Android Security
App Model and Attack Surface

Author: 0x74shelby · Fundamentals · Intermediate

01 The Android Application Model

Android isolates apps from each other with a Linux-based sandbox. Each application is installed under its own UID, runs in its own process, and owns a private data directory (/data/data/<package>); SELinux policy further restricts what that process may do. The one exception is apps signed with the same key that declare the same android:sharedUserId (now deprecated), which share a UID. By default, an app cannot read another app's files or memory. Communication between apps goes through well-defined IPC mechanisms (Intents over Binder, content URIs) rather than shared memory. The model is sound; the findings come from how developers configure and implement it.

An APK file is a ZIP archive containing the app's compiled Dalvik bytecode (classes.dex, plus classes2.dex and so on for multidex builds), resources, the manifest (AndroidManifest.xml), and any native libraries. The manifest is the single most important file for security analysis: it declares every component the app exposes to other apps and the system, and the permissions it requests and defines. Inside the APK it is stored as binary XML, so decode it (apktool, or aapt dump xmltree) before reading it.

apk analysis start
# decode resources and the binary AndroidManifest.xml into readable XML
apktool d app.apk -o decompiled/
cat decompiled/AndroidManifest.xml

# quick triage: explicitly exported components, debug builds, and
# components carrying intent filters (exported by default before API 31)
grep -n "android:exported=\"true\"" decompiled/AndroidManifest.xml
grep -n "android:debuggable" decompiled/AndroidManifest.xml
grep -c "<intent-filter" decompiled/AndroidManifest.xml

02 The Four Component Types

Android apps are made of four component types. Activities are UI screens. Services do background work without a UI; by default they run inside the app's own process, not a separate one. Broadcast Receivers react to system-wide or app-defined broadcasts. Content Providers expose structured data or files to other apps through content:// URIs (SQLite-backed providers, FileProvider).

The security-relevant attribute is android:exported. An exported component can be started or accessed by any other app on the device, unless it is additionally guarded by an android:permission that the caller must hold. An exported Activity can be launched directly, potentially skipping the authentication screens in front of it. An exported Content Provider can be queried, and if it also sets android:grantUriPermissions it can hand out access to the files it serves. An exported Service can have its logic triggered, and an exported Broadcast Receiver accepts broadcasts from anyone. The defaults matter: for apps targeting API 30 or lower, an activity, service or receiver that declares an <intent-filter> without an explicit android:exported is exported; from API 31 (Android 12) the attribute must be declared explicitly on such components or the app will not install. Any component exported without the developer intending it is attack surface.

Intent Redirection

If an app takes an Intent out of the data it receives (a Parcelable extra, a deep-link parameter) and passes it to startActivity(), startService() or sendBroadcast() without validating it, an attacker's app can make the victim launch components on its behalf. Because the forwarded Intent is sent by the victim app, the platform treats the victim as the caller: its own non-exported components become reachable, and any FLAG_GRANT_*_URI_PERMISSION flags the attacker set on the nested Intent can grant the attacker's component access to URIs the victim app can reach, such as its private content providers. This is Intent redirection, and it is a common finding in apps that handle deep links or process external Intents. The usual mitigations are to allowlist the components the app is willing to forward to, to verify the origin with getCallingActivity(), and to strip grant flags before forwarding.
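The manifest triage from section 01, the exported defaults above, and the reason Intent redirection works can all be shown on one constructed manifest. The script below is an added example, not code from the page's author or from any tool it names; the package com.example.target, its components, and the attacker package are hypothetical. The exported-default rules it applies (intent-filter implies exported below API 31, providers default to exported only up to API 16, explicit declaration required from API 31) are platform facts; can_start is a deliberately simplified model of the platform check that ignores permission protection levels and URI permissions.

```python
"""Attack-surface triage for a decoded AndroidManifest.xml, plus a model of the
caller check that Intent redirection launders. Added example; the sample
manifest and the com.example.target package are constructed, not a real app."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
# android.content.Intent constants for URI permission grants
FLAG_GRANT_READ_URI_PERMISSION = 0x00000001
FLAG_GRANT_WRITE_URI_PERMISSION = 0x00000002

# Constructed sample (targetSdk 30, so the pre-Android-12 defaults apply).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.target.permission.SYNC"/>
    <provider android:name=".UserProvider" android:exported="true"
        android:authorities="com.example.target.provider"
        android:grantUriPermissions="true"/>
  </application>
</manifest>
"""


def expand(package, name):
    """Resolve android:name to a fully qualified class (".X" and bare "X" are relative)."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def exported_state(el, target_sdk):
    """Return (exported, reason) following the platform defaults."""
    declared = el.get(NS + "exported")
    has_filter = el.find("intent-filter") is not None
    if declared is not None:
        return declared == "true", "explicit android:exported=" + declared
    if el.tag == "provider":
        # providers default to exported only when the app targets API 16 or lower
        return target_sdk <= 16, "provider default for targetSdk %d" % target_sdk
    if has_filter and target_sdk >= 31:
        # Android 12+ refuses to install this manifest; report it as a finding
        return True, "intent-filter without explicit exported (install fails on API 31+)"
    return has_filter, "implicit: " + ("intent-filter present" if has_filter else "no intent-filter")


def attack_surface(manifest_xml):
    """Parse a decoded manifest into {package, target_sdk, debuggable, components}."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(NS + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    surface = {"package": package, "target_sdk": target_sdk,
               "debuggable": app.get(NS + "debuggable") == "true", "components": {}}
    for el in app:
        if el.tag not in COMPONENTS:
            continue
        exported, reason = exported_state(el, target_sdk)
        surface["components"][expand(package, el.get(NS + "name", ""))] = {
            "kind": el.tag, "exported": exported, "reason": reason,
            "permission": el.get(NS + "permission"),
            "grants_uri": el.get(NS + "grantUriPermissions") == "true",
        }
    return surface


def can_start(component, caller_package, caller_perms, surface):
    """Simplified model of the platform check for a direct start: an app's own
    components are always reachable; other callers need the component to be
    exported and must hold its android:permission, if any."""
    info = surface["components"][component]
    if caller_package == surface["package"]:
        return True
    if not info["exported"]:
        return False
    return info["permission"] is None or info["permission"] in caller_perms


def redirect_reaches(component, surface):
    """Intent redirection: the host forwards an attacker-built Intent, so the
    platform sees the host itself as the caller and the exported check passes."""
    return can_start(component, surface["package"], set(), surface)


def sanitize_redirect(nested, allowed_targets):
    """Hardened forwarder: allowlist the target and strip URI-grant flags.
    nested is {"component": str, "flags": int}; None means refuse to forward."""
    if nested["component"] not in allowed_targets:
        return None
    flags = nested["flags"] & ~(FLAG_GRANT_READ_URI_PERMISSION | FLAG_GRANT_WRITE_URI_PERMISSION)
    return {"component": nested["component"], "flags": flags}


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    print("package %s targetSdk %d debuggable=%s" % (s["package"], s["target_sdk"], s["debuggable"]))
    for name, info in s["components"].items():
        print("  %-8s exported=%-5s perm=%-36s grants_uri=%-5s %s" % (
            info["kind"], info["exported"], info["permission"], info["grants_uri"], name))
    admin = s["package"] + ".AdminActivity"
    print("attacker starts AdminActivity directly:", can_start(admin, "com.attacker.app", set(), s))
    print("attacker reaches it through a redirect:", redirect_reaches(admin, s))
```

Run it against a real decoded manifest by replacing SAMPLE_MANIFEST with the contents of decompiled/AndroidManifest.xml. Note how DeepLinkActivity is exported without ever saying so, SyncService is exported but only to callers holding the SYNC permission, and AdminActivity is unreachable from a third-party app yet reachable the moment the app forwards an untrusted Intent.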

03 Analysing IPC with ADB

ADB (Android Debug Bridge) is your primary tool for interacting with Android devices and emulators during security testing. You can send Intents to exported components, query Content Providers, inspect the file system, capture traffic, and pull APKs. Start by exercising every exported component manually: that shows what is reachable and whether the access controls in front of it hold. Keep in mind that adb shell runs as the shell user, which is more privileged than a third-party app (it can grant runtime permissions, for instance), so confirm anything permission-gated from a real test app before reporting it.

adb security testing
adb devices
adb shell pm list packages | grep target

# the install directory carries a random suffix on recent Android versions,
# so ask the package manager for the real path and pull that
adb shell pm path com.target.app
adb pull /data/app/com.target.app/base.apk   # substitute the path pm printed

# start an exported activity directly, skipping the app's own navigation flow
adb shell am start -n com.target.app/.AdminActivity

# query an exported content provider as any other app could
adb shell content query --uri content://com.target.app.provider/users