Android application structure

Android layers

Native applications
| File / Dir | Purpose | Format | Notes |
|---|---|---|---|
| AndroidManifest.xml | App declaration | Binary XML | Entry points, permissions |
| classes.dex | App bytecode | DEX | Java/Kotlin compiled |
| classesN.dex | Additional bytecode | DEX | Multidex |
| lib/ | Native libraries | ELF .so | ABI-specific |
| res/ | UI resources | XML / binary | Compiled at build |
| assets/ | Raw files | Arbitrary | No compilation |
| resources.arsc | Resource table | Binary | ID mapping |
| META-INF/ | Signatures | PKCS7 | App verification |
Core Android application components
| Component | Purpose | Has UI | Lifecycle Managed | Typical Use |
|---|---|---|---|---|
| Activity | Screen / UI | Yes | Yes | User interaction |
| Service | Background work | No | Yes | Sync, playback |
| BroadcastReceiver | Event listener | No | Short-lived | System events |
| ContentProvider | Data sharing | No | Yes | DB access |
Android Runtime
| Feature | Description | Impact |
|---|---|---|
| DEX Execution | Runs bytecode | Fast startup |
| AOT Compilation | Precompiled code | Performance |
| JIT Compilation | Runtime optimization | Hot paths |
| Garbage Collection | Memory management | Prevent leaks |
| Sandbox | Per-UID isolation | Security |
Hybrid applications
Apache Cordova / PhoneGap
| File / Dir | Purpose | Notes |
|---|---|---|
| assets/www/ | Contains all HTML, JavaScript, CSS of the hybrid web app. | Hardcoded API keys, business logic exposure, insecure JS. |
| config.xml | Main Cordova configuration (plugins, navigation, whitelist). | Overly broad allow-navigation, insecure preferences. |
| plugins/ | Native Android code for Cordova plugins. | Plugins may expose camera, filesystem, contacts, etc. |
| res/xml/config.xml | Cordova whitelist / network access config. | Incorrect whitelisting may allow loading remote code. |
Ionic (Cordova-Based Ionic)
| File / Dir | Purpose | Notes |
|---|---|---|
| assets/www/build/*.js | Minified Angular/Ionic compiled logic. | Contains full app logic, endpoints, secrets. |
| assets/www/index.html | Entry point for Ionic/Cordova WebView. | May include CSP, external script loads. |
| config.xml | Cordova whitelist + plugin config. | Can weaken WebView restrictions. |
| plugins/ | Same plugin folder as standard Cordova. | Native surfaces exposed by plugins. |
Ionic Capacitor
| File / Dir | Purpose | Notes |
|---|---|---|
| assets/public/ | HTML/JS front-end of the Capacitor app. | Contains business logic, API keys, tokens. |
| capacitor.config.json | Defines allowed URLs, server configuration, navigation rules. | Misconfigured allowNavigation can load arbitrary domains. |
| app/src/* | Capacitor plugins and platform runtime. | Custom plugins or modified WebViews can introduce issues. |
React Native
| File / Dir | Purpose | Notes |
|---|---|---|
| index.android.bundle | Entire JS application logic bundled into one file. | API endpoints, tokens, feature flags, business logic exposed. |
| lib/arm*/libreactnativejni.so | Native RN bridge implementing JavaScript→Android bindings. | Native modules may include sensitive features. |
| smali*/ | Decompiled Java/Kotlin: networking, TLS, debug flags, WebView use (if any). | Certificate pinning, TLS configs, debug logs often found here. |
Use hermes-dec to decompile the bundle:
Flutter
| File / Dir | Purpose | Notes |
|---|---|---|
| lib/arm*/libapp.so | Compiled AOT Dart code. Contains the entire business logic. | Secrets hardcoded here, reverse engineering possible. |
| assets/flutter_assets/ | Static assets, JSON configs, translations. | May expose API routes, config settings. |
| smali*/ | Native host app code and WebView/TLS logic. | WebView misuse, mixed content, network security bypass. |
| Custom WebViews | If Flutter uses hybrid mode. | Insecure WebView configuration risks. |
Xamarin / MAUI (C# Hybrid Apps)
| File / Dir | Purpose | Notes |
|---|---|---|
| assemblies/*.dll | Entire application logic compiled as .NET assemblies. | DLLs easily decompiled → secrets, logic exposed. |
| assets/ | WebView assets for hybrid interfaces. | Web content may contain vulnerable JS. |
| lib/arm*/libmonosgen*.so | Xamarin/Mono runtime. | Not usually sensitive but indicates runtime behavior. |
| smali*/ | Small amount of auto-generated Android glue code. | Look for TLS bypass, custom trust managers. |

| File / Dir | Purpose |
|---|---|
| lib/arm*/libassemblies.<arch>.blob.so | The key ELF file containing all .NET libraries for the arm64-v8a architecture. |
| lib/arm*/libmonosgen-2.0.so | The Mono engine, responsible for running .NET code on Android. |
| lib/arm*/libaot-*.so | Files related to Ahead-of-Time (AOT) compilation, i.e., precompiled native code for improved performance. |
Use pymauistore to extract and decompress .NET DLL assemblies embedded within .so ELF files (libassemblies.<arch>.blob.so) generated by .NET MAUI 9 for Android applications.
NativeScript
| File / Dir | Purpose | Notes |
|---|---|---|
| assets/app/* | JavaScript business logic for NativeScript. | Critical logic, API keys, endpoints stored here. |
| Native Android plugins | Implemented via Java/Kotlin. | Camera, filesystem, network, sensors exposed natively. |
| smali*/ | NativeScript bootstrap and plugin implementations. | TLS/networking, permission handling. |
Crosswalk / Intel XDK (Deprecated Cordova Variants)
| File / Dir | Purpose | Notes |
|---|---|---|
| assets/www/ | The Cordova web application. | Same risks as standard Cordova: inspect JS. |
| assets/xwalk_core/ | Crosswalk runtime and config. | Outdated WebView engine (security risk). |
| lib/arm*/libxwalkcore.so | Embedded Crosswalk WebView engine. | Missing modern security features (CSP, modern TLS). |
PWA / TWA Hybrid Wrapper
| File / Dir | Purpose | Notes |
|---|---|---|
| res/raw/asset_statements.json | Digital asset links for domain verification. | Incorrect config breaks origin validation. |
| manifest.json | PWA metadata (icons, scope, etc.). | Scope restrictions control what URLs the app can open. |
| assets/ | Sometimes includes cached PWA files. | Rarely sensitive but sometimes contains service worker code. |
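
The marker paths listed for each hybrid framework above can be turned into a quick fingerprint of an APK, so a reviewer knows which files to open first. This Python example is added here and is not part of the original page; the function names, the "Cordova family" grouping, the leading wildcards on capacitor.config.json and index.android.bundle, and the Hermes magic bytes are assumptions of the example rather than values from the page.

```python
import fnmatch
import io
import zipfile

# Marker paths from the tables above (smali*/ only exists after apktool decoding).
MARKERS = {
    "Cordova family": ["assets/www/*", "res/xml/config.xml"],
    "Ionic Capacitor": ["assets/public/*", "*capacitor.config.json"],
    "React Native": ["*index.android.bundle", "lib/arm*/libreactnativejni.so"],
    "Flutter": ["lib/arm*/libapp.so", "assets/flutter_assets/*"],
    "Xamarin / MAUI": ["assemblies/*.dll", "lib/arm*/libmonosgen*.so",
                       "lib/arm*/libassemblies.*.blob.so"],
    "NativeScript": ["assets/app/*"],
    "Crosswalk": ["assets/xwalk_core/*", "lib/arm*/libxwalkcore.so"],
    "PWA / TWA": ["res/raw/asset_statements.json"],
}
# Assumption: first 8 bytes of Hermes bytecode (uint64 0x1F1903C103BC1FC6, LE).
HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")
SAMPLE = {  # constructed entries, not a real app
    "classes.dex": b"dex\n035\x00",
    "assets/index.android.bundle": HERMES_MAGIC + b"\x00" * 8,
    "lib/arm64-v8a/libreactnativejni.so": b"\x7fELF",
}


def build_apk(entries=SAMPLE):
    """Build an in-memory APK (an APK is a ZIP archive) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf


def fingerprint_apk(apk):
    """Return {framework: sorted matching entries} for an APK path or file object."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for framework, patterns in MARKERS.items():
            matched = [n for n in sorted(zf.namelist())
                       if any(fnmatch.fnmatchcase(n, p) for p in patterns)]
            if matched:
                hits[framework] = matched
        # Hermes bytecode needs hermes-dec; a plain-JS bundle can be read as-is.
        for n in hits.get("React Native", []):
            if n.endswith("index.android.bundle"):
                is_hermes = zf.read(n)[:8] == HERMES_MAGIC
                hits["React Native bundle format"] = ["hermes" if is_hermes else "plain-js"]
    return hits
```

`fingerprint_apk` also accepts a filesystem path to an APK, and `fingerprint_apk(build_apk())` runs it on the constructed sample. Entries under smali*/ need an apktool-decoded tree and are out of scope for this check.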