# Android application structure

![](https://3928478158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhjMjdRXwO33Lfo7uCpl6%2Fuploads%2Fgit-blob-8c5d6ef24ae54759175052b237351dccf0432770%2Fmapt.png?alt=media)

## Android layers

![](https://3928478158-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhjMjdRXwO33Lfo7uCpl6%2Fuploads%2Fgit-blob-6efc0e5b45af4fd3290b78b6cf1bb266527b599a%2Fandroid-app-layers.png?alt=media)

## Native applications

```bash
app.apk
├── AndroidManifest.xml
├── classes.dex
├── classes2.dex (if multidex)
├── lib/
│   ├── arm64-v8a/*.so
│   ├── armeabi-v7a/*.so
│   └── x86_64/*.so
├── res/
├── assets/
├── resources.arsc
└── META-INF/
```

| **File / Dir**        | **Purpose**         | **Format**   | **Notes**                 |
| --------------------- | ------------------- | ------------ | ------------------------- |
| `AndroidManifest.xml` | App declaration     | Binary XML   | Package name, components and their `android:exported` state, permissions, `android:debuggable`, `networkSecurityConfig`; decode with apktool or `aapt2 dump xmltree --file AndroidManifest.xml app.apk` |
| `classes.dex`         | App bytecode        | DEX          | Java/Kotlin compiled      |
| `classesN.dex`        | Additional bytecode | DEX          | Multidex (64K method reference limit per DEX) |
| `lib/<abi>/`          | Native libraries    | ELF `.so`    | One subdirectory per ABI; memory-unsafe code lives here, outside the managed runtime |
| `res/`                | UI resources        | XML / binary | Compiled at build; `res/xml/` also holds the network security config and framework configs |
| `assets/`             | Raw files           | Arbitrary    | Packaged as-is; where hybrid frameworks keep their HTML/JS bundles |
| `resources.arsc`      | Resource table      | Binary       | Maps resource IDs to values and file paths |
| `META-INF/`           | v1 (JAR) signature  | `MANIFEST.MF`, `CERT.SF`, `CERT.{RSA,DSA,EC}` (PKCS#7) | v2/v3 signatures are not here: they live in the APK Signing Block between the zip entries and the central directory; check with `apksigner verify --print-certs app.apk` |

### Core Android application components

| **Component**     | **Purpose**     | **Has UI** | **Lifecycle Managed** | **Typical Use**  |
| ----------------- | --------------- | ---------- | --------------------- | ---------------- |
| Activity          | Screen / UI     | Yes        | Yes                   | User interaction |
| Service           | Background work | No         | Yes                   | Sync, playback   |
| BroadcastReceiver | Event listener  | No         | Short-lived           | System events    |
| ContentProvider   | Data sharing    | No         | Yes                   | DB / file access via `content://` URIs |

Every component is declared in `AndroidManifest.xml`. A component with `android:exported="true"` (before API 31, also any component that declares an `<intent-filter>` without an explicit `exported` value) can be started, bound or queried by other apps, so exported components and the intent extras or URIs they accept are the main inter-process attack surface to enumerate first.

### Android Runtime

| **Feature**        | **Description**      | **Impact**    |
| ------------------ | -------------------- | ------------- |
| DEX execution      | ART loads `classes*.dex` and interprets bytecode that has not been compiled yet | Fast startup; DEX decompiles cleanly (jadx, smali) |
| AOT compilation    | `dex2oat` precompiles methods to native `.oat`/`.odex` at install or idle time, profile-guided since Android 7 | Performance; the original DEX is kept and is what you reverse |
| JIT compilation    | Hot paths compiled at runtime, with profiles recorded for later AOT | Hot paths |
| Garbage collection | Automatic memory management for managed code | No manual frees, so memory-corruption bugs are confined to `lib/*.so` and JNI glue; leaks through retained references are still possible |
| Sandbox            | Each app runs as its own Linux UID in a private data directory, confined by SELinux | Other apps cannot read `/data/data/<pkg>` without root; cross-app access must go through exported components |

## Hybrid applications

### Apache Cordova / PhoneGap

| File / Folder        | Description                                                  | Security Relevance                                        |
| -------------------- | ------------------------------------------------------------ | --------------------------------------------------------- |
| `assets/www/`        | All HTML, JavaScript and CSS of the web app, plus `cordova.js`, `cordova_plugins.js` and `plugins/<id>/www/*.js` (the JS side of each plugin). | Hardcoded API keys, business logic exposure, insecure JS; `cordova_plugins.js` lists every installed plugin. |
| `res/xml/config.xml` | The project's `config.xml` as packaged in the APK: `<access origin>`, `<allow-navigation>`, `<allow-intent>`, `<preference>` values and the `<feature>` entries mapping plugin names to native classes. | `<allow-navigation href="*">` or a broad `<access origin>` lets the WebView navigate to attacker-controlled pages that then reach the native bridge; insecure preferences (e.g. `AndroidInsecureFileModeEnabled`). |
| Plugin native code   | Java side of each plugin (`org.apache.cordova.*` and third-party packages), compiled into `classes*.dex`; visible under `smali*/` after apktool decoding. The source tree's `plugins/` directory itself is not shipped in the APK. | Plugins expose camera, filesystem, contacts, etc. to any JS running in the WebView. |

### Ionic (Cordova-Based Ionic)

| File / Folder           | Description                             | Security Relevance                           |
| ----------------------- | --------------------------------------- | -------------------------------------------- |
| `assets/www/build/*.js` | Minified Angular/Ionic compiled logic (newer builds emit `main.*.js` and `polyfills.*.js` directly under `assets/www/`). | Contains full app logic, endpoints, secrets; shipped `*.js.map` source maps restore readable source. |
| `assets/www/index.html` | Entry point for the Ionic/Cordova WebView. | Check for a `Content-Security-Policy` meta tag and external script loads. |
| `res/xml/config.xml`    | Cordova allow list + plugin config (packaged copy of the project's `config.xml`). | Can weaken WebView restrictions. |
| `assets/www/plugins/`   | JS side of the Cordova plugins; the native side is in `classes*.dex` as for standard Cordova. | Native surfaces exposed by plugins.          |

### Ionic Capacitor

| File / Folder           | Description                                                   | Security Relevance                                        |
| ----------------------- | ------------------------------------------------------------- | --------------------------------------------------------- |
| `assets/public/`        | HTML/JS front-end of the Capacitor app.                       | Contains business logic, API keys, tokens; `*.js.map` files if shipped. |
| `assets/capacitor.config.json` | Packaged copy of the project's `capacitor.config.(json\|ts)`: `server.url`, `server.allowNavigation`, `server.cleartext`, `android.allowMixedContent`, `android.webContentsDebuggingEnabled`, plugin settings. | `server.url` loads the whole app from a remote host; a broad `allowNavigation` lets arbitrary domains reach the Capacitor bridge; `cleartext` / `allowMixedContent` drop HTTPS guarantees; `webContentsDebuggingEnabled` in a release build allows remote WebView debugging. |
| Plugin / runtime code   | `com.getcapacitor.*` runtime and plugin classes compiled into `classes*.dex` (the project's `android/app/src/*` is source, not shipped as such). | Custom plugins or modified WebView setup can introduce issues. |

### React Native

| File / Folder                   | Description                                                                 | Security Relevance                                             |
| ------------------------------- | --------------------------------------------------------------------------- | -------------------------------------------------------------- |
| `assets/index.android.bundle`   | Entire JS application bundled into one file: either plain minified JS or Hermes bytecode (default since RN 0.70; file starts with the magic bytes `c6 1f bc 03 c1 03 19 1f`). | API endpoints, tokens, feature flags, business logic exposed.  |
| `lib/<abi>/libreactnativejni.so`, `lib/<abi>/libhermes.so` | Native RN bridge implementing JavaScript→Android bindings and, if present, the Hermes engine. | `libhermes.so` tells you the bundle is bytecode; native modules may include sensitive features. |
| `smali*/`                       | Decompiled Java/Kotlin host app: networking, TLS, debug flags, WebView use (if any). | Certificate pinning, TLS configs, debug logs often found here. |

If the bundle is plain JS, read it directly (a shipped `index.android.bundle.map` restores readable source). If `file index.android.bundle` or the magic bytes above show Hermes bytecode, use [hermes-dec](https://github.com/P1sec/hermes-dec) to disassemble or decompile it; the decompiler output is approximate, so keep the disassembly for anything the decompiler mangles:

```bash
hbc-disassembler index.android.bundle my_output_file.hasm
hbc-decompiler index.android.bundle my_output_file.js
```

### Flutter

| File / Folder            | Description                                                 | Security Relevance                                      |
| ------------------------ | ----------------------------------------------------------- | ------------------------------------------------------- |
| `lib/<abi>/libapp.so`    | AOT-compiled Dart snapshot (release builds): contains the entire business logic. Debug builds ship `assets/flutter_assets/kernel_blob.bin` instead. | Secrets hardcoded here; reversing needs snapshot-aware tooling (e.g. Blutter, reFlutter) matching the app's Dart version. |
| `lib/<abi>/libflutter.so` | Flutter engine (Dart VM, renderer, BoringSSL).             | Dart's networking does not honor system proxy settings and handles TLS inside the engine rather than the Java stack, so `networkSecurityConfig` and Java-level pinning bypasses do not apply; interception usually needs hooking or an engine patch. |
| `assets/flutter_assets/` | Static assets, JSON configs, translations, font manifest.   | May expose API routes, config settings.                 |
| `smali*/`                | Native host app code (Java/Kotlin), platform channels, and WebView/TLS logic. | WebView misuse, mixed content, network security bypass. |
| Custom WebViews          | `webview_flutter` / InAppWebView when the app embeds web content. | Insecure WebView configuration risks.                   |

### Xamarin / MAUI (C# Hybrid Apps)

| File / Folder                           | Description                                                                                               | Security Relevance                                    |
| --------------------------------------- | --------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- |
| `assemblies/*.dll`                      | Application logic as .NET assemblies (classic Xamarin layout). Frequently LZ4-compressed with an `XALZ` header (4-byte magic, uint32 descriptor index, uint32 uncompressed size, then an LZ4 block) rather than stored as a raw PE file. | DLLs decompile to near-source C#: secrets, logic exposed. |
| `lib/<abi>/libassemblies.<abi>.blob.so` | Newer .NET for Android / MAUI builds embed all assemblies for that ABI inside one ELF file instead of an `assemblies/` directory. | Same exposure as above; needs extraction first.       |
| `lib/<abi>/libmonosgen-2.0.so`          | The Mono runtime that executes .NET code on Android.                                                      | Not sensitive itself, but confirms the framework.    |
| `lib/<abi>/libaot-*.so`                 | Ahead-of-Time compiled native code for individual assemblies, shipped for performance.                   | Logic may additionally exist as native code; the IL assemblies are still shipped alongside. |
| `assets/`                               | WebView assets for hybrid (Blazor Hybrid / WebView-based) interfaces.                                     | Web content may contain vulnerable JS.                |
| `smali*/`                               | Small amount of auto-generated Android glue code (`mono.android.*`, Java callable wrappers).              | Look for TLS bypass, custom trust managers; the real logic is in the assemblies. |

* Use [pymauistore](https://github.com/mwalkowski/pymauistore) to extract and decompress the .NET assemblies embedded within `lib/<abi>/libassemblies.<abi>.blob.so` by .NET MAUI 9 Android builds.
* Inspect the extracted assemblies with one of the following decompilers:
  * [dotPeek](https://www.jetbrains.com/decompiler/)
  * [dnSpy](https://dnspy.org/)
  * [ILSpy](https://github.com/icsharpcode/ILSpy)
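For the classic `assemblies/*.dll` layout, a DLL that starts with `XALZ` instead of `MZ` is LZ4-wrapped and no decompiler will open it as-is. The script below is an added example (not from the page, pymauistore or any Xamarin tool) that unwraps such a blob: it parses the XALZ header described in the table and decodes the LZ4 block with a minimal pure-Python decoder so nothing needs installing. The layout it assumes (magic, descriptor index, uncompressed size, LZ4 block) is the one classic Xamarin.Android used; the sample blob in `sample_xalz_blob()` is hand-constructed for the demo.

```python
"""Unwrap an XALZ (LZ4-wrapped) Xamarin assembly into a plain PE file.

Added example. Assumes the classic Xamarin.Android XALZ layout:
  bytes 0..3   magic b"XALZ"
  bytes 4..7   uint32 descriptor index (little-endian)
  bytes 8..11  uint32 uncompressed size (little-endian)
  bytes 12..   one LZ4 block (not the LZ4 frame format)
"""
import struct
import sys

XALZ_MAGIC = b"XALZ"


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Decode a single LZ4 block (token, literals, offset, match) into bytes."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # Literal length: high nibble, extended by 255-terminated extra bytes.
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        dst += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break  # the final sequence carries literals only, no match
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        # Match length: low nibble + 4 (minimum match), same extension rule.
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        # Copy byte by byte: matches may overlap their own output (offset < length).
        start = len(dst) - offset
        for k in range(match_len):
            dst.append(dst[start + k])
    if len(dst) != expected_size:
        raise ValueError(f"decompressed {len(dst)} bytes, header says {expected_size}")
    return bytes(dst)


def unwrap_xalz(blob: bytes) -> bytes:
    """Return raw PE bytes for an assembly, decompressing only if XALZ-wrapped."""
    if not blob.startswith(XALZ_MAGIC):
        return blob  # already a plain PE image (or something else; caller checks)
    _descriptor_index, size = struct.unpack_from("<II", blob, 4)
    pe = lz4_block_decompress(blob[12:], size)
    if not pe.startswith(b"MZ"):
        raise ValueError("decompressed data is not a PE image")
    return pe


def sample_xalz_blob() -> bytes:
    """Constructed XALZ blob whose payload decodes to a 12-byte 'MZ' stub."""
    # Sequence 1: 4 literals "MZ\x90\x00", then match offset 4, length 4.
    # Sequence 2: 4 trailing literals "MZ\x90\x00" (no match at end of block).
    block = b"\x40MZ\x90\x00\x04\x00" + b"\x40MZ\x90\x00"
    return XALZ_MAGIC + struct.pack("<II", 0, 12) + block


if __name__ == "__main__":
    # Usage: python xalz_unwrap.py <in.dll> <out.dll>; with no args, runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = unwrap_xalz(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(data)
        print(f"wrote {len(data)} bytes to {sys.argv[2]}")
    else:
        print(unwrap_xalz(sample_xalz_blob()))
```

Run it over every file in `assemblies/` and feed the output to dnSpy or ILSpy; a file that already begins with `MZ` passes through untouched, so the loop is safe on mixed builds.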

### NativeScript

| File / Folder          | Description                                        | Security Relevance                                     |
| ---------------------- | -------------------------------------------------- | ------------------------------------------------------ |
| `assets/app/*`         | JavaScript (or compiled TypeScript/Angular/Vue) business logic for NativeScript; `assets/app/package.json` names the entry point. | Critical logic, API keys, endpoints stored here.       |
| `lib/<abi>/libNativeScript.so`, `assets/metadata/` | NativeScript runtime (V8) and the binding metadata that lets JS call Android APIs directly. | JS has direct access to the Android API surface, so JS injection equals native code execution with the app's permissions. |
| Native Android plugins | Implemented in Java/Kotlin, compiled into `classes*.dex`. | Camera, filesystem, network, sensors exposed natively. |
| `smali*/`              | NativeScript bootstrap and plugin implementations. | TLS/networking, permission handling.                   |

### Crosswalk / Intel XDK (Deprecated Cordova Variants)

| File / Folder              | Description                        | Security Relevance                                  |
| -------------------------- | ---------------------------------- | --------------------------------------------------- |
| `assets/www/`              | The Cordova web application.       | Same risks as standard Cordova; inspect the JS.     |
| `assets/xwalk_core/`       | Crosswalk runtime resources and config. | Crosswalk has been unmaintained since 2017, so the bundled engine carries every Chromium bug fixed since then. |
| `lib/<abi>/libxwalkcore.so` | Embedded Chromium-based rendering engine, independent of the system WebView and its updates. | Receives no security updates; any attacker-controlled content loaded into it can target known, unpatched renderer bugs. |

### PWA / TWA Hybrid Wrapper

| File / Folder                   | Description                                  | Security Relevance                                           |
| ------------------------------- | -------------------------------------------- | ------------------------------------------------------------ |
| `asset_statements` `<meta-data>` in `AndroidManifest.xml` (usually a string resource in `res/values/strings.xml`) | Digital Asset Links declaration: the web origins this app claims. The site must list the app's package name and signing-cert SHA-256 in `/.well-known/assetlinks.json`. | If verification fails, the content is shown in a Custom Tab with browser UI instead of full-screen; a stale certificate fingerprint after re-signing is the usual cause. The same `assetlinks.json` backs Android App Links for the origin. |
| `android.support.customtabs.trusted.DEFAULT_URL` `<meta-data>` on the launcher activity | The URL the TWA opens. The PWA's `manifest.json` (icons, scope) is served by the website, not shipped in the APK. | The web origin's scope, CSP and service worker are the real attack surface; the APK itself contains almost no app code. |
| `assets/`                       | Empty for a pure TWA; some wrappers ship a cached copy of PWA files. | Rarely sensitive but sometimes contains service worker code. |
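Because every framework above leaves characteristic paths in the APK, the first triage step is to list the zip and match those markers. The script below is an added example (not from the page or any of the frameworks it describes) that does exactly that for the Cordova, Capacitor, React Native, Flutter, Xamarin/MAUI, NativeScript and Crosswalk layouts covered above, lists the shipped ABIs, and for React Native reads the bundle header to tell Hermes bytecode from plain JS. The marker table, the function names and the in-memory sample APK built by `build_sample_apk()` are assumptions of this example; the Hermes magic and version field layout are taken from the Hermes bytecode header.

```python
"""Fingerprint hybrid frameworks in an APK from its zip entry names.

Added example. Markers below are the APK paths the tables on this page
describe; the sample APK is constructed in memory purely to exercise the code.
"""
import fnmatch
import io
import json
import struct
import zipfile

# Hermes bytecode header: 8-byte magic 0x1F1903C103BC1FC6 (little-endian on disk)
# followed by a uint32 bytecode version.
HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")

# Framework -> zip entry patterns that are strong evidence for it.
# fnmatch's '*' also spans '/', so "lib/*/libapp.so" matches every ABI dir.
FRAMEWORK_MARKERS = {
    "Cordova": ["assets/www/cordova.js"],
    "Ionic Capacitor": ["assets/capacitor.config.json"],
    "React Native": ["assets/index.android.bundle", "lib/*/libreactnativejni.so"],
    "Flutter": ["lib/*/libflutter.so", "lib/*/libapp.so", "assets/flutter_assets/*"],
    "Xamarin / MAUI": ["assemblies/*.dll", "lib/*/libassemblies.*.blob.so",
                       "lib/*/libmonosgen-2.0.so"],
    "NativeScript": ["lib/*/libNativeScript.so", "assets/app/package.json"],
    "Crosswalk": ["lib/*/libxwalkcore.so", "assets/xwalk_core/*"],
}


def classify_rn_bundle(head: bytes) -> dict:
    """Tell a Hermes bytecode bundle from a plain-JS one by its first 12 bytes."""
    if head.startswith(HERMES_MAGIC) and len(head) >= 12:
        (version,) = struct.unpack_from("<I", head, 8)
        return {"kind": "hermes", "hermes_version": version}
    return {"kind": "plain-js", "hermes_version": None}


def fingerprint_apk(apk_bytes: bytes) -> dict:
    """Return detected frameworks (with evidence), ABIs and RN bundle type."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        frameworks = []
        for framework, patterns in FRAMEWORK_MARKERS.items():
            hits = sorted(n for n in names
                          if any(fnmatch.fnmatchcase(n, p) for p in patterns))
            if hits:
                frameworks.append({"framework": framework, "evidence": hits})
        # ABI directories under lib/ tell you which native libraries to reverse.
        abis = sorted({n.split("/")[1] for n in names
                       if n.startswith("lib/") and n.count("/") == 2})
        rn_bundle = None
        if "assets/index.android.bundle" in names:
            with zf.open("assets/index.android.bundle") as f:
                rn_bundle = classify_rn_bundle(f.read(12))
    return {"frameworks": frameworks, "abis": abis, "rn_bundle": rn_bundle}


def build_apk(entries: dict) -> bytes:
    """Build an in-memory zip from {path: bytes}; a test fixture, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed React Native + Hermes skeleton; file contents are placeholders."""
    return build_apk({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",          # binary XML header stub
        "classes.dex": b"dex\n035\x00",
        "assets/index.android.bundle": HERMES_MAGIC + struct.pack("<I", 96) + b"\x00" * 20,
        "lib/arm64-v8a/libreactnativejni.so": b"\x7fELF",
        "lib/arm64-v8a/libhermes.so": b"\x7fELF",
        "lib/armeabi-v7a/libreactnativejni.so": b"\x7fELF",
    })


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(json.dumps(fingerprint_apk(data), indent=2))
```

Run it as `python fingerprint_apk.py app.apk`; with no argument it analyses the constructed sample. A real APK can legitimately match several rows (Capacitor apps that also ship Cordova plugins, a Flutter app with a Xamarin-free native host), so treat the output as a list of evidence to follow up in the relevant table above rather than a single verdict.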
