characteristics, such as intent filters.

Services#

Services are activated by Intent.

Services are started by Activity code or Receiver code (after receiving a particular event). Most won't be easily started by the user, except for a few of them, such as Input services. Therefore, they should not be considered first-class entry-points from the point of view of code analysis.

Broadcast Receivers#

Broadcast receivers are activated by Intent.

The intent handler for ACTION_BOOT_COMPLETED is a common entry-point, commonly used by malicious code as a way to automatically start after the phone has booted up. Many other broadcast actions exist as well (e.g., battery plugged, message received, phone lifted, etc.).

Caveats:

  • API 21+ (Lollipop) - need a wake lock
  • API 26+ (Oreo) - need a JobIntentService

Content Providers#

Content providers are activated by ContentResolver.

Intents#

Intents are the primary method for inter-process and inter-app communication. Other IPC means exist, e.g. sockets, files, etc.

Intents are used to activate components, e.g. start an activity.
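As an added example (not part of the original page or of JEB), the script below enumerates the manifest-declared entry-points discussed above: the custom Application class, the components reachable from outside the app, and any receiver listening for ACTION_BOOT_COMPLETED. It assumes a constructed sample manifest for a hypothetical package com.example.sample, and applies the platform default that a component without an explicit android:exported attribute is exported exactly when it declares an intent filter (the rule for apps targeting API levels below 31).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package, not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application android:name=".CustomApp">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
    </intent-filter></activity>
    <activity android:name=".HiddenActivity"/>
    <activity-alias android:name=".AliasActivity" android:targetActivity=".HiddenActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.sample.data" android:exported="true"/>
  </application>
</manifest>"""

def attr(elem, name):  # read an android:-namespaced attribute
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def qualify(pkg, name):  # expand the manifest's ".Relative" class names
    return pkg + name if name.startswith(".") else name

def is_exported(comp):
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    # Platform default for apps targeting API < 31: with no explicit android:exported,
    # a component is exported exactly when it declares an intent filter.
    return comp.find("intent-filter") is not None

def entry_points(manifest_xml):
    root = ET.fromstring(manifest_xml)
    pkg, app = root.get("package"), root.find("application")
    # A custom Application class means its <clinit> and constructor run before any component.
    app_class = qualify(pkg, attr(app, "name") or "android.app.Application")
    exported, boot = [], []
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = qualify(pkg, attr(comp, "name"))
            if is_exported(comp):
                exported.append((tag, name))  # system-reachable entry-point
            if tag == "receiver" and any(attr(a, "name") == BOOT_ACTION for a in comp.iter("action")):
                boot.append(name)  # auto-starts after boot
    return {"application": app_class, "exported": exported, "boot_receivers": boot}
```

Note that an activity-alias is reported under its own name; its android:targetActivity names the class whose code actually runs.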
