Android application structure

Hybrid applications
Below is one table per framework, listing the files and folders that matter during a security review, what each one is, and why it matters. Paths are given as they appear in an unpacked APK (for example apktool output) unless a row says it is a project-source path; several project folders (plugins/, app/src/) are compiled into classes.dex and therefore show up under smali*/ once the APK is unpacked.

Apache Cordova / PhoneGap

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/www/` | All HTML, JavaScript and CSS of the hybrid web app, plus `cordova.js`, `cordova_plugins.js` (the list of installed plugins) and the JavaScript half of each plugin under `assets/www/plugins/`. | Hardcoded API keys and tokens, exposed business logic, insecure JS (DOM sinks fed from remote data, eval of downloaded code). |
| `config.xml` | Project-level Cordova configuration: plugins, preferences and the `<access>`, `<allow-navigation>` and `<allow-intent>` rules. This is the file developers edit; the build copies it into the APK as `res/xml/config.xml`. | Overly broad rules such as `<allow-navigation href="*">` let the WebView navigate to arbitrary origins while keeping plugin access; insecure preferences such as `AndroidInsecureFileModeEnabled=true` serve the app from `file://` instead of through WebViewAssetLoader. |
| `plugins/` | Native Java/Kotlin half of each Cordova plugin (project source). In the APK this code is compiled into classes.dex, so look for it under `smali*/`. | Plugins expose camera, filesystem, contacts, etc. to JavaScript through the bridge; any page that ends up inside the WebView can call them. |
| `res/xml/config.xml` | The packaged copy of `config.xml`: whitelist and network-access configuration as actually shipped. When you only have the APK, this is the one to read. | Incorrect whitelisting (a wildcard `<access origin>` or `<allow-navigation>`) lets remote content load inside the app's origin with access to the plugin bridge. |

Ionic (Cordova-Based Ionic)

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/www/build/*.js` | Minified Angular/Ionic compiled logic (newer Angular CLI builds emit hashed `main.*.js` bundles directly under `assets/www/` instead). | Contains the full app logic, API endpoints and any embedded secrets; shipped source maps make it trivial to read. |
| `assets/www/index.html` | Entry point loaded into the Ionic/Cordova WebView. | Check the Content-Security-Policy `<meta>` tag (missing, `unsafe-inline`/`unsafe-eval`, wildcard sources) and any external `<script src>` loads. |
| `config.xml` | Cordova whitelist and plugin configuration, the same file as in plain Cordova (packaged as `res/xml/config.xml`). | Can weaken WebView restrictions: navigation rules, cleartext origins, insecure preferences. |
| `plugins/` | Same plugin folder as standard Cordova. | Native surfaces exposed to JavaScript by plugins. |

Ionic Capacitor

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/public/` | Built HTML/JS front-end of the Capacitor app. | Business logic, API keys, tokens. |
| `capacitor.config.json` (packaged as `assets/capacitor.config.json`) | Defines `server.url`, `server.allowNavigation`, `server.cleartext`, `android.allowMixedContent`, `android.webContentsDebuggingEnabled` and per-plugin settings. | A wildcard in `allowNavigation` lets the WebView navigate to arbitrary domains while keeping plugin access; `server.url` left pointing at a dev server means the app's content is loaded from the network; `cleartext` or `allowMixedContent` set to true switches off the platform's HTTPS defaults. |
| `app/src/*` | Capacitor platform runtime and custom plugins (`@CapacitorPlugin` classes) in project source; in the APK they are under `smali*/`. | Custom plugins or a modified Bridge/WebView configuration can expose native functionality or disable protections. |

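The two configuration files above are the first things to read in a Cordova or Capacitor APK. As an added example (not code from the original page, nor from Cordova or Capacitor), the script below audits a Cordova `res/xml/config.xml` and a `capacitor.config.json` for rules that widen what the WebView may load. Both input files are constructed samples; the "matches any origin" regular expression and the severity labels are my own choices, while the element names, preference name and JSON keys are the frameworks' real ones.

```python
"""Audit the WebView navigation/whitelist settings of a Cordova res/xml/config.xml
and a Capacitor capacitor.config.json. Added example over constructed samples;
the wildcard rule and severity labels are my own choices, not the frameworks'."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed Cordova config.xml (not from a real app). The namespace is Cordova's real one.
CORDOVA_CONFIG_XML = """<widget id="com.example.hybrid" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0">
  <access origin="*" />
  <allow-navigation href="*" />
  <allow-intent href="http://*/*" />
  <preference name="AndroidInsecureFileModeEnabled" value="true" />
  <preference name="AllowInlineMediaPlayback" value="true" />
</widget>
"""

# Constructed capacitor.config.json using the keys named in the table above.
CAPACITOR_CONFIG_JSON = """{
  "appId": "com.example.hybrid",
  "server": {
    "allowNavigation": ["*.example.com", "*"],
    "cleartext": true
  },
  "android": {
    "allowMixedContent": true,
    "webContentsDebuggingEnabled": true
  }
}
"""

WIDGET_NS = "{http://www.w3.org/ns/widgets}"
# Patterns that admit every origin: "*", "http://*", "https://*/*", "*://*".
# A subdomain wildcard such as "*.example.com" or "https://*.example.com" does not match.
ANY_ORIGIN = re.compile(r"^(\*|(https?|\*)://\*(/\*?)?)$")


def audit_cordova(xml_text):
    """Return (severity, finding) pairs for a Cordova config.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag, attr in (("access", "origin"), ("allow-navigation", "href")):
        for el in root.iter(WIDGET_NS + tag):
            pattern = el.get(attr, "")
            if ANY_ORIGIN.match(pattern):
                findings.append(("high", f'<{tag} {attr}="{pattern}"> admits any origin'))
            elif pattern.lower().startswith("http://"):
                findings.append(("medium", f'<{tag} {attr}="{pattern}"> permits cleartext HTTP'))
    for el in root.iter(WIDGET_NS + "allow-intent"):
        pattern = el.get("href", "")
        if ANY_ORIGIN.match(pattern):
            # Cordova's default template ships this; it matters when the URL comes from untrusted content.
            findings.append(("low", f'<allow-intent href="{pattern}"> hands any URL to external apps'))
    for el in root.iter(WIDGET_NS + "preference"):
        if el.get("name") == "AndroidInsecureFileModeEnabled" and el.get("value", "").lower() == "true":
            findings.append(("high", "AndroidInsecureFileModeEnabled=true: app served from file:// "
                                     "instead of WebViewAssetLoader"))
    return findings


def audit_capacitor(json_text):
    """Return (severity, finding) pairs for a capacitor.config.json."""
    findings = []
    cfg = json.loads(json_text)
    server = cfg.get("server", {})
    android = cfg.get("android", {})
    for pattern in server.get("allowNavigation", []):
        if ANY_ORIGIN.match(pattern):
            findings.append(("high", f'server.allowNavigation "{pattern}" lets the WebView navigate anywhere'))
    if "url" in server:
        findings.append(("medium", f'server.url={server["url"]}: app content is loaded from the network'))
    if server.get("cleartext") is True:
        findings.append(("high", "server.cleartext=true: cleartext HTTP allowed in the WebView"))
    if android.get("allowMixedContent") is True:
        findings.append(("high", "android.allowMixedContent=true: HTTPS pages may load HTTP subresources"))
    if android.get("webContentsDebuggingEnabled") is True:
        findings.append(("medium", "android.webContentsDebuggingEnabled=true: WebView debuggable over adb"))
    return findings


if __name__ == "__main__":
    for name, findings in (("config.xml", audit_cordova(CORDOVA_CONFIG_XML)),
                           ("capacitor.config.json", audit_capacitor(CAPACITOR_CONFIG_JSON))):
        print(name)
        for severity, finding in findings:
            print(f"  [{severity}] {finding}")
```

Point `audit_cordova` at the text of `res/xml/config.xml` from an unpacked APK and `audit_capacitor` at `assets/capacitor.config.json`; a subdomain wildcard like `*.example.com` is deliberately left alone, since the interesting finding is a rule that admits every origin.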
React Native

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/index.android.bundle` | Entire JavaScript application bundled into one file: minified JS, or Hermes bytecode when the Hermes engine is enabled. | API endpoints, tokens, feature flags and business logic are all in here. |
| `lib/arm*/libreactnativejni.so` | Native RN bridge implementing the JavaScript to Android bindings; a `libhermes.so` next to it indicates the Hermes engine is in use. | Native modules reachable from JS may wrap sensitive functionality. |
| `smali*/` | Decompiled Java/Kotlin: native modules, networking (OkHttp), TLS configuration, debug flags, WebView use (if any). | Certificate pinning, TLS configs and debug logging are usually found here rather than in the JS bundle. |

If the bundle is Hermes bytecode rather than plain JavaScript (it starts with the Hermes magic number instead of readable JS, and `libhermes.so` is present), decompile it with hermes-dec before reviewing it. Running `strings` over the raw bytecode still recovers URL and key literals from its string table, but not the logic around them.

Flutter

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `lib/arm*/libapp.so` | AOT-compiled Dart code (release builds); contains the entire business logic. `libflutter.so` beside it is the engine, including the BoringSSL TLS stack Dart uses. | Hardcoded secrets survive as strings in the snapshot; reverse engineering is harder than for a JS bundle but possible. |
| `assets/flutter_assets/` | Static assets, JSON configs, translations, asset manifest. | May expose API routes and configuration settings. |
| `smali*/` | Host Activity and the Android side of Flutter plugins. Dart's own HTTP/TLS handling lives in `libflutter.so`/`libapp.so`, not here, and it does not use the Android proxy settings by default. | WebView misuse, mixed content and network-security bypasses in plugin code; do not expect to find the app's pinning logic in smali. |
| Custom WebViews | Present only if the app uses webview_flutter or a similar plugin (hybrid mode). | Insecure WebView configuration (JavaScript enabled for remote content, file access, mixed content). |

Xamarin / MAUI (C# Hybrid Apps)

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assemblies/*.dll` | Entire application logic compiled as .NET assemblies. Newer builds ship them LZ4-compressed (the file starts with `XALZ`) or packed into `assemblies/assemblies*.blob` with an `assemblies.manifest`; unpack them first. | The DLLs decompile to near-source C# with ILSpy or dnSpy, so secrets and logic are fully exposed. |
| `assets/` | WebView assets for hybrid interfaces. | Web content may contain vulnerable JS. |
| `lib/arm*/libmonosgen*.so` | Xamarin/Mono runtime (`libmonosgen-2.0.so`). | Not usually sensitive; identifies the runtime and its version. |
| `smali*/` | Small amount of auto-generated Java glue (`mono.android.*` and the `crc64...` callable-wrapper classes). | TLS bypass normally lives in the C# code (`ServerCertificateCustomValidationCallback`, `ServicePointManager.ServerCertificateValidationCallback`) rather than here; check the assemblies first, then smali for custom trust managers in Java-side libraries. |

NativeScript

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/app/*` | JavaScript (or compiled TypeScript) business logic of the NativeScript app. | Critical logic, API keys and endpoints are stored here in readable form. |
| Native Android plugins | Implemented in Java/Kotlin. NativeScript's runtime also lets JavaScript call Android APIs directly, so the native surface is not limited to declared plugins. | Camera, filesystem, network and sensors are reachable from JS. |
| `smali*/` | NativeScript bootstrap (`com.tns.*`) and plugin implementations. | TLS/networking and permission handling. |

Crosswalk / Intel XDK (Deprecated Cordova Variants)

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| `assets/www/` | The Cordova web application. | Same risks as standard Cordova; inspect the JS. |
| `assets/xwalk_core/` | Crosswalk runtime resources and configuration. | Outdated WebView engine bundled with the app; it cannot be updated through the system WebView. |
| `lib/arm*/libxwalkcore.so` | Embedded Crosswalk rendering engine, a frozen Chromium build. | The project was discontinued in 2017, so the engine lacks years of Chromium security fixes and carries an old TLS stack; any web content the app loads can reach those bugs. |

PWA / TWA Hybrid Wrapper

| File / folder | What it is | Why it matters in a review |
| --- | --- | --- |
| Digital Asset Links statement (`res/raw/asset_statements.json`, or more commonly an `asset_statements` string resource referenced from a manifest `<meta-data>` entry) | Names the web origin the Trusted Web Activity claims; that origin must publish `/.well-known/assetlinks.json` listing the app's package name and signing-certificate SHA-256. | If verification fails, Chrome shows its own browser UI instead of presenting the app as the site; an `assetlinks.json` that lists a shared or debug signing key lets any app signed with that key pass as the site. |
| `manifest.json` | PWA web app manifest (served by the site; only present in the APK if cached or bundled). | `scope` and `start_url` decide which URLs are treated as part of the app. |
| `assets/` | Sometimes includes cached PWA files. | Rarely sensitive, but may contain service worker code worth reading. |

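To turn the tables above into a first-pass triage, here is an added example (not from the original page or from any of the frameworks) that fingerprints an unpacked APK directory by the path markers listed, checks whether a React Native bundle is Hermes bytecode, and checks whether Xamarin assemblies are LZ4-compressed and need unpacking. It builds its own constructed sample tree, which deliberately mixes React Native and Xamarin markers so both checks fire; the Hermes magic value comes from the Hermes bytecode file header, `XALZ` is the compressed-assembly header, and the bytecode version 96 in the sample is a made-up value.

```python
"""Fingerprint an unpacked APK directory (e.g. apktool output) for the hybrid
frameworks in the tables above and flag artifacts that need unpacking first.
Added example with a constructed sample tree; not taken from any real app."""
import struct
import tempfile
from pathlib import Path

# First 8 bytes of a Hermes bytecode file: uint64 little-endian magic; the uint32
# at offset 8 is the bytecode version.
HERMES_MAGIC = 0x1F1903C6
# Header of an LZ4-compressed Xamarin.Android assembly.
XALZ_MAGIC = b"XALZ"

# (framework, glob relative to the APK root). Paths come from the tables above.
MARKERS = [
    ("Cordova/Ionic", "assets/www/cordova.js"),
    ("Cordova/Ionic", "res/xml/config.xml"),
    ("Capacitor", "assets/capacitor.config.json"),
    ("Capacitor", "assets/public/index.html"),
    ("React Native", "assets/index.android.bundle"),
    ("React Native", "lib/*/libreactnativejni.so"),
    ("Flutter", "lib/*/libapp.so"),
    ("Flutter", "assets/flutter_assets"),
    ("Xamarin/MAUI", "assemblies/*.dll"),
    ("Xamarin/MAUI", "assemblies/assemblies*.blob"),
    ("Xamarin/MAUI", "lib/*/libmonosgen-2.0.so"),
    ("NativeScript", "assets/app/package.json"),
    ("Crosswalk", "lib/*/libxwalkcore.so"),
]


def detect_frameworks(root):
    """Map each framework to the marker paths found under root."""
    root = Path(root)
    found = {}
    for framework, pattern in MARKERS:
        for path in root.glob(pattern):
            found.setdefault(framework, []).append(path.relative_to(root).as_posix())
    return found


def hermes_info(bundle_path):
    """(is_hermes, bytecode_version) for an index.android.bundle."""
    with open(bundle_path, "rb") as f:
        header = f.read(12)
    if len(header) == 12 and struct.unpack("<Q", header[:8])[0] == HERMES_MAGIC:
        return True, struct.unpack("<I", header[8:12])[0]
    return False, None


def assembly_state(dll_path):
    """How a Xamarin .dll is stored: 'pe' (plain), 'xalz' (LZ4-compressed) or 'unknown'."""
    with open(dll_path, "rb") as f:
        head = f.read(4)
    if head == XALZ_MAGIC:
        return "xalz"
    if head[:2] == b"MZ":
        return "pe"
    return "unknown"


def triage(root):
    """Detection plus the follow-up notes an analyst wants before opening files."""
    root = Path(root)
    report = {"frameworks": detect_frameworks(root), "notes": []}
    bundle = root / "assets" / "index.android.bundle"
    if bundle.is_file():
        is_hermes, version = hermes_info(bundle)
        if is_hermes:
            report["notes"].append(f"RN bundle is Hermes bytecode v{version}: decompile with hermes-dec "
                                   "(strings still recovers literals, not logic)")
        else:
            report["notes"].append("RN bundle is plain JavaScript: beautify and read directly")
    for dll in sorted(root.glob("assemblies/*.dll")):
        if assembly_state(dll) == "xalz":
            report["notes"].append(f"{dll.name} is LZ4-compressed (XALZ): decompress before ILSpy/dnSpy")
    for cfg in ("assets/capacitor.config.json", "res/xml/config.xml"):
        if (root / cfg).is_file():
            report["notes"].append(f"review navigation/whitelist rules in {cfg}")
    return report


def build_sample_tree(base):
    """Constructed fake APK layout mixing a Hermes RN bundle with an XALZ-compressed
    Xamarin DLL so that both checks fire; a real app uses one framework."""
    base = Path(base)
    (base / "assets").mkdir(parents=True, exist_ok=True)
    # Hermes header: magic, then version 96 (made-up), padded to a plausible size.
    (base / "assets" / "index.android.bundle").write_bytes(
        struct.pack("<QI", HERMES_MAGIC, 96) + b"\0" * 116)
    (base / "lib" / "arm64-v8a").mkdir(parents=True, exist_ok=True)
    (base / "lib" / "arm64-v8a" / "libreactnativejni.so").write_bytes(b"\x7fELF")
    (base / "assemblies").mkdir(exist_ok=True)
    (base / "assemblies" / "App.dll").write_bytes(b"XALZ" + b"\0" * 8)
    (base / "assemblies" / "Mono.Android.dll").write_bytes(b"MZ" + b"\0" * 62)
    return base


def run_demo():
    """Build the sample tree in a temporary directory, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real target, call `triage("path/to/apktool-output")`; the marker list is intentionally small and is evidence rather than proof, so treat a single hit (for example a lone `res/xml/config.xml`) as a prompt to look, not as a verdict.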