LAB - Understanding the iOS Platform

Inadequate Privacy Controls

In this lab environment, you will get access to a Debian machine, which has all the required tools installed on it for this lab, along with an Android emulator. To start the Android emulator, run the "startemulator.sh" script present at "/root/Desktop."

Objective: To analyze and differentiate between necessary and excessive permissions in a menu app to assess potential privacy risks.

The following Android application can be useful:

• foodies.apk: A demo menu (restaurant) app (Pre-installed on the emulator).

Tools

• adb: Android Debug Bridge is a versatile command-line tool that allows developers and users to interact with Android devices and emulators. It's part of the Android SDK Platform-Tools package and provides a range of functionalities for debugging, testing, and managing Android devices.

• Jadx: Jadx is a popular open-source tool used for decompiling and analyzing Android application packages (APKs). It allows developers and security researchers to reverse-engineer APK files to understand their inner workings, extract resources such as source code, images, and other assets, and analyze the app's behavior.

---

Basic Analize

First we need start the Android Emulator

cd /root/Desktop
./startemulator.sh

Now we need search into the mobile phone the app to audit with name: Foodies

Now, we open this app and analize the functionality, observe this app solicite us the cam, gps, audio, calendar, phone calls and SMS pemissions

After we've granted permissions, we can see that it's a demo menu app in which the user can select products to order. Select few items and click on "ORDER NOW" button.-->

Extract adb Packects - APK

1. Search the install package of the app "Foddies" into the emulate

adb shell pm list packages -f "foodies"

adb shell : open a shell into the android emulator

pm list packages -f : list all packages install

"foddies" : filter by name

Now, extract the APK file into emulator into us PC -->

adb pull /data/app/~~8OwxUFHEPiFvMY755MLmeg==/com.example.foodies-zzYZRENkYLpy0ZuZMnPfPA==/base.apk ./

Examine APK with Jadx-gui

Now we can use jadx-gui to examine te content about this APK

jadx-gui base.apk

Now navigate to the "Resources" > "AndroidManifest.xml" file

Here we can see the list of permissions that the app is requesting. Let's examine these permissions and classify them as "essential", "optional" and "irrelevant" permissions.

The table below outlines the various permissions requested by the menu app, along with their justifications and relevance. By analyzing each permission, we can determine whether it is genuinely required for the app’s functionality or if it represents an unnecessary or excessive access request. This classification helps in identifying which permissions are essential and optional and which are irrelevant or privacy-invasive in the context of a food-related application.

Summary Table:

Permission	Justification	Notes
ACCESS_COARSE_LOCATION	Yes	Location-based services.
ACCESS_FINE_LOCATION	Yes	More accurate location-based services.
READ_CONTACTS	Maybe	If inviting/sharing with contacts. Should be optional.
RECORD_AUDIO	Maybe	For voice interaction. Should be optional.
CALL_PHONE	No	Risky unless explicitly calling restaurants.
CAMERA	Maybe	If used for QR scanning/photos. Should be justified in app UX.
SEND_SMS / READ_SMS	No	High-risk. OTPs better handled by SMS Retriever API or Firebase Auth.
BLUETOOTH	No	Irrelevant unless there's a unique feature involving beacons/devices.
READ_CALENDAR	No	Highly suspicious; no food app needs calendar access.

Now, let's continue our analysis by navigating to "Source code" > "com" > "example.foodies" > "MainActivity"

Here, we observe that the app defines an array named requiredPermissions, which includes several irrelevant Android permissions

These permissions at runtime using the ActivityCompat.requestPermissions() method within the checkPermissions() function.

Conclusion

In this case, a food menu app, and distinguish between those that are essential for core functionality and those that pose unnecessary privacy risks. This exercise reinforced the importance of applying the principle of least privilege in mobile app development, where apps should only request permissions that are absolutely necessary and always provide users with transparency and control over their data.