We’re running a funding campaign for App Manager for a limited period. learn more...
App Manager
Руководство пользователя
v3.0.0-alpha02
21 апреля 2022
Copyright © 2020–2022 Muntashir Al-Islam
“Мудро и медленно; они спотыкаются, что бегают быстро.” — Брат Лоуренс, Ромео и Джульетта
App Manager это продвинутый менеджер приложений для Android. Оно
предоставляет несчётное количество возможностей, следовательно, требует
руководство потльзователя чтобы помочь пользователям. Этот документ
действует как ркуоводство пользователя для App Manager в том смысле, что
оно направлено на описание каждой возможности которую App Manager
предоставляет. Этот документ так же действует как “официальные”
методические рекомендации для App Manager, и представляет ожидаемое
поведение App Manager. Переводы могут неверно истолковывать этот
документ (который написан на английском языке). Поэтому каждый
понимающий андгийский язык пользователь должен прочитать версию на
андгийском языке для лучшего понимания App Manager. Здесь так же могут
быть другие неофициальные или сторонние ресурсы тикое как сообщения
блога, видео, чаты и т.п. Хотя эти ресурсы могут быть полезны для многих
людей, они могут быть устаревшими для текущей версии App Manager. Если
замечены какие-либо отличия между App Manager и этом документом, о них
следует сообщать в App Manager
issue tracker. AM — Краткое название App Manager. Block/Unblock — Используется для
блокировки/разблокировки компонентов. Способ блокировки компонентов
зависит от пользовательских настроек. IFW — Краткая форма Intent Firewall. Ops — Краткое название для операций, таких как
операции приложения, пакетные операции, операции в 1 клик SSAID — Краткая форма
Трекер — Обозначает компоненты трекера во всем
документе и в App Manager за исключением scanner page. Трекеры включают в себя
библиотеки для отправки краш-репортов, аналитики, профилирования,
идентификации, рекламы, местоположения и т.п.. Таким образом, они не
одинаковые по функциям. Здесь нет различия между библиотек с открытым и
закрытым исходным кодом, которые продвикают трекинг. Сейчас поддерживаемые версии это v2.6.0 (стабильная), v3.0.0 (альфа
релизы). Предыдущие версии App Manager могут содержать уязвимости
безопасности и не должны быть использованы. App Manager распостранятся используя следующий источники.
Неофициальные источники могут распостранять модифицированную версию App
Manager, и никто, кроме вас, не несет ответственности за последствия
использования таких дистрибутивов. Офисиальный репозиторий F-Droid.1 GitHub репозиторий. Телеграм. Все, кроме GitHub, являются зеркальными ссылками. Теги всегда должны
быть актуальными, но не гарантируется, что master-ветка будет
актуальной. Если цель состоит в том, чтобы клонировать master-ветку,
используйте ссылку GitHub вместо других. App Manager не поддерживает переводы напрямую через pull/merge
запросы. Переводы управляются автоматически через Weblate. Чтобы
присоединиться к команде перевода, посетите https://hosted.weblate.org/engage/app-manager/. Есть несколько способов, которыми пользователь может внести свой
вклад, такие как создание полезных вопросов, посещение дискуссий,
улучшение документаций и переводов, добавление библиотек или трекеров,
просмотр исходного кода, а так же сообщение об уязвимостях
безопасности. Инструкции по сборке доступны в файле BUILDING, расположенном в корне
директории исходного кода. Репозитории, расположенные на сайтах, отличных от GitHub, в настоящее
время считаются зеркалами, и pull/merge запросы, отправленные на этих
сайтах не будут приняты.2 Вместо этого патчи
( Внимание. В случае отправки исправлений по электронной почте вся беседа может
стать общедоступной в будущем. Поэтому не надо включать любую личную
информацию, кроме вашего имени или адреса электронной почты. Donation or purchasing is not a requirement in order to use App
Manager. While App Manager does not support any purchases,
donations can be sent to the owner of App Manager through Open Source
Collective. Open Source Collective is a fiscal host in the Open Collective
platform which helps the open source projects manage their finances. At
present, it supports payments through bank accounts, PayPal, credit or
debit cards and cryptocurrencies. Link: https://opencollective.com/muntashir. By sending donations, the senders agree that they shall not use the
donations as a leverage to prioritise their requested features. Feature
requests do not require any bounties or donations, and they are
prioritised in accordance with the preferences of the owner. App Manager accepts any offers of funding or grants.
Representatives of the interested organization can contact the owner
directly using the options given in §1.6. Muntashir Al-Islam31.1 Терминология
Settings.Secure.ANDROID_ID
. Это идентификатор устройства,
привязанный к каждому приложению (Android Oreo и выше). Он сгенерирован
из комбинации сертификата подписи приложения и SSAID установленного для
пакета android
. Как результат, он гарантированно будет
одинаковым пока пользователь не решит отформатировать устройство. Он
широко используется для слежки.1.2 Поддерживаемые версии
1.3 Официальные источники
1.3.1
Источники
распостранения
Ссылка: https://f-droid.org/packages/io.github.muntashirakon.AppManager
Стабильные релизы: https://github.com/MuntashirAkon/AppManager/releases
Бета релизы: https://github.com/MuntashirAkon/AppManager/actions
Стабильные релизы: https://t.me/AppManagerChannel
Бета релизы: https://t.me/AppManagerDebug1.3.2
Ссылки на исходный код
1.3.3
Переводы
1.4 Вклад
1.4.1
Инструкции по сборке
1.4.2
Отправка исправлений
.patch
файлы) могут быть отправлены через вложения
электронной почты. Требуется подпись. Прочитайте файл
CONTRIBUTING расположенный в корне директории с исходным кодом чтобы
получить больше информации.1.5 Пожертвование &
Финансирование
1.6 Связь
Email: muntashirakon [at]
riseup [dot] net
Key Fingerprint:
7bad37c2981e41f8f6abea7f58f0b4f26c346fce
GitHub: https://github.com/MuntashirAkon
Twitter: https://twitter.com/Muntashir
На главной странице перечислены все установленные, удаленные и резервные копии приложений. Один клик по любому установленному элементу приложения открывает Страницу сведений о приложении. Для удаленных системных приложений отображается диалоговое окно, которое можно использовать для переустановки приложения. Используя сортировку из списка настроек, приложения можно сортировать различными способами. Также есть возможность фильтровать приложения используя фильтр. Возможна фильтрация также через строку поиска с поддержкой регулярных выражений.
На этой странице также доступны пакетные операции или операции с
несколькими приложениями. Режим множественного выбора может быть
активирован кликом на любое приложение или нажав и удерживая любой
элемент в списке. После активации одним нажатием на элемент списка
выбирает его вместо открытия страницы сведений о приложении. В этом
режиме пакетные операции расположены в меню множественного выбора внизу
страницы. Операции включают: Добавление выбранных приложений в профиль Резервное копирование,
восстановление или удаление приложений Блокировка трекеров в приложениях Очистка данных или кэша приложений Включение/отключение/принудительная остановка/удаление
приложений Экспорт правил блокировки, сохранённых в App Manager Предотвращение фоновой работы приложений (Android 7 и
выше) Сохранение файлов APK в Установка политик Доступность. После активации режима множественного выбора можно входить или
выходить из меню с помощью правой или левой клавиши клавиатуры. Светло-серовато-оранжевый (день) /
Тёмно-синий (ночь) – Приложение
выбрано для множественной обработки Светло-красный (день) / Тёмно-красный (ночь) – Приложение
отключено Жёлтый – Отлаживаемое
приложение Оранжевая дата –
Приложение имеет доступ к системным логам Оранжевый UID –
Идентификатор пользователя используется несколькими
приложениями Оранжевый SDK –
Возможно, приложение использует трафик в открытом виде (напр.
HTTP) Красное имя пакета –
Приложение не позволяет очистить свои данные Красный бекап –
Удаленное приложение с одной или несколькими резервными копиями,
присутствующими в App Manager Оранжевыйбекап –
Устаревшая резервная копия, т.е. резервная копия содержит более старую
версия установленного приложения Темно-голубой
бекап – Актуальная резервная копия, т.е. резервная копия
содержит такую же или более позднюю версию установленного
приложения Темно-голубое имя
пакета – Принудительно остановленное приложение Темно-голубая
версия – Неактивное приложение Пурпурный – Постоянное
приложение, т. е. оно остается запущенным все время. Приложение может быть либо пользовательским, либо
системным приложением вместе со следующими
суффиксами: После названия версии следуют следующие префиксы:2.1.1
Пакетные операции
AppManager/apks
2.1.2
Цветовые коды
2.1.3
Типы приложений
X
– Поддерживает несколько архитектур0
– В приложении нет файлов dex°
– Приложение приостановлено#
– Приложение запросило у системы выделение
большого количества оперативной памяти?
– Приложение запросило, чтобы виртуальная машина
находилась в безопасном режиме2.1.4
Информация о версии
_
– Нет аппаратного ускорения~
– Только тестовый режимdebug
– Отлаживаемое приложение
App Details page consists of 11 (eleven) tabs. It
describes almost every bit of information an app can have, including all
attributes from its manifest, application
operations, signing information, libraries, and so on. List of background colours used in this page, and their meaning: Red (day) / dark red
(night) – Denotes any app ops or permissions having the
dangerous flag, or any components blocked within App Manager Light red (day) / very
dark red (night) – Denotes the components disabled outside
of App Manager Note. A component marked as disabled does not always mean that it is
disabled by the user: It could also be disabled by the system or marked
as disabled in its manifest. The components of a disabled application
are also considered disabled by the system (and App Manager). Vivid orange (day) / very dark orange (night) – Denotes
the tracker components Soft magenta (day) / very dark violet (night) – Denotes
the running services. App Info tab contains general information about an
application. It also lists many actions that can be performed within
this tab. The list below is in the same order as listed in the App Info
tab. App Icon. The application icon. If an app
doesn’t have an icon, the system default icon is displayed. App Label. The application label or application
name. Version. Application version is divided into two
parts. The first part is called version name, the format of
this part varies but it often consists of multiple integers separated by
dots. The second part is called version code and it is closed
under first brackets. Version code is an integer which is usually used
to differentiate between app versions (as version name can often be
unreadable by a machine). In general, new version of an app has higher
version code than the old ones. For instance, if Tags. (Also known as tag clouds) Tags include
the basic, concise and most useful info of an app. Tags contain
tracker info (i.e. number of tracker components), app
type (user app or system app and whether the app is an updated
version of the system app or if the app is installed systemless-ly using
Magisk), running (i.e. one or more services of the app is
running in the background), split APK info (i.e. number of
splits), debuggable (the app is a debug version), test
only (the app is a test only app), large heap (the app has
requested a large heap size), stopped (the app is force
stopped), disabled (the app is disabled), KeyStore
(the app has items in the Android KeyStore), no code (the app
doesn’t have any code associated with it), SSAID, netpolicy
(network policy such as background data usage), and battery
optimization. The importance of including test only and
debuggable is that app with these properties can do additional
tasks or these apps can be Horizontal Action Panel. This is an action panel
containing various actions regarding the app. See §2.2.2.2 for a
complete list of actions available here. Paths & Directories. Contains various
information regarding application paths including app directory
(where the APK files are stored), data directories (internal,
device protected and externals), split APK directories (along
with the split names), and native JNI library (if present). JNI
libraries are used to invoke native codes usually written in C/C++. Use
of native library can make the app run faster or help an app use
third-party libraries written using languages other than Java like in
most games. You can also open these directories using your favourite
file managers (provided they support it and have necessary permissions)
by clicking on the launch icon on the right-hand side of each
item. Data Usage Since Last Boot. A rather self
explanatory option. But beware that due to some issues, the results
might often be misleading and simply wrong. This part remains hidden if
Usage Access permission is not granted in newer
devices. Storage & Cache. Displays information
regarding the size of the app (APK files), data and cache. In older
devices, size of external data, cache, media and OBB folders are also
displayed. This part remains hidden if Usage Access permission
is not granted in newer devices. More Info. Displays other information such
as– SDK. Displays information related to the Android
SDK. There are two (one in old devices) values: Max denotes the
target SDK and Min denotes the minimum SDK (the latter is not
available in old devices). It is best practice to use apps with maximum
SDK that the platform currently supports. SDK is also known as
API Level. See also: Android
Version History Flags. The application flags used at the time of
building the app. For a complete list of flags and what they do, visit
the official
documentation. Date Installed. The date when the app was first
installed. Date Updated. The date when the app was last
updated. This is the same as Date Installed if the app hasn’t
been updated. Installer App. The app that installed this app.
