Intrepidus Group

Lock down your Android APK permissions

Posted: May 27, 2010 – 10:31 pm | Author: | Filed under: Mobile Security, Uncategorized

We’re not planning on becoming a “how to” blog anytime soon, but thought this could be interesting to a number of you with Android phones and a love of 3rd party apps (Hi Pandora… you look mighty fine today). Android users are probably used to seeing a list of permissions an application desires just before you hit that big install button in the Android Market. Unfortunately there’s not much of a way to figure out why an application wants particular permissions, nor can you choose to grant an application some permissions and not others (like you can do on a RIM device). It’s just “here’s what the app wants”: install or don’t install. If you want a little more control over the permissions an application is granted, an awesome little tool called “apktool” can help you out.

Let us take the Bubble Burst Lite game as an example of a free app that I may want to try out, but don’t want to give too much access to my phone. In particular, I don’t want it reading my contacts or sending SMS messages to my friends about how badly I’ll crush them with my bubble popping skills. To lock this down, you will want to grab the com.androgames.BubbleBurst.apk file and install apktool (I’ll assume you already have adb installed by now). Next, run the following command to extract the APK and “decode” the application.

apktool decode com.androgames.BubbleBurst.apk BubbleBurstLite

You will notice in the new directory that was just created there is an AndroidManifest.xml file which you can read in any text editor (while there are other tools that can extract this info from an apk, I’m a big fan of this tool and the format it uses). Next, look for the “uses-permission” tags, typically near the end of the file. In our case, the app is requesting four permissions: INTERNET, ACCESS_NETWORK_STATE, RECEIVE_SMS, and READ_CONTACTS.

[Screenshot: AndroidManifest.xml showing the uses-permission tags]

Next, remove the tags for the permissions you don’t want the application to have. In my case, I’m going to remove the permissions for RECEIVE_SMS and READ_CONTACTS. You can also pull out things like the “SMSReceiver” tag a little higher up in the file. Save your changes, then head back to the command line to have apktool rebuild the application.

apktool build BubbleBurstLite

This step will create an “out.apk” file in the dist subfolder. But before you can install it on your phone, you must first sign the apk. In this example, I’ll just use my own self-signed key that I’ve previously created.

jarsigner -verbose -keystore my-release-key.keystore out.apk igkey

(Raj, a fellow Intrepidus Group colleague, made a good point to me at this step. If you sign all your apps with the same key, and developers knew that and coded for it, they could have permission to communicate with each other and share data… and possibly, one day rise up against you. Help do your part to keep Cyberdyne Systems at bay and sign each app with a unique key.)

Now back to our changes, plug in your device and finish things off with the “adb install out.apk” command. You will now notice when you view the application’s permissions in the Settings->Applications->Manage Applications menu, the unwanted permissions are gone. Play away, secure in the knowledge that any bubble blasting smack is going to come from you and not from the application covertly sending SMS messages in the background.



  1. Austin
    Posted July 1, 2010 at 11:03 am | Permalink

    I tried this out of curiosity on a few apps. One of them when viewing the XML, it didn’t show ANY permissions. Then, when using Android to install, it suddenly asked me for numerous permissions. Can you explain?

  2. Mikle
    Posted July 22, 2010 at 8:54 am | Permalink

    Won't that make the programs crash / force close / something worse though?

  3. Krom
    Posted August 15, 2010 at 4:37 am | Permalink

    Works for some apps, some refuse to install afterwards.
    Anyway, best solution I’ve found so far, thank you!

3 Trackbacks

  1. [...] This post was mentioned on Twitter by Chris Gates and Gal Shpantzer, umbrajoe. umbrajoe said: RT @carnal0wnage: [SharedReader] Lock down your Android APK permissions [...]

  3. [...] time ago, I read Lock down your Android APK permissions by benn from Intrepidus [...]
