Android App Flow & Directory Structure

📍Application Journey

  1. Code (Java/Kotlin + libraries + resources) + compile ⇒ DEX

  2. DEX + build ⇒ APK

  3. APK + Signed ⇒ signed APK

  4. signed APK + Google Play ⇒ installed on the user device.
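Steps 2 and 3 above are worth seeing at the byte level: an APK is a ZIP archive, the JAR-style (v1) signature is stored as ordinary entries under META-INF/, and the v2/v3 signature lives in an APK Signing Block that sits just before the ZIP central directory and is not a ZIP entry at all. The script below is an added example for these notes, not code from the original page; it builds placeholder APK-shaped archives in memory (fake DEX and manifest bytes, a fake signing block carrying the v2 block ID) and reports which signing artefacts each one carries. It inspects structure only and does not verify any signature; apksigner does that.

```python
"""Inspect an APK (a ZIP archive) and report where its signatures live.

Added example for these notes, not code from the original page. The sample
APKs are constructed in memory from placeholder bytes so the script runs
offline; it inspects structure only and does not verify any signature.
"""
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"      # trailer of the APK Signing Block (v2/v3)
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")  # JAR (v1) signature certificate files
EOCD_SIGNATURE = b"PK\x05\x06"             # End Of Central Directory record marker


def _eocd_offset(data: bytes) -> int:
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a ZIP archive: EOCD record not found")
    return eocd


def _central_directory_offset(data: bytes) -> int:
    """The EOCD stores the central directory offset as a little-endian
    uint32 at byte 16 of the record."""
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def summarize_apk(data: bytes) -> dict:
    """Summarise archive contents and which signing artefacts are present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    cd_offset = _central_directory_offset(data)
    # v2/v3: the APK Signing Block sits directly before the central directory
    # and ends with a fixed 16-byte magic. It is not a ZIP entry, so
    # namelist() alone cannot tell you whether the APK is signed.
    has_sig_block = cd_offset >= 16 and data[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC
    # v1: a PKCS#7 certificate block stored as a regular entry under META-INF/
    v1_files = sorted(
        n for n in names
        if n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES)
    )
    return {
        "dex_files": sorted(n for n in names if n.endswith(".dex")),
        "has_manifest": "AndroidManifest.xml" in names,
        "v1_signature_files": v1_files,
        "has_v2_v3_signing_block": has_sig_block,
    }


def _insert_signing_block(data: bytes) -> bytes:
    """Splice a placeholder APK Signing Block in front of the central directory.
    Layout: uint64 size | id-value pairs | uint64 size | magic, where size
    counts everything after the first size field. Only the EOCD's central
    directory offset needs patching: local file headers precede the block
    and keep their offsets."""
    cd_offset = _central_directory_offset(data)
    eocd = _eocd_offset(data)
    value = b"placeholder, not a real signature"
    # each pair: uint64 length of (id + value), uint32 id, value
    pair = struct.pack("<QI", 4 + len(value), 0x7109871A) + value  # 0x7109871a: v2 signature ID
    size = len(pair) + 8 + len(SIG_BLOCK_MAGIC)
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd


def build_sample_apk(v1_signed: bool, with_sig_block: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("res/layout/main.xml", b"<placeholder layout/>")
        if v1_signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    data = buf.getvalue()
    return _insert_signing_block(data) if with_sig_block else data


if __name__ == "__main__":
    for label, apk in [("unsigned", build_sample_apk(False, False)),
                       ("v1 + v2 block", build_sample_apk(True, True))]:
        print(label, summarize_apk(apk))
```

The practical point: a missing META-INF/*.RSA does not mean an unsigned APK, because modern builds may carry only a v2/v3 block, so check both places before drawing conclusions during static analysis.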

📍Important directories

The directories listed below are the most important on an Android device and are worth knowing.

  1. /data/data/

    • Contains a directory for every application the user installs.

    • Contains private data for each installed application.

    • Inspect for sensitive information like credentials, tokens, and configuration files.

  2. /data/user/0/

    • Contains data that only the app can access.

    • Focus on subdirectories such as:

      • shared_prefs/: XML files storing SharedPreferences, which may contain unencrypted sensitive data.

      • databases/: SQLite databases that might store user information or application data.

      • cache/: Temporary files that could expose sensitive information.

  3. /data/app/

    • Stores APK files of installed applications.

    • Useful for static analysis and reverse engineering.

  4. /system/app/ and /system/priv-app/

    • Contain pre-installed system applications.

    • Assess for potential vulnerabilities in system apps.

  5. /sdcard/ or /storage/emulated/0/

    • Represents external storage accessible by users and apps.

    • Reached through a symbolic link; holds the DCIM, Download, Music, Pictures, etc. directories.

    • Check for exposed sensitive files, backups, or logs.

  6. /data/misc/wifi/

    • Stores Wi-Fi configurations, including saved networks and passwords.

    • Analyze for potential leakage of network credentials.

  7. /etc/

    • Contains system-wide configuration files.

    • Review for misconfigurations or exposed credentials.

  8. /proc/

    • Provides runtime system information.

    • Useful for monitoring processes and system behavior during dynamic analysis.

  9. /dev/

    • Contains device nodes.

    • Investigate for unauthorized access to device interfaces.

  10. /data/local/tmp/

    • A world-writable directory often used for temporary storage.

    • Can be exploited to drop and execute malicious files.

  11. /data/misc/user/0/cacerts-added

    • User certificate store; holds certificates added by the user.

  12. /etc/security/cacerts/

    • System certificate store; not writable by non-root users.
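The shared_prefs/ files under item 2 are the usual first stop when reviewing an app's private data: each is a small XML document with a `<map>` root whose children (`string`, `boolean`, `int`, `long`, `float`, `set`) carry a `name` attribute and either text or a `value` attribute. The scanner below is an added example for these notes, not code from the original page; it parses that format and flags entries whose key names or values suggest a stored secret. The sample preferences file is constructed here, and the sensitive-key pattern and JWT heuristic are this example's own choices, so expect to tune them for a given app.

```python
"""Parse an Android SharedPreferences XML file and flag likely secrets.

Added example for these notes, not code from the original page. The sample
file below is constructed; the key-name and JWT heuristics are illustrative.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Key names that usually mean a credential is stored (heuristic, tune per app)
SENSITIVE_KEY_PATTERN = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|auth|session|credential|\bpin\b", re.I
)
# Three base64url segments separated by dots: the shape of a JWT
JWT_PATTERN = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$")

# Constructed sample; the token is a placeholder JWT, not a real credential
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <boolean name="biometrics_enabled" value="true" />
    <int name="launch_count" value="12" />
    <string name="api_password">hunter2</string>
    <long name="last_sync" value="1700000000" />
    <set name="recent_searches">
        <string>shoes</string>
    </set>
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {name: value}; scalars come back as strings, sets as lists."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"unexpected root element {root.tag!r}, expected <map>")
    prefs = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "set":
            prefs[name] = [child.text or "" for child in el]
        else:  # boolean, int, long, float keep the value in an attribute
            prefs[name] = el.get("value")
    return prefs


def find_sensitive_entries(prefs: dict) -> list:
    """Flag entries by key name and by value shape; values are masked so the
    report itself does not leak the secret."""
    findings = []
    for key, value in prefs.items():
        reasons = []
        if SENSITIVE_KEY_PATTERN.search(key):
            reasons.append("key name suggests a secret")
        if isinstance(value, str) and JWT_PATTERN.match(value):
            reasons.append("value looks like a JWT")
        if reasons:
            preview = value[:4] + "..." if isinstance(value, str) else "<set>"
            findings.append({"key": key, "reasons": reasons, "preview": preview})
    return findings


if __name__ == "__main__":
    for finding in find_sensitive_entries(parse_shared_prefs(SAMPLE_PREFS)):
        print(finding)
```

Run it against a file pulled from /data/user/0/<package>/shared_prefs/ to get a quick triage list; anything flagged that is stored in plaintext rather than via a keystore-backed mechanism is worth reporting.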