Not all app supply the information used by the package manager to
register the installer app. Therefore, this value should not be taken
for granted. User ID. The unique user ID set by the Android
system to the app. For shared applications, same user ID is assigned to
multiple applications that have the same Shared User
ID. Shared User ID. Applicable for applications that
are shared together. Although it says ID, this is actually a string
value. The shared application must have the same signatures. Main Activity. The main entry point to the app.
This is only visible if the app has activities and any of those are
openable from the Launcher. There’s also a launch button on the
right-hand side which can be used to launch this activity. Horizontal Action Panel, as described in the previous section,
consists of various app-related actions, such as– Launch. Application that has a launcher activities can be launched using this
button. Disable. Disable an app. This button is not
displayed for already disabled apps or to users who do not have root or
ADB. If you disable an app, the app will
not be displayed in your Launcher app. Shortcuts for the app will also
be removed. If you disable a user app, you can only enable them via App
Manager or any other tool that supports it. There isn’t any option in
Android Settings to enable a disabled user app. Uninstall. Uninstall an app. Enable. Enable an app. This button is not
displayed for already enabled apps or to users who do not have root or
ADB. Force Stop. Force-stop an app. When you force
stop an app, the app will not be able to run in background unless you
explicitly open it first. However, this is not always true. Clear Data. Clear data from an app. This
includes any information stored in the internal and often the external
directories, including accounts (if set by the app), cache, etc.
Clearing data from App Manager, for example, removes all the rules (the
blocking is not removed though) saved within the app. Which is why you
should always take backups of your rules. This button is not displayed
to users who do not have root or ADB. Clear Cache. Clear app cache only. There is not
any Android-way to clear app cache. Therefore, it needs root permission
to clear cache from the app’s internal storage. Install. Install an APK opened using any
third-party app. This button is only displayed for an external APK that
hasn’t been installed. What’s New. This button is displayed for an APK
that has higher version code than the installed one. Clicking on this
button displays a dialog consisting of differences in a version control
manner. The information it displays include version,
trackers, permissions, components,
signatures (checksum changes), features, shared
libraries and SDK. Update. Displayed for an app that has a higher
version code than the installed app. Reinstall. Displayed for an app that has the
same version code as the installed app. Downgrade. Displayed for an app that has a lower
version code than the installed app. Manifest. Clicking on this button displays the
app’s manifest file in a separate page. The manifest file can be wrapped
or unwrapped using the corresponding toggle button (on the top-right
side) or can be saved to you shared storage using the save
button. Scanner. Clicking on this button displays the
app’s tracker and library information. At first, it scans the app to
extract a list of classes. Then the class list is matched with a number
of signatures. After that, a scan summary is displayed. See also: Scanner
page Shared Prefs. Clicking on this button displays a
list of shared preferences used by the app. Clicking on a preference
item in the list opens the Shared Preferences Editor
page. This option is only visible to the root users. Databases. Clicking on this button displays a
list of databases used by the app. This needs more improvements, and a
database editor which might be added in the future. This option is only
visible to the root users. F-Droid. Opens the app in your favourite
F-Droid client. Store. Opens the app in Aurora Store.
The option is only visible if Aurora Store is
installed. By default, Termux does not allow running commands from third-party
applications. To enable this option, you have to add
Info. Enabling this option does not weaken your Termux’ security. The
third-party apps still need to request the user to allow running
arbitrary commands in Termux like any other dangerous permissions. Activities, Services,
Receivers (originally broadcast receivers) and
Providers (originally Content Providers) are
together called the application components. This is because they share
similar features in many ways. For example, they all have a
name and a label. Application components are the
building blocks of any application, and most of these have to declared
in the application manifest. Application manifest is a file where
application specific metadata are stored. The Android operating system
learns what to do with an app by reading the metadata. Colours used in
these tabs are explained in §2.2.1. You also
have the ability to sort the list of components to display blocked or
tracker components on top of the list using the Sort
option in the overflow menu. Activities are windows or pages that you can browse
(for instance Main page and App Details page are two
separate activities). In other words, an activity is a user interface
(UI) component. Each activity can have multiple UI components known as
widgets or fragments, and similarly, each of these
latter components can have multiple of them nested or on top of each
other. But an activity is the master component: There cannot be
two nested activities. An application author can also choose to open
external files within an activity using a method called intent
filters. When you try to open a file using your file manager,
either your file manager or system scans for intent filters to decide
which activities can open that particular file and offers you to open
the file with these activities (therefore, it is nothing to do with the
application itself). There are other intent filters as well. Activities which are exportable can be usually opened by any
third-party apps (some activities require permissions, if that is the
case, only an app having those permissions can open them). In the
Activities tab, the name of the activity (on top of each list
item) is actually a button. It is enabled for the exportable
activities and disabled for others (root users can open any activities).
You can click on the button to open the activity directly in App
Manager. You can also open the Interceptor page by long clicking on an
activity. Currently, it only works for exportable
activities. Notice. If you are not able to open any activity, chances are it has certain
dependencies which are not met, e.g. you cannot open App Details
Activity because it requires that you at least supply a package
name. These dependencies cannot always be inferred programmatically.
Therefore, you cannot open them using App Manager. You can also create shortcut for these exportable activities
(using the dedicated button), and if you want, you can edit the shortcut
as well using the Edit Shortcut button. Caution. If you uninstall App Manager, all shortcuts created by App Manager
will be lost. Unlike activities which users can
see, Services handle background tasks. If you’re, for
example, downloading a video from the internet using your phone’s
Internet browser, the Internet browser is using a foreground service to
download the content. When you close an activity, it usually gets destroyed immediately
(depending on many factors such as how much free memory your phone has).
But services can be run for indefinite periods if desired. If more
services are running in background, your phone will get slower due to
shortage of memory and/or processing power, and your phone’s battery can
be drained more quickly. Newer Android versions have a battery
optimisation feature enabled by default for all apps. With this feature
enabled, the system can randomly terminate any service. By the way, both activities and services are run in the same looper called the
main looper, which means the services are not really run in the
background. It’s the application authors job to ensure that. How do
application communicate with services? They use broadcast receivers. Receivers (also called broadcast receivers)
can be used to trigger execution of certain tasks for certain events.
These components are called broadcast receivers because they are
executed as soon as a broadcast message is received. These broadcast
messages are sent using a method called intent. Intent is a special
feature for Android which can be used to open applications, activities,
services and send broadcast messages. Therefore, like activities, broadcast receivers use
intent filters to receive only the desired broadcast message(s).
Broadcast messages can be sent by either system or the app itself. When
a broadcast message is sent, the corresponding receivers are awakened by
the system so that they can execute tasks. For example, if you have low
memory, your phone may freeze or experience lags for a moment after you
enable mobile data or connect to the Wifi. Ever wondered why? This is
because broadcast receivers that can receive
‘android.net.conn.CONNECTIVITY_CHANGE‘ are awakened by the system as
soon as you enable data connection. Since many apps use this intent
filter, all of these apps are awakened almost immediately by the system
which causes the freeze or lags. That being said, receivers can be used
for inter-process communication (IPC), i.e., it helps you communicate
between different apps (provided you have the necessary permissions) or
even different components of a single app. Providers (also called content providers)
are used for data management. For example, when you save an apk file or
export rules in App Manager, it uses a content provider called
‘androidx.core.content.FileProvider‘ to save the APK or export the
rules. There are other content providers or even custom ones to manage
various content-related tasks such as database management, tracking,
searching, etc. Each content provider has a field called
Authority which is unique to that particular app in the entire
Android eco-system just like the package name. Unlike non-root users who are mostly spectators in these tabs, root
users can perform various operations. On the right-most side of each component item, there is a “block”
icon (which becomes a “unblock/restore” icon when the component is being
blocked). This icon (actually, a button) can be used to toggle the
blocking status of that particular component. If you do not have Instant Component
Blocking enabled or haven’t applied blocking for the app before, you
have to apply the changes using the Apply rules option
in three-dots menu. You can also remove already applied rules using the
same option (which would be read as Remove rules this
time). See also: FAQ: App
Components You can disable tracker components using the Block
tracker option in the three-dots menu. All tracker components
will be blocked regardless of the tab you’re currently in. Info. Tracker components are a subset of app components. Therefore, they
are blocked using the same method used for blocking any other
components. App Ops, Uses Permissions and
Permissions tabs are related to permissions. In Android
communication between apps or processes which do not have the same
identity (known as shared id) often require permission(s).
These permissions are managed by the permission controller. Some
permissions are considered normal permissions which are granted
automatically if they appear in the application manifest, but
dangerous and development permissions require
confirmation from the user. Colours used in these tabs are explained in
§2.2.1. App Ops stands for Application
Operations. Since Android 4.3, App Ops are used by
Android system to control most of the application permissions. Each app
op has a unique number associated with them which are closed inside
first brackets in the App Ops tab. They also have a private and
optionally, a public name. Some app ops are also associated with
permissions. The dangerousness of an app op is decided based on
the associated permission, and other information such as flags,
permission name, permission description, package
name, group are taken from the associated permission. Other information may
include the following: Mode. It describes the current authorisation
status which can be allow, deny (a rather misnomer, it
simply means error), ignore (it actually means deny),
default (inferred from a list of defaults set internally by the
vendor), foreground (in newer Androids, it means the app op can
only be used when the app is running in foreground), and some custom
modes set by the vendors (MIUI uses ask, for
instance). Duration. The amount of time this app op has
been used (there can be negative durations whose use cases are currently
unknown to me). Accept Time. Last time the app op was
accepted. Reject Time. Last time the app op was
rejected. Info. Contents of this tab are visible to no-root users if
There is a toggle button next to each app op item which can be used
to allow or deny (ignore) the app op. If you need to set other modes
available to your device, simply long click on an item. If you need to
set additional app ops that are not listed in the tab, use the Set
custom app op option in the menu. You can also reset your changes
using the Reset to default option or deny all dangerous app ops
using the corresponding option in the menu. You can also sort them in
ascending order by app op names and the associated unique numbers (or
values). You can also list the denied app ops first using the
corresponding sorting option. Warning. Denying an app op may cause the app to misbehave. Use the reset
to default option if that is the case. Due to the nature how app
ops work, the system may take some time to apply them. See also: Appendix: App
Ops Uses Permissions are the permissions used by the
application. This is named so because they are declared in the manifest
using Root and ADB users can grant or revoke the
dangerous and development permissions using the toggle
button on the right side of each permission item. They can also revoke
dangerous permissions all at once using the corresponding option in the
menu. Only these two types of permissions can be revoked because Android
doesn’t allow modifying normal permissions (which most of them
are). The only alternative is to edit the app manifest and remove these
permissions from there. Info. Since dangerous permissions are revoked by default by the system,
revoking all dangerous permissions is the same as resetting all
permissions. Notice. Permissions cannot be changed for apps targeting API 23 or earlier.
Therefore, permission toggles are disabled for such apps. Users can sort the permissions by permission name (in ascending
order) or choose to display denied or dangerous permissions at first
using the corresponding options in the menu. Permissions are usually custom permissions defined
by the app itself. It could contain regular permissions as well, mostly
in old applications. Here’s a complete description of each item that is
displayed there: Name. Each permission has a unique name like
Icon. Each permission can have a custom icon.
The other permission tabs do not have any icon because they do not
contain any icon in the app manifest. Description. This optional field describes the
permission. If there isn’t any description associated with the
permission, the field is not displayed. Flags. (Uses the flag symbol or
Protection Level name) This describes various
permission flags such as normal, development,
dangerous, instant, granted,
revoked, signature, privileged, etc. Package Name. Denotes the package name
associated with the permission, i.e. the package that defined the
permission. Group. The group name associated with the
permission (if any). Newer Androids do not seem to use group names which
is why you’ll usually see
Signatures are actually called signing info. An
application is signed by one or more signing certificates by the
application developers before publishing it. The integrity of an
application (whether the app is from the actual developer and isn’t
modified by other people) can be checked using the signing info; because
when an app is modified by a third-party unauthorised person, the app
cannot be signed using the original certificate(s) again because the
signing info are kept private by the actual developer. How do you
verify these signatures? Using checksums. Checksums are generated
from the certificates themselves. If the developer supplies the
checksums, you can match the checksums using the different checksums
generated in the Signatures tab. For example, if you
have downloaded App Manager from Github, Telegram Channel or
IzzyOnDroid’s repo, you can verify whether the app is actually released
by me by simply matching the following SHA256 checksum with the
one displayed in this tab: There are three types of checksums displayed there: MD5,
SHA1 and SHA256. Caution. It is recommended that you verify signing info using only
SHA256 checksums or all three of them. DO NOT rely on
MD5 or SHA1 checksums only as they are known to
generate the same results for multiple certificates. Other tabs list android manifest components such as features,
configurations, shared libraries, and signatures. A complete description
about these tabs will be available soon.2.2.1
Colour Codes
2.2.2
App Info Tab
2.2.2.1 General Information
123
and
125
are two version codes of an app, we can say that the
latter is more updated than the former because the version code of the
latter is higher. For applications that depend on platforms (mobile,
tabs, desktops, etc.), these version numbers can be misleading as they
use prefixes for each platform.run-as
without root which can
cause potential security problems if these apps store any private
information. Large heap denotes that the app will be allocated
a higher amount of memory (RAM) if needed. While this may not be harmful
for most cases, any suspicious apps requesting large heap should be
taken seriously.2.2.2.2 Horizontal Action Panel
2.2.2.4 Termux
allow-external-apps=true
in
~/.termux/termux.properties
, and make sure that you are
running Termux v0.96 or later.2.2.3
Component Tabs
2.2.3.1 Activities
2.2.3.2 Services
2.2.3.3 Receivers
2.2.3.4 Providers
2.2.3.5 Additional Features for
Rooted Phones
2.2.3.5.1 Blocking Components
2.2.3.5.2 Blocking Trackers
2.2.4
Permission Tabs
2.2.4.1 App Ops
android.permission.GET_APP_OPS_STATS
is granted via
ADB.2.2.4.2 Uses Permissions
uses-permission
tags. Information such as
flags, permission name, permission
description, package name, group are taken from
the associated permission.2.2.4.3 Permissions
android.permission.INTERNET
but multiple app can request
the permission.android.permission-group.UNDEFINED
or no group name at
all.2.2.5
Signatures Tab
320c0c0fe8cef873f2b554cb88c837f1512589dcced50c5b25c43c04596760ab
2.2.6
Other Tabs
This page appears after clicking on the 1-Click Ops option in the main menu. This option can be used to block or unblock the ad/tracker components
from the installed apps. After you click on this option, you will be
asked to select if AM will list trackers from all apps or only from the
user apps. Novice users should avoid blocking trackers from the system
apps in order to avoid consequences. After that, a multi-choice dialog
box will appear where you can deselect the apps you want to exclude from
this operation. Clicking block or unblock applies the
changes immediately. Notice. Certain apps may not function as expected after applying the
blocking. If that is the case, remove blocking rules all at once or one
by one in the component tabs of the corresponding App Details page. This option can be used to block certain app components denoted by
the signatures. App signature is the full name or partial name of the
components. For safety, it is recommended that you should add a
Caution. If you are not aware of the consequences of blocking app components
by signature(s), you should avoid using this setting as it may result in
boot loop or soft brick, and you may have to apply factory reset in
order to use your OS. This option can be used to configure certain app operations of all or selected apps. You can
insert more than one app op constants separated by spaces. It is not
always possible to know in advance about all the app op constants as
they vary from device to device and from OS to OS. To find the desired
app op constant, browse the App Ops tab in the App Details page. The constants are
integers closed inside brackets next to each app op name. You can also
use the app op names. You also have to select one of the modes that will be applied against the
app ops. Caution. Unless you are well-informed about app ops and the consequences of
blocking them, you should avoid using this feature as it may result in
boot loop or soft brick, and you may have to apply factory reset in
order to use your OS. 1-Click options for back up. As a precaution, it lists the affected
backups before performing any operation. Back up all the installed apps. Back up all the installed apps that have a previous backup. Back up all the installed apps without a previous backup. Verify the recently made backups of the installed apps and redo
backup if necessary. If an app has changed since the last backup, redo backup for it. It
checks a number of indices including app version, last update date, last
launch date, integrity and file hashes. Directory hashes are taken
during the back up and stored in a database. On running this operation,
new hashes are taken and compared with the ones kept in the
database. 1-Click options for restore. As a precaution, it lists the affected
backups before performing any operation. Restore base backup of all the backed up apps. Restore base backup of all the backed up apps that are not
currently installed. Restore base backup of already installed apps whose version
codes are higher than the installed version code.2.3.1
Block/Unblock
Trackers
2.3.2
Block Components…
.
(dot) at the end of each partial signature name as the
algorithm used here chooses all matched components in a greedy manner.
You can insert more than one signature in which case all signatures have
to be separated by spaces. Similar to the option above, there is an
option to apply blocking to system apps as well.2.3.3
Set Mode for App
Ops…
2.3.4
Back up
2.3.4.0.1 Back up all apps.
2.3.4.0.2 Redo existing backups.
2.3.4.0.3 Back up apps without
backups.
2.3.4.0.4 Verify and redo
backups.
2.3.4.0.5 Back up apps with
changes.
2.3.5
Restore
2.3.5.0.1 Restore all apps.
2.3.5.0.2 Restore not installed
apps.
2.3.5.0.3 Restore latest backups.
Profiles page can be accessed from the options-menu in the main page. It displays a list of configured profiles. Profiles can be added using the plus button at the bottom-right corner, imported from the import option, created from one of the presets or even duplicated from an already existing profile. Clicking on any profile opens the profile page.
Profile page displays the configurations for a profile. It also offers editing them.
Notice.
When you apply a profile, if some packages do not match the criteria, they will simply be ignored.
Apps tab lists the packages configured under this profile. Packages can be added or removed using the plus button located near the bottom of the screen. Packages can also be removed by long clicking on them (in which case, a popup will be displayed with the only option delete).
Configurations tab can be used to configure the selected packages.
Description of each item is given below: This is the text that will be displayed in the profiles page. If not set, the current
configurations will be displayed instead. Denotes how certain configured options will behave. For instance, if
disable option is turned on, the apps will be disabled if the
state is on and will be enabled if the state is off.
Currently state only support on and off values. Select users for which is the profile will be applied. All users are
selected by default. This behaves the same way as the Block Components… option does
in the 1-Click Ops page. However, this only applies for the selected
packages. If the state is
on, the components will be blocked, and if the state is
off, the components will be unblocked. The option can be
disabled (regardless of the inserted values) by clicking on the
disabled button on the input dialog. See also: What are the app
components? This behaves the same way as the Set Mode for App Ops…
option does in the 1-Click Ops page. However, this only applies for the
selected packages. If the state
is on, the app ops will be denied (ie. ignored), and if the
state is off, the app ops will be allowed. The option can be
disabled (regardless of the inserted values) by clicking on the
disabled button on the input dialog. This option can be used to grant or revoke certain permissions from
the selected packages. Like others above, permissions must be separated
by spaces. If the state is
on, the permissions will be revoked, and if the state is
off, the permissions will be allowed. The option can be
disabled (regardless of the inserted values) by clicking on the
disabled button on the input dialog. This option can be used to take a backup of the selected apps and its
data or restore them. There two options available there: Backup
options and backup name. Backup options. Same as the backup options of the
backup/restore feature. If not set, the default options will be
used. Backup name. Set a custom name for the backup.
