Every Android app begins with a humble file: AndroidManifest.xml. You add permissions, declare activities, and move on.

But behind this file lies one of Android’s most critical subsystems — the Package Manager.
It’s how Android knows what your app is, what it can do, and