If the backup name is set, each time a backup is made, it will be given
a unique name with backup-name as the suffix. This behaviour will be
fixed in a future release. Leave this field empty for regular or “base”
backup (also, make sure not to enable backup multiple in the
backup options). If the state is on,
the packages will be backed up, and if the state is off, the
packages will be restored. The option can be disabled by clicking on the
disabled button on the input dialog. This option allows you to export blocking rules. Danger. This option is not yet implemented. Enables/disables the selected packages depending on the state. If the state is on,
the packages will be disabled, and if the state is off, the
packages will be enabled. Allows the selected packages to be force-stopped. Enables clearing cache for the selected packages. Enables clearing data for the selected packages. Enables blocking/unblocking of the tracker components from the
selected packages depending on the state. If the state is on,
the trackers will be blocked, and if the state is off, the
trackers will be unblocked. Enables saving APK files at 2.5.3.1 Comment
2.5.3.2 State
2.5.3.3 Users
2.5.3.4 Components
2.5.3.5 App Ops
2.5.3.6 Permissions
2.5.3.7 Backup/Restore
2.5.3.8 Export Blocking Rules
2.5.3.9 Disable
2.5.3.10 Force-stop
2.5.3.11 Clear Cache
2.5.3.12 Clear Data
2.5.3.13 Block Trackers
2.5.3.14 Save APK
AppManager/apks
for the
selected packages.
Settings can be used to customise the behaviour of the app. Configure in-app language. App Manager currently supports 19
(nineteen) languages. Configure in-app theme. Lock App Manager using Android screen lock provided a screen lock is
configured. You can select one of the four options: Auto. Let AM decide the suitable option for you.
Although this is the default option, it may cause problems in some
devices. Root. Select root mode. By default, AM requests
root permission if root is detected but hasn’t been granted. If this
option is selected, AM will run in root mode even if root is unavailable
or denied. This may cause crashes or freezing issues, therefore,
shouldn’t be enabled if root is unavailable. ADB over TCP. Enable ADB over TCP mode. AM may hang indefinitely
if ADB over TCP is not enabled. No-root. AM runs in no-root mode. AM performs
better if this is enabled but all the root/ADB features will be
disabled. Enable or disable certain features in App Manager, such as Interceptor Manifest viewer Scanner Package installer Usage access: With this option turned off, App Manager will never
ask for the Usage Access permission. Log viewer Select the signature
schemes to use. It is recommended that you use at least v1 and v2
signature schemes. Use the Reset to Default button in case
you’re confused. Configure custom signing key for signing APK files. Keys from an
existing KeyStore can be imported to App Manager, or a new key can be
generated. Notice. App Manager maintains a KeyStore where the keys used within the app
are stored. The password for the keystore will be asked when necessary.
Be sure to store the password in a safe place, otherwise the KeyStore
cannot be recovered when necessary. For root/ADB users, a list of users will be displayed before
installing the app. The app will be installed only for the specified
user (or all users if selected). Whether to sign the APK files before installing the app. Visit APK signing section to configure
signing. Choose APK install location. This can be one of auto,
internal only and prefer external. In newer Android
versions, the last option may not always install the app in the external
storage. Select the installer app, useful for some apps which explicitly
checks for their installer. This only works for root/ADB users. Settings related to back
up/restore. Set which compression method to be used during backups. App Manager
supports GZip and BZip2 compression methods, GZip being the default
compression method. It doesn’t affect the restore of an existing
backup. Customise the back up/restore dialog. Allow backup of apps that has entries in the Android KeyStore
(disabled by default). Some apps (such as Signal) may crash if restored.
KeyStore backup also doesn’t work from Android 9 but still kept as many
apps having KeyStore can be restored without problem. Set an encryption method for the backups. App Manager currently
supports OpenPGP (via OpenKeyChain),
AES and RSA (hybrid encryption with AES). Like APK signing, The AES and RSA keys are
stored in the KeyStore and can be imported from other KeyStores. Lets you select the storage where the backups will be stored. Notice. The backup volume only specifies the storage, not the path. Backups
are stored in By default, blocking rules are not applied unless they are applied
explicitly in the App Details page
for any package. Upon enabling this option, all (old and new) rules are
applied immediately for all apps without explicitly enabling blocking
for an app. Notice. Enabling this setting may have some unintended consequences. For
instance, the rules that are not completely removed will be applied
again. So, proceed with caution. This option should be kept disabled if
not required for some reasons. See also: FAQ: What is
instant component blocking? It is possible to import or export blocking rules within App Manager
for all apps. There is a choice to export or import only certain rules
(components, app ops or permissions) instead of all of them. It is also
possible to import blocking rules from Blocker and Watt. If it is necessary to
export blocking rules for a single app, use the corresponding App Details page to export rules, or
for multiple apps, use batch
operations. See also: Rules
Specification Export blocking rules for all apps configured within App Manager.
This may include app
components, app ops and permissions based on the options selected in
the multi-choice options. Import previously exported blocking rules from App Manager. Similar
to export, this may include app components, app ops
and permissions based on the options selected in the multi-choice
options. Add components disabled by other apps to App Manager. App Manager
only keeps track of component disabled within App Manager. If you use
other tools to block app components, you can use this tools to import
these disabled components. Clicking on this option triggers a search for
disabled components and will list apps with components disabled by user.
For safety, all the apps are unselected by default. You can manually
select the apps in the list and re-apply the blocking through App
Manager. Caution. Be careful when using this tool as there can be many false positives.
Choose only the apps that you are certain about. Import configuration files from Watt, each file containing
rules for a single package and file name being the name of the package
with Tip. Location of configuration files in Watt:
Import blocking rules from Blocker, each file
containing rules for a single package. These files have a
One-click option to remove all rules configured within App Manager.
This will enable all blocked components, app ops will be set to their
default values and permissions will be granted. Import or export the KeyStore used by App Manager. This is a Bouncy
Castle KeyStore with Display Android version, security, CPU, GPU, battery, memory, screen,
languages, user info, etc.2.6.1
Language
2.6.2
App Theme
2.6.3
Screen Lock
2.6.4
Mode of Operation
2.6.5
Enable/Disable
Features
2.6.6
APK Signing
2.6.6.1 Signature Schemes
2.6.6.2 Signing Key
2.6.7
Installer
2.6.7.1 Show users in installer
2.6.7.2 Sign APK
2.6.7.3 Install location
2.6.7.4 Installer App
2.6.8
Back up/Restore
2.6.8.1 Compression method
2.6.8.2 Backup Options
2.6.8.3 Backup apps with Android
KeyStore
2.6.8.4 Encryption
2.6.8.5 Backup Volume
AppManager
folder inside the storage path.
This is also where logs and exported APK files are saved.2.6.9
Rules
2.6.9.1 Instant Component
Blocking
2.6.9.2 Import/Export Blocking
Rules
2.6.9.2.1 Export
2.6.9.2.2 Import
2.6.9.2.3 Import Existing Rules
2.6.9.2.4 Import from Watt
.xml
extension./sdcard/Android/data/com.tuyafeng.watt/files/ifw
2.6.9.2.5 Import from Blocker
.json
extension.2.6.9.3 Remove all rules
2.6.10 Import/Export Keystore
bks
extension. Therefore, other
KeyStore such as Java KeyStore (JKS) or PKCS #12 are not supported. If
you need to import a key from these KeyStores, use the relevant options
outlined above.2.6.11 About the device
Scanner page appears after clicking on the scanner button in the App Info tab. External APK files can also be opened for scanning from file managers, web browsers, etc.
It scans for trackers and libraries, and displays the number of trackers and libraries as a summary. It also displays checksums of the APK file as well as the signing certificate(s).
Disclaimer.
AM only scans an app statically without prejudice. The app may provide the options for opting out, or in some cases, certain features of the tracker may not be used at all by the app (e.g. F-Droid), or some apps may simply use them as placeholders to prevent the breaking of certain features (e.g. Fennec F-Droid). The intention of the scanner is to give you an idea about what the APK might contain. It should be taken as an initial step for further investigations.
Clicking on the first item (i.e. number of classes) opens a new page containing a list of tracker classes for the app. All classes can also be viewed by clicking on the Toggle Class Listing menu. A sneak-peek of each class can be viewed by simply clicking on any class item.
Notice.
Due to various limitations, it is not possible to scan all the components of an APK file. This is especially true if an APK is highly obfuscated. The scanner also does not check strings (or website signatures).
The second item lists the number of trackers along with their names. Clicking on the item displays a dialog containing the name of trackers, matched signatures, and the number of classes against each signature. Some tracker names may have 2 prefix which indicates that the trackers are in the ETIP stand-by list i.e. whether they are actual trackers is still being investigated.
The third item lists the number of libraries along with their names. The information are mostly taken from IzzyOnDroid repo.
At the bottom of the page, there is a special item denoting the number of missing signatures (i.e. missing classes). The missing signatures are the ones that AM has failed to match against any known libraries. The number itself has no particular meaning as many libraries contain hundreds of classes, but clicking on the item will bring up a dialog containing the signatures which is helpful in inspecting the missing signatures. This feature is only intended for people who know what a missing signature is and what to do with it, average users should just ignore it.
Interceptor can be used to intercept communication between apps using
Intent
. It works as a man-in-the-middle between the source
and the destination apps. It offers a feature-complete user interface
for editing Intent
s.
Info.
Development of interceptor is still in progress. It can only intercept activities for now.
Warning.
Interceptor only works for implicit intents where the app component isn’t specified.
Intent filters are used by the apps to specify which tasks they are
able to perform or which tasks they are going to perform using other
apps. For example, when you’re opening a PDF file using a file manager,
the file manager will try to find which apps to open the PDF with. To
find the right applications, the file manager will create an Intent with
filters such as MIME type and ask the system to retrieve the matched
applications that is able to open this filter. The system will search
through the Manifest of the installed applications to match the filter
and list the app components that are able to open this filter (in our
case the PDF). At this, either the file manager will open the desired
app component itself or use a system provided option to open it. If
multiple app components are able to open it and no default is set, you
may get a prompt where you have to choose the right app component. Action specifies the generic action to perform such as
Data is originally known as URI (Uniform Resource Identifier) defined
in RFC 2396. It can
be web links, file location, or a special feature called
content. Contents are an Android feature managed by the content providers. Data are often
associated with a MIME type. Examples: MIME type of the data. For example, if
the data field is set to This is similar to action in the
sense that it is also used by the system to filter app components. This
has no further benefits. Unlike action, there can be more than
one category. Clicking on the plus button next to the title
allows adding more categories. Flags are useful in determining how system should behave during the
launch or after the launch of an activity. An average user should avoid
this as it requires some technical background. The plus button
next to the title can be used to add one or more flags. Extras are the key-value pairs used for supplying additional
information to the destination component. You can add extras using the
plus button next to the title. Represents the entire Intent as a URI (e.g. 2.8.1.1 Action
android.intent.action.VIEW
. Applications often declare the
relevant actions in the Manifest file to catch the desired Intents. The
action is particularly useful for broadcast Intent where it plays a
vital rule. In other cases, it works as an initial way to filter out
relevant app components. Generic actions such as
android.intent.action.VIEW
and
android.intent.action.SEND
are widely used by apps. So,
setting this alone may match many app components.2.8.1.2 Data
http://search.disroot.org/?q=URI%20in%20Android%20scheme&categories=general&language=en-US
https://developer.android.com/reference/android/net/Uri
file:///sdcard/AppManager.apk
mailto:email@example.com
content://io.github.muntashirakon.AppManager.provider/23485af89b08d87e898a90c7e/AppManager.apk
2.8.1.3 MIME Type
file:///sdcard/AppManager.apk
, the
associated MIME type can be
application/vnd.android.package-archive
.2.8.1.4 Categories
2.8.1.5 Flags
2.8.1.6 Extras
2.8.1.7 URI
intent://…
).
Some data cannot be converted to string, and as a result, they might not
appear here.
List all the activity components that matches the Intent. This is internally determined by the system (rather than AM). The launch button next to each component can be used to launch them directly from AM.
Reset the Intent to its initial state. This may not always work as expected.
Resend the edited Intent to the destination app. This may open a list of apps where you have to select the desired app. The result received from the target app will be sent to the source app. As a result the source app will not know if there was a man-in-the-middle.
Many root-only features can still be used by enabling ADB over TCP. To do that, a PC or Mac is required with Android platform-tools installed, and an Android phone with developer options & USB debugging enabled.
Root users.
If superuser permission has been granted to App Manager, it can already execute privileged code without any problem. Therefore, root users don’t need to enable ADB over TCP. If you still want to use ADB over TCP, you must revoke superuser permission for App Manager and restart your device. You may see working on ADB mode message without restarting but this isn’t entirely true. The server (used as an interface between system and App Manager) is still running in root mode. This is a known issue and will be fixed in a future version of App Manager.
See also: FAQ: ADB over TCP
Developer options is located in Android Settings, either directly near the bottom of the page (in most ROMs) or under some other settings such as System (Lineage OS, Asus Zenfone 8.0+), System > Advanced (Google Pixel), Additional Settings (Xiaomi MIUI, Oppo ColorOS), More Settings (Vivo FuntouchOS), More (ZTE Nubia). Unlike other options, it is not visible until explicitly enabled by the user. If developer options is enabled, you can use the search box in Android Settings to locate it as well.
This option is available within Android Settings as well but like the location of the developer options, it also differs from device to device. But in general, you have to find Build number (or MIUI version for MIUI ROMs and Software version for Vivo FuntouchOS, Version for Oppo ColorOS) and tap it at least 7 (seven) times until you finally get a message saying You are now a developer (you may be prompted to insert pin/password/pattern or solve captchas at this point). In most devices, it is located at the bottom of the settings page, inside About Phone. But the best way to find it is to use the search box.
After locating the
developer options, enable Developer option (if not
already). After that, scroll down a bit until you will find the option
USB debugging. Use the toggle button on the right hand
side to enable it. At this point, you may get an alert prompt where you
may have to click OK to actually enable it. You may also have
to enable some other options depending on device vendor and ROM. Here
are some examples: Enable USB debugging (security settings) as
well. Enable Allow ADB debugging in charge only mode as
well. When connecting to your PC or Mac, you may get a prompt saying
Allow access to device data? in which case click
YES, ALLOW ACCESS. Notice. Often the USB debugging mode could be disabled
automatically by the system. If that’s the case, repeat the above
procedure. Make sure you have USB tethering enabled. In case USB Debugging is greyed out, you can do the
following: Make sure you enabled USB debugging before connecting your phone
to the PC or Mac via USB cable Enable USB tethering after connecting to PC or Mac via USB
cable (For Samsung) If your device is running KNOX, you may have to
follow some additional steps. See official documentations or consult
support for further assistant3.1.2.1 Xiaomi (MIUI)
3.1.2.2 Huawei (EMUI)
3.1.2.3 LG
3.1.2.4 Troubleshooting
In order to enable ADB over TCP, you have to set up ADB in your PC or
Mac. Lineage OS users can skip to §3.1.4.1. Download the latest version of Android
SDK Platform-Tools for Windows Extract the contents of the zip file into any directory (such as
Open Command Prompt or
PowerShell from this directory. You can do it manually
from the start menu or by holding Download the latest version of Android
SDK Platform-Tools for macOS Extract the contents of the zip file into a directory by clicking
on it. After that, navigate to that directory using Finder and
locate Open Terminal using Launchpad or
Spotlight and drag-and-drop Tip. If you are not afraid to use command line, here’s a one liner: After that, you can simply type Open your favourite terminal emulator. In most GUI-distros, you
can open it by holding Run the following command: If it is successful, you can simply type 3.1.3.1 Windows
C:\adb
) and navigate to that directory using
ExplorerShift
and Right clicking
within the directory in File Explorer and then clicking either
on Open command window here or on Open PowerShell window
here (depending on what you have installed). You can now access ADB
by typing adb
(Command Prompt) or ./adb
(PowerShell). Do not close this window yet3.1.3.2 macOS
adb
adb
from the
Finder window into the Terminal window. Do not close
the Terminal window yetcd ~/Downloads && curl -o platform-tools.zip -L \
&& \
https://dl.google.com/android/repository/platform-tools-latest-darwin.zip unzip platform-tools.zip && rm platform-tools.zip && cd platform-tools
./adb
in the in same
Terminal window to access ADB.3.1.3.3 Linux
Control
, Alter
and
T
at the same timecd ~/Downloads && curl -o platform-tools.zip -L \
&& \
https://dl.google.com/android/repository/platform-tools-latest-linux.zip unzip platform-tools.zip && rm platform-tools.zip && cd platform-tools
./adb
in
the in same terminal emulator window or type
~/Downloads/platform-tools/adb
in any terminal emulator to
access ADB.
Lineage OS (or its derivatives) users can directly enable ADB over TCP using the developer options. To enable that, go to the Developer options, scroll down until you find ADB over Network. Now, use the toggle button on the right-hand side to enable it and skip to §3.1.4.3.
For other ROMs, you can do this using the command
prompt/PowerShell/terminal emulator that you’ve opened in the step 3 of
the previous section. In this section, I will use adb
to
denote ./adb
, adb
or any other command that
you needed to use based on your platform and software in the previous
section.
Connect your device to your PC or Mac using a USB cable. For some devices, it is necessary to turn on File transfer mode (MTP) as well
To confirm that everything is working as expected, type
adb devices
in your terminal. If your device is connected
successfully, you will see something like this:
List of devices attached
xxxxxxxx device
Notice.
In some Android phones, an alert prompt will be appeared with a message Allow USB Debugging in which case, check Always allow from this computer and click Allow.
Finally, run the following command to enable ADB over TCP:
adb tcpip 5555
Danger.
You cannot disable developer options or USB debugging after enabling ADB over TCP.
After enabling ADB over TCP (in the previous subsections), open App Manager (AM). You should see working on ADB mode toast message at the bottom. If not, remove AM from the recents and open AM again from the launcher.
Notice.
In some Android phones, the USB cable is needed to be disconnected from the PC in order for it to work.
Warning.
ADB over TCP will be disabled after a restart. In that case, you have to follow §3.1.4.2 again.
Lineage OS users.
You can turn off ADB over Network in developer options, but turning off this option will also stop App Manager’s remote server. So, turn it off only when you’re not going to use App Manager in ADB over TCP mode.
App Manager has a modern, advanced and easy-to-use backup/restore system implemented from the scratch. This is probably the only app that has the ability to restore not only the app or its data but also permissions and rules that you’ve configured within App Manager. You can also choose to back up an app multiple times (with custom names) or for all users.
Back up/restore is a part of batch
operations. It is also located inside the options menu in the App Info tab. Clicking on
Backup/Restore opens the Backup
Options. Backups are located at
/storage/emulated/0/AppManager
by default. You can
configure custom backup location in the settings page in which case the
backups will be located at the AppManager
folder in the
selected volume.
Note.
If one or more selected apps do not have any backup, the Restore and Delete Backup options will not be displayed.
Backup options (internally known as backup flags) let you customise the backups on the fly. However, the customisations will not be remembered for the future backups. If you want to customise this dialog, use Backup Options in the Settings page.
A complete description of the backup options is given below:
APK files. Whether to back up the APK files.
This includes the base APK file along with the
split APK
files if they exist.
Internal data. Whether to back up the internal
data directories. These directories are located at
/data/user/<user_id>
and (for Android N or later)
/data/user_de/<user_id>
.
External data. Whether to back up data directories located in the internal memory as well as SD Card (if exists). External data directories often contain non-essential app data or media files (instead of using the dedicated media folder) and may increase the backup size. However, it might be essential for some apps. Although it isn’t checked by default (as it might dramatically increase the size of the backups), you may have to check it in order to ensure a smooth restore of your backups.
Caution.
Internal data folders should always be backed up if you are going to back up the external data folders. However, it could be useful to back up only the external folders if the app in question downloads a lot of assets from the Internet.
OBB and media. Whether to back up or restore the OBB and the media directories located in the external storage or the SD Card. This is useful for games and the graphical software which actually use these folders.
Cache. Android apps have multiple cache directories located at every data directories (both internal and external). There are two types of cache: cache and code cache. Enabling this option excludes both cache directories from all the data directories. It is generally advised to exclude cache directories since most apps do not clear the cache regularly (for some reason, the only way an app can clear its cache is by deleting the entire cache directory) and usually handled by the OS itself. Apps such as Telegram may use a very large cache (depending on the storage space) which may dramatically increase the backup size. When it is disabled, AM also ignores the no_backup directories.
Extras. Backup/restore app permissions, net policy, battery optimization, SSAID, etc., enabled by default. Note that, blocking rules are applied after applying the extras. So, if an item is present in both places, it will be overwritten (i.e., the one from the blocking rules will be used).
Rules. This option lets you back up blocking rules configured within App Manager. This might come in handy if you have customised permissions or block some components using App Manager as they will also be backed up or restored when you enable this option.
Backup Multiple. Whether this is a multiple backup. By default, backups are saved using their user ID. Enabling this option allows you to create additional backups. These backups use the current date-time as the default backup name, but you can also specify custom backup name using the input field displayed when you click on the Backup button.
Custom users. Backup or restore for the selected users instead of only the current user. This option is only displayed if the system has more than one user.
Skip signature checks. When taking a backup,
checksum of every file (as well as the signing certificate(s) of the
base APK file) is generated and stored in the checksums.txt
file. When you restore the backup, the checksums are generated again and
are matched with the checksums stored in the said file. Enabling this
option will disable the signature checks. This option is applied only
when you restore a backup. During backup, the checksums are generated
regardless of this option.
Caution.
You should always disable this option to ensure that your backups are not modified by any third-party applications. However, this would only work if you enabled encryption.
See also: Settings: Encryption
Backup respects all the backup options except Skip signature checks. If base backups (i.e., backups that don’t have the Backup Multiple option) already exist, you will get a warning as the backups will be overwritten. If Backup Multiple is set, you have an option to input the backup name, or you can leave it blank to use the current date-time.
Restore respects all the backup options and will fail if APK files option is set, but the backup doesn’t contain such backups or in other cases, if the app isn’t installed. When restoring backups for multiple packages, you can only restore the base backups (see backup section for an explanation). However, when restoring backups for a single package, you have the option to select which backup to restore. If All users option is set, AM will restore the selected backup for all users in the latter case but in the former case, it will restore base backups for the respective users.
Notice.
Apps that use storage access framework (SAF), SSAID or Android KeyStore works properly only after an immediate restart.
Delete backup only respects All users option and when it is selected, only the base backups for all users will be deleted with a prompt. When deleting backups for a single package, another dialog will be displayed where you can select the backups to delete.
Short for Network policy or network policies. It is usually located in the Android settings under Mobile data & Wifi section in the app info page of an app. Not all policies are guaranteed to be included in this page (e.g. Samsung), and not all settings are well-understood due to lack of documentation. App Manager can display all the net policies declared in the NetworkPolicyManager. Policies unknown to App Manager will have a Unknown prefix along with the policy constant name and number in the hexadecimal format. Unknown policies should be reported to App Manager for inclusion.
Net policy allows a user to configure certain networking behaviour of an app without modifying the ip tables directly and/or running a firewall app. However, the features it offers largely depend on Android version and ROM. A list of known net policies are listed below:
None or
POLICY_NONE
: (AOSP) No specific network
policy is set. System can still assign rules depending on the nature of
the app.
Reject background data or
POLICY_REJECT_METERED_BACKGROUND
: (AOSP)
Reject network usage on metered networks when the application is in
background.
Allow background data when Data Saver is on or
POLICY_ALLOW_METERED_BACKGROUND
: (AOSP)
Allow metered network use in the background even when data saving mode
is enabled.
Reject cellular data or
POLICY_REJECT_CELLULAR
(Android 11+) or
POLICY_REJECT_ON_DATA
(up to Android 10):
(Lineage OS) Reject mobile/cellular data. Signals network unavailable to
the configured app as if the mobile data is inactive.
Reject VPN data or
POLICY_REJECT_VPN
(Android 11+) or
POLICY_REJECT_ON_VPN
(up to Android 10):
(Lineage OS) Reject VPN data. Signals network unavailable to the
configured app as if the VPN is inactive.
Reject Wi-Fi data or
POLICY_REJECT_WIFI
(Android 11+) or
POLICY_REJECT_ON_WLAN
(up to Android 10):
(Lineage OS) Reject Wi-Fi data. Signals network unavailable to the
configured app as if the device is not connected to a Wi-Fi
network.
Disable network access or
POLICY_REJECT_ALL
(Android 11+) or
POLICY_NETWORK_ISOLATED
(up to Android
10): (Lineage OS) Reject network access in all circumstances. This is
not the same as enforcing the other three policies above, and is the
recommended policy for dodgy apps. If this policy is enforced, there is
no need to enforce the other policies.
POLICY_ALLOW_METERED_IN_ROAMING
:
(Samsung) Possibly allow metered network use during roaming. Exact
meaning is currently unknown.
POLICY_ALLOW_WHITELIST_IN_ROAMING
:
(Samsung) Possibly allow network use during roaming. Exact meaning is
currently unknown.
Note.
Corresponding Lineage OS patches are as follows:
Activities, services, broadcast receivers (also known as receivers) and content providers (also known as providers) are jointly called app components. More technically, they all inherit the ComponentInfo class.
AM blocks application components (or tracker components) using a method called Intent Firewall (IFW), it is very superior to other methods such as pm (PackageManager), Shizuku or any other method that uses the package manager to enable or disable the components. If a component is disabled by the latter methods, the app itself can detect that the component is being blocked and can re-enable it as it has full access to its own components. (Many deceptive apps actually exploit this in order to keep the tracker components unblocked.) On the other hand, IFW is a true firewall and the app cannot detect if the blocking is present. It also cannot re-enable it by any means. AM uses the term block rather than disable for this reason.
Even IFW has some limitations which are primarily applicable for the system apps:
The app in question is whitelisted by the system i.e. the system cannot function properly without these apps and may cause random crashes. These apps include but not limited to Android System, System UI, Phone Services. They will run even if you disable them or block their components via IFW.
Another system app or system process is calling a specific component of the app in question via interprocess communication (IPC). In this case, the component will be activated regardless of its presence in the IFW rules or even if the entire app is disabled. If you have such system apps, the only way to prevent them from running is to get rid of them.
No. But components blocked by the Android System or any other tools are displayed in the App Details page (within the component tabs). In v2.5.12 and onwards, you can import these rules in Settings. But since there is no way to distinguish between components blocked by third-party apps and components blocked by the System, you should be very careful when choosing app.
AM blocks the components again using Intent Firewall (IFW). They are not unblocked (if blocked using pm or Shizuku method) and blocked again. But if you unblock a component in the App Details page, it will be reverted back to default state —- blocked or unblocked as described in the corresponding app manifest —- using both IFW and pm method. However, components blocked by MyAndroidTools (MAT) with IFW method will not be unblocked by AM. To solve this issue, you can first import the corresponding configuration to AM in Settings in which case MAT’s configurations will be removed. But this option is only available from v2.5.12.
When you block a component in the App Details page, the blocking is not applied by default. It is only applied when you apply blocking using the Apply rules option in the top-right menu. If you enable instant component blocking, blocking will be applied as soon as you block a component. If you choose to block tracker components, however, blocking is applied automatically regardless of this setting. You can also remove blocking for an app by simply clicking on Remove rules in the same menu in the App Details page. Since the default behaviour gives you more control over apps, it is better to keep instant component blocking option disabled.
All app components are classes but not all classes are components. In fact, only a few of the classes are components. That being said, scanner page displays a list of trackers along with the number of classes, not just the components. In all other pages, trackers and tracker components are used synonymously to denote tracker components, i.e. blocking tracker means blocking tracker components, not tracker classes.
Info.
Tracker classes cannot be blocked. They can only be removed by editing the app itself.
Some apps may misbehave due to their dependency to tracker components blocked by AM. From v2.5.12, there is an option to unblock tracker components in the 1-Click Ops page. However, in previous versions, there is no such options. To unblock these tracker components, first go to the App Details page of the misbehaving app. Then, switching to the Activities tab, click on the Remove rules options in the top-right menu. All the blocking rules related to the components of the app will be removed immediately. Alternatively, if you have found the component that is causing the issue, you can unblock the component by clicking on the unblock button next to the component name. If you have enabled instant component blocking in Settings, disable it first as Remove rules option will not be visible when it is enabled.
If you have Google Play Services
(com.google.android.gms
) installed, unblocking the
following services may fix
certain crashes:
Ad Request Broker Service
.ads.AdRequestBrokerService
Cache Broker Service
.ads.cache.CacheBrokerService
Gservices Value Broker Service
.ads.GservicesValueBrokerService
Advertising Id Notification Service
.ads.identifier.service.AdvertisingIdNotificationService
Advertising Id Service
.ads.identifier.service.AdvertisingIdService
Unfortunately, yes. However, as of v2.5.13, you don’t need to keep AoT enabled all the time as it now uses a server-client mechanism to interact with the system, but you do have to keep the Developer options as well as USB debugging enabled. To do that, enable ADB over TCP and open App Manager. You should see working on ADB mode toast message in the bottom. If you see it, you can safely stop the server. For Lineage OS or its derivative OS, you can toggle AoT without any PC or Mac by simply toggling the ADB over network option located just below the USB debugging, but the server can’t be stopped for the latter case.
Sadly, no. ADB has limited permissions and controlling application components is not one of them.
Most of the features supported by ADB mode are enabled by default once ADB support is detected by AM. These include disable, force-stop, clear data, grant/revoke app ops and permissions. You can also install applications without any prompt and view running apps/processes.
Yes. AM cannot modify any system settings without root or ADB over TCP.
AM uses the INTERNET permission for the following reasons:
To provide ADB over TCP support for the non-root
users. ADB over TCP is a custom network protocol that usually
runs on port 5555
. Therefore, to connect to this port via
localhost, AM needs this permission.
To execute privileged code both on root and ADB
mode. AM, being a user app, cannot execute privileged code nor
can it access any hidden APIs. Consequently, AM runs a server in the
privileged environment using app_process
at port
60001
and on the user side, AM connects to this server and
execute privileged code remotely from the app. Now, there are
alternative ways to communicate with a remote service. Currently, they
are under consideration.
Trackers and libraries are updated manually before making a new release.
App Manager’s use of hidden API and privileged code execution is now much more complex and cannot be integrated with other third party apps such as Shizuku. Here are some reasons for not considering Shizuku (which now has Apache 2.0 license) for App Manager:
Shizuku was initially non-free which led me to use a similar approach for App Manager to support both root and ADB
App Manager already supports both ADB and root which in some cases is more capable than Shizuku
Relying on a third-party app for the major functionalities is not a good design choice
Integration of Shizuku will increase the complexity of App Manager.
Bloatware are the unnecessary apps supplied by the vendor or OEM and are usually system apps. These apps are often used to track users and collect user data which they might sell for profits. System apps do not need to request any permission in order to access device info, contacts and messaging data, and other usage info such as your phone usage habits and everything you store on your shared storage(s).
The bloatware may also include Google apps (such as Google Play Services, Google Play Store, Gmail, Google, Messages, Dialer, Contacts), Facebook apps (the Facebook app consists of four or five apps), Facebook Messenger, Instagram, Twitter and many other apps which can also track users and/or collect user data without consent given that they all are system apps. You can disable a few permissions from the Android settings but be aware that Android settings hides almost every permission any security specialist would call potentially dangerous.
If the bloatware were user apps, you could easily uninstall them either from Android settings or AM. Uninstalling system apps is not possible without root permission. You can also uninstall system apps using ADB, but it may not work for all apps. AM can uninstall system apps with root or ADB (the latter with certain limitations, of course), but these methods cannot remove the system apps completely as they are located in the system partition which is a read-only partition. If you have root, you can remount this partition to manually purge these apps but this will break Over the Air (OTA) updates since data in the system partition has been modified. There are two kind of updates, delta (small-size, consisting of only the changes between two versions) and full updates. You can still apply full updates, but the bloatware will be installed again, and consequently, you have to delete them all over again. Besides, not all vendors provide full updates.
Another solution is to disable these apps either from Android settings (no-root) or AM, but certain services can still run in the background as they can be started by other system apps using Inter-process Communication (IPC). One possible solution is to disable all bloatware until the service has finally stopped (after a restart). However, due to heavy modifications of the Android frameworks by the vendors, removing or disabling certain bloatware may cause the System UI to crash or even cause bootloop, thus, (soft) bricking your device. You may search the web or consult the fellow users to find out more about how to debloat your device.
From v2.5.19, AM has a new feature called profiles. The profiles page has an option to create new profiles from one of the presets. The presets consist of debloating profiles which can be used as a starting point to monitor, disable, and remove the bloatware from a proprietary Android operating system.
Note.
In most cases, you cannot completely debloat your device. Therefore, it is recommended that you use a custom ROM free from bloatware such as Graphene OS, Lineage OS or their derivatives.
AM currently supports blocking activities, broadcast receivers, content providers, services, app ops and permissions, and in future I may add more blocking options. In order to add more portability, it is necessary to import/export all these data.
Maintaining a database should be the best choice when it comes to
storing data. For now, several tsv
files with each file
having the name of the package and a .tsv
extension. The
file/database will be queried/processed by the
RulesStorageManager
class. Due to this abstraction, it
should be easier to switch to database or encrypted database systems in
future without changing the design of the entire project. Currently, All
configuration files are stored at
/data/data/io.github.muntashirakon.AppManager/Files/conf
.
The format below is used internally within App Manager and is not compatible with the external format.
<name> <type> <mode>|<component_status>|<is_granted>
Here:
<name>
– Component/permission/app op name (in
case of app op, it could be string or integer)
<type>
– One of the ACTIVITY
,
RECEIVER
, PROVIDER
, SERVICE
,
APP_OP
, PERMISSION
<mode>
– (For app ops) The associated mode constant
<component_status>
– (For components)
Component status
true
– Component has been applied (true
value is kept for compatibility)
false
– Component hasn’t been applied yet, but will
be applied in future (false
value is kept for
compatibility)
unblocked
– Component is scheduled to be
unblocked
<is_granted>
– (For permissions) Whether the
permission is granted or revoked
External format is used for importing or exporting rules in App Manager.
<package_name> <component_name> <type> <mode>|<component_status>|<is_granted>
This the format is essentially the same as above except for the first item which is the name of the package.
Caution.
The exported rules have a different format than the internal one and should not be copied directly to the conf folder.
Back up/restore feature is now finally out of beta! Read the corresponding guide to understand how it works.
Log viewer is essentially a
front-end for logcat
. It can be used to filter logs by
tag or pid (process ID), or even by custom filters.
Log levels AKA verbosity can also be configured. You can also save,
share and manage logs.
Lock App Manager with the screen lock configured for your device.
You can set any mode for any app ops that your device supports, either from the 1-click ops page or from the app ops tab.
You can now easily add selected apps to an existing profile using the batch operations.
App info tab now has many options, including the ability to change SSAID, network policy (i.e. background network usage), battery optimization, etc. Most of the tags used in this tab are also clickable, and if you click on them, you will be able to look at the current state or configure them right away.
Sort and filter options are now replaced by List Options which is highly configurable, including the ability to filter using profiles.
Interested in knowing about your device in just one page? Go to the bottom of the settings page.
Not interested in all the features that AM offers? You can disable some features in settings.
AM now has more than 19 languages! New languages include Farsi, Japanese and Traditional Chinese.
You can now import external signing keys in AM! For security, App Manager has its own encrypted KeyStore which can also be imported or exported.
Since APKMirror has removed encryption from their APKM files, it’s no longer necessary to decrypt them. As a result, the option to decrypt APKM files has been removed. Instead, this option is now provided by the UnAPKM extension which you can grab from F-Droid. So, if you have an encrypted APKM file and have this extension installed, you can open the file directly in AM.
Profiles finally closes the related
issue. Profiles can be used to execute certain tasks repeatedly
without doing everything manually. A profile can be applied (or invoked)
either from the Profiles page or from
the home screen by creating shortcuts. There are also some presets which
consist of debloating profiles taken from Universal
Android Debloater. Exporting rules and applying permissions are not currently
working. Profiles are applied for all users.6.2.1.0.1 Known limitations
Intent
Intercept works as a man-in-the-middle between source and
destination, that is, when you open a file or URL with another app, you
can see what is being shared by opening it with Interceptor first. You
can also add or modify the intents before sending them to the
destination. Additionally, you can double-click on any exportable
activities in the Activities tab in the App Details page to open them in
the Interceptor to add more configurations. Editing extras is not currently possible.6.2.2.0.1 Known limitation
When I released a small tool called UnAPKM, I promised that similar feature will be available in App Manager. I am proud to announce that you can open APKM files directly in the App Info page or convert them to APKS or install them directly.
App manager now supports multiple users! For now, this requires root or ADB. But no-root support is also being considered. If you have multiple users enabled and click on an app installed in multiple profiles, an alert prompt will be displayed where you can select the user.
Thanks to the contributors, we have one more addition to the language club: French. You can add more languages or improve existing translations at Weblate.
If App Manager crashes, you can now easily report the crash from the notifications which opens the share options. Crashes are not reported by App Manager, it only redirects you to your favourite Email client.
Added support for Android 11. Not everything may work as expected though.
In settings page, you can set install locations such as auto (default), internal only and prefer external.
In settings page, you can also set default APK installer (root/ADB only) instead of App Manager.
In settings page, you can allow App Manager to display multiple users during APK installation.
In settings page, you can choose to sign APK files before installing
them. You can also select which signature scheme to use in the APK
signing option in settings. Currently, only a generic key is used to sign APK files6.2.8.4.1 Known limitation
As promised, it is now possible to select splits. AM also provides
recommendations based on device configurations. If the app is already
installed, recommendations are provided based on the installed app. It
is also possible to downgrade to a lower version without data loss if
the device has root or ADB. But it should be noted that not all app can
be downgraded. Installer is also improved to speed up the installation
process, especially, for root users. If the app has already been
installed and the new (x)apk(s) is newer or older or the same version
with a different signature, AM will display a list of changes similar to
What’s New before prompting the user to install the
app. This is useful if the app has introduced tracker components, new
permissions, etc. Large app can take a long time to fetch app info and therefore it
may take a long time display the installation prompt. If the apk is not located in the internal storage, the app has to
be cached first which might also take a long time depending on the size
of the apk.6.3.1.0.1 Known Limitations
Exodus page is now replaced with scanner page. Scanner page contains not only a list of trackers but also a list of used libraries. This is just a start. In the future, this page will contain more in depth analysis of the app.
System Config lists various system configurations and whitelists/blacklists included in Android by either OEM/vendor, AOSP or even some Magisk modules. Root users can access this option from the overflow menu in the main page. There isn’t any official documentation for these options therefore it’s difficult to write a complete documentation for this page. I will gradually add documentations using my own knowledge. However, some functions should be understandable by their name.
Thanks to the contributors, AM now has more than 12 languages. New languages include Bengali, Hindi, Norwegian, Polish, Russian, Simplified Chinese, Turkish and Ukrainian.
More tags are added in the app info tab such as KeyStore (apps with KeyStore items), Systemless app (apps installed via Magisk), Running (apps that are running). For external apk, two more options are added namely Reinstall and Downgrade. Now it is possible to share an apk via Bluetooth. For system apps, it is possible to uninstall updates for root/ADB users. But like the similar option in the system settings, this operation will clear all app data. As stated above, exodus has been replaced with scanner.
It is now possible to sort and filter processes in this tab. Also, the three big buttons are replaced with an easy-to-use three dot menu. Previously the memory usage was wrong which is fixed in this version.
Toybox (an alternative to busybox) is bundled with AM. Although Android has this utility built-in from API 23, toybox is bundled in order to prevent buggy implementations and to support API < 23.
Component blocker seemed to be problematic in the previous version, especially when global component blocking is enabled. The issues are mostly fixed now.
Caution.
The component blocking mechanism is no longer compatible with v2.5.6 due to various security issues. If you have this version, upgrade to v2.5.13 or earlier versions first. After that, enable global component blocking and disable it again.
Value of various app ops depend on their parent app ops. Therefore, when you allow/deny an app op, the parent of the app op gets modified. This fixes the issues some users have been complaining regarding some app ops that couldn’t be changed.
If an app has the target API 23 or less, its permissions cannot be
modified using the pm grant …
command. Therefore, for such
apps, option to toggle permission has been disabled.
The signature tab is improved to support localization. It also displays multiple checksums for a signature.
Manifest no longer crashes if the size of the manifest is too long. Generated manifest are now more accurate than before.
Bundled app formats such as apks and
xapk are now supported. You can install these apps
using the regular installation buttons. For root and adb users, apps are
installed using shell, and for non-root users, the platform default
method is used. Currently all splits apks are installed. But this
behaviour is going to change in the next release. If you only need a few
splits instead of all, extract the APKS or
XAPK file, and then, create a new zip file with your
desired split apks and replace the ZIP extension with
APKS. Now, open it with AM. There is no progress dialog to display the installation
progress.6.4.1.0.1 Known Limitations
You can now install APK, APKS or
XAPK directly from your favourite browser or file
manager. For apps that need updates, a What’s New
dialog is displayed showing the changes in the new version. Downgrade is not yet possible. There is no progress dialog to display the installation progress.
If you cannot interact with the current page, wait until the
installation is finished.6.4.2.0.1 Known Limitations
In the Settings page, a new option is added which can be used to remove all blocking rules configured within App Manager.
App Ops are now generated using a technique similar to AppOpsX. This should decrease the loading time significantly in the App Ops tab.
In the App Ops tab, a menu item is added which can be used to list only active app ops without including the default app ops. The preference is saved in the shared preferences.
Often the App Ops tab may not be responsive. If that’s the case, restart App Manager.
ADB shell commands are now executed using a technique similar to
AppOpsX (This is the free alternative of AppOps by Rikka.).
This should dramatically increase the execution time. AM can often crash or become not responsive. If that’s the case,
restart App Manager.6.4.5.0.1 Known Limitation
Add an option to filter apps that has at least one activity.
Apk files are now saved as app name_version.extension
instead of package.name.extension
.
Added a foreground service to run batch operations. The result of the operation is displayed in a notification. If an operation has failed for some packages, clicking on the notification will open a dialog box listing the failed packages. There is also a Try Again button on the bottom which can be used to perform the operation again for the failed packages.
Replaced Linux kill with force-stop.
Added German and Portuguese (Brazilian) translations. Not all translations are verified yet.6.4.9.0.1 Known Limitation
Install app only for the current user at the time of restoring backups. Support for split apks is also added.
Data backup feature is now considered unstable. If you encounter any problem, please report to me without hesitation.
App Ops (short hand for Application
Operations) are used by Android system (since Android 4.3) to
control application permissions. The user can control some
permissions, but only the permissions that are considered dangerous (and
Google thinks knowing your phone number isn’t a dangerous thing). So,
app ops seems to be the one we need if we want to install apps like
Facebook and it’s Messenger (the latter literary records everything if
you live outside the EU) and still want some privacy and/or
security. Although certain features of app ops were available in
Settings and later in hidden settings in older version of Android, it’s
completely hidden in newer versions of Android and is continued to be
kept hidden. Now, any app with
android.Manifest.permission.GET_APP_OPS_STATS
permission can get the app ops information for other applications but
this permission is hidden from users and can only be enabled using ADB
or root. Still, the app with this permission cannot grant or revoke
permissions (actually mode of operation) for apps other than itself
(with limited capacity, of course). To modify the ops of other app, the
app needs
android.Manifest.permission.UPDATE_APP_OPS_STATS
permissions which isn’t accessible via pm
command. So, you
cannot grant it via root or ADB, the permission is only granted to the
system apps. There are very few apps who support disabling permissions
via app ops. The best one to my knowledge is AppOpsX. The main (visible)
difference between my app (AppManager) and this app is that the latter
also provides you the ability to revoke internet permissions (by writing
ip tables). One crucial problem that I faced during the development of
the app ops API is the lack of documentation in English language.
Figure 1 describes the process of changing
and processing permission. AppOpsManager can be used to manage
permissions in Settings app. AppOpsManager is also
useful in determining if a certain permission (or operation) is granted
to the application. Most of the methods of
AppOpsManager are accessible to the user app but unlike
a system app, it can only be used to check permissions for any app or
for the app itself and start or terminating certain operations.
Moreover, not all operations are actually accessible from this Java
class. AppOpsManager holds all the necessary constants
such as OP_*
,
OPSTR_*
, MODE_*
which describes
operation code, operation string and mode of operations respectively. It
also holds necessary data structures such as PackageOps and OpEntry.
PackageOps holds OpEntry for a
package, and OpEntry, as the name suggests, describes
each operation.
AppOpService
is completely hidden from a user
application but accessible to the system applications. As it can be seen
in Figure 1, this is the class that does the
actual management stuff. It contains data structures such as
Ops to store basic package info and Op
which is similar to OpEntry of
AppOpsManager. It also has Shell which
is actually the source code of the appops command line tool. It writes
configurations to or read configurations from /data/system/appops.xml
. System
services calls AppOpsService to find out what an
application is allowed and what is not allowed to perform, and
AppOpsService determines these permissions by parsing
/data/system/appops.xml
. If no custom values are present in
appops.xml, it returns the default mode available in
AppOpsManager.
AppOpsManager stands for application operations manager. It consists of various constants and classes to modify app operations.
See also: AppOpsManager documentation
OP_*
ConstantsOP_*
are the integer constants starting from
0
. OP_NONE
implies that no operations are
specified whereas _NUM_OP
denotes the number of operations
defined in OP_*
prefix. While they denote each operation,
the operations are not necessarily unique. In fact, there are many
operations that are actually a single operation denoted by multiple
OP_*
constant (possibly for future use). Vendors may define
their own op based on their requirements. MIUI is one of the vendors who
are known to do that.
public static final int OP_NONE = -1;
public static final int OP_COARSE_LOCATION = 0;
public static final int OP_FINE_LOCATION = 1;
public static final int OP_GPS = 2;
public static final int OP_VIBRATE = 3;
...
public static final int OP_READ_DEVICE_IDENTIFIERS = 89;
public static final int OP_ACCESS_MEDIA_LOCATION = 90;
public static final int OP_ACTIVATE_PLATFORM_VPN = 91;
public static final int _NUM_OP = 92;
Whether an operation is unique is defined by
sOpToSwitch
. It maps each operation to another operation or
to itself (if it’s a unique operation). For instance,
OP_FINE_LOCATION
and OP_GPS
are mapped to
OP_COARSE_LOCATION
.
Each operation has a private name which are described by
sOpNames
. These names are usually the same names as the
constants without the OP_
prefix. Some operations have
public names as well which are described by sOpToString
.
For instance, OP_COARSE_LOCATION
has the public name
android:coarse_location.
As a gradual process of moving permissions to app ops, there are
already many permissions that are defined under some operations. These
permissions are mapped in sOpPerms
. For example, the
permission
android.Manifest.permission.ACCESS_COARSE_LOCATION is
mapped to OP_COARSE_LOCATION
. Some operations may not have
any associated permissions which have null
values.
As described in the previous section, operations that are configured
for an app are stored at /data/system/appops.xml
. If an
operation is not configured, then whether system will allow that
operation is determined from sOpDefaultMode
. It lists the
default mode for each operation.
MODE_*
ConstantsMODE_*
constants also integer constants starting from
0
. These constants are assigned to each operation
describing whether an app is authorised to perform that operation. These
modes usually have associated names such as allow for
MODE_ALLOWED
, ignore for
MODE_IGNORED
, deny for
MODE_ERRORED
(a rather misnomer), default
for MODE_DEFAULT
and foreground for
MODE_FOREGROUND
.
MODE_ALLOWED
. The app is allowed to
perform the given operation
MODE_IGNORED
. The app is not
allowed to perform the given operation, and any attempt to perform the
operation should silently fail, i.e. it should not cause the
app to crash
MODE_ERRORED
. The app is not
allowed to perform the given operation, and this attempt should cause it
to have a fatal error, typically a
SecurityException
MODE_DEFAULT
. The app should use
its default security check, specified in
AppOpsManager
MODE_FOREGROUND
. Special mode that
means “allow only when app is in foreground.” This mode was added in
Android 10
MODE_ASK
. This is a custom mode
used by MIUI whose uses are unknown.
AppOpsManager.PackageOps is a data structure to store all the OpEntry for a package. In simple terms, it stores all the customised operations for a package.
public static class PackageOps implements Parcelable {
private final String mPackageName;
private final int mUid;
private final List<OpEntry> mEntries;
...
}
As can be seen in Listing 2, it stores all OpEntry for a package as well as the corresponding package name and its kernel user ID.
AppOpsManager.OpEntry is a data structure that stores a single operation for any package.
public static final class OpEntry implements Parcelable {
private final int mOp;
private final boolean mRunning;
private final @Mode int mMode;
private final @Nullable LongSparseLongArray mAccessTimes;
private final @Nullable LongSparseLongArray mRejectTimes;
private final @Nullable LongSparseLongArray mDurations;
private final @Nullable LongSparseLongArray mProxyUids;
private final @Nullable LongSparseArray<String> mProxyPackageNames;
...
}
Here:
mOp
: Denotes one of the OP_*
constants
mRunning
: Whether the operation is in progress
(i.e. the operation has started but not finished yet). Not all
operations can be started or finished this way
mMOde
: One of the MODE_*
constants
mAccessTimes
: Stores all the available access
times
mRejectTimes
: Stores all the available reject
times
mDurations
: All available access durations, checking
this with mRunning
will tell you for how long the app is
performing a certain app operation
mProxyUids
: No documentation found
mProxyPackageNames:
No documentation found
TODO
TODO
Latest appops.xml
has the following format: (This DTD is
made by me and by no means perfect, has compatibility issues.)
<!DOCTYPE app-ops [
<!ELEMENT app-ops (uid|pkg)*>
<!ATTLIST app-ops v CDATA #IMPLIED>
<!ELEMENT uid (op)*>
<!ATTLIST uid n CDATA #REQUIRED>
<!ELEMENT pkg (uid)*>
<!ATTLIST pkg n CDATA #REQUIRED>
<!ELEMENT uid (op)*>
<!ATTLIST uid
n CDATA #REQUIRED
p CDATA #IMPLIED>
<!ELEMENT op (st)*>
<!ATTLIST op
n CDATA #REQUIRED
m CDATA #REQUIRED>
<!ELEMENT st EMPTY>
<!ATTLIST st
n CDATA #REQUIRED
t CDATA #IMPLIED
r CDATA #IMPLIED
d CDATA #IMPLIED
pp CDATA #IMPLIED
pu CDATA #IMPLIED>
]>
The instruction below follows the exact order given above:
app-ops
: The root element. It can contain any number
of pkg
or package uid
v
: (optional, integer) The version number (default:
NO_VERSION
or -1
)
pkg
: Stores package info. It can contain any number
of uid
n
: (required, string) Name of the package
Package uid
: Stores package or packages info
n
: (required, integer) The user ID
uid
: The package user ID. It can contain any number
of op
n
: (required, integer) The user ID
p
: (optional, boolean) Is the app is a
private/system app
op
: The operation, can contain st
or
nothing at all
n
: (required, integer) The op name in integer,
i.e. AppOpsManager.OP_*
m
: (required, integer) The op mode,
i.e. AppOpsManager.MODE_*
st
: State of operation: whether the operation is
accessed, rejected or running (not available on old versions)
n
: (required, long) Key containing flags and
uid
t
: (optional, long) Access time (default:
0
)
r
: (optional, long) Reject time (default:
0
)
d
: (optional, long) Access duration (default:
0
)
pp
: (optional, string) Proxy package name
pu
: (optional, integer) Proxy package uid
This definition can be found at AppOpsService.
appops
or cmd appops
(on latest versions)
can be accessible via ADB or root. This is an easier method to get or
update any operation for a package (provided the package name is known).
The help page of this command is self-explanatory:
AppOps service (appops) commands:
help
Print this help text.
start [--user <USER_ID>] <PACKAGE | UID> <OP>
Starts a given operation for a particular application.
stop [--user <USER_ID>] <PACKAGE | UID> <OP>
Stops a given operation for a particular application.
set [--user <USER_ID>] <[--uid] PACKAGE | UID> <OP> <MODE>
Set the mode for a particular application and operation.
get [--user <USER_ID>] <PACKAGE | UID> [<OP>]
Return the mode for a particular application and optional operation.
query-op [--user <USER_ID>] <OP> [<MODE>]
Print all packages that currently have the given op in the given mode.
reset [--user <USER_ID>] [<PACKAGE>]
Reset the given application or all applications to default modes.
write-settings
Immediately write pending changes to storage.
read-settings
Read the last written settings, replacing current state in RAM.
options:
<PACKAGE> an Android package name or its UID if prefixed by --uid
<OP> an AppOps operation.
<MODE> one of allow, ignore, deny, or default
<USER_ID> the user id under which the package is installed. If --user is not
specified, the current user is assumed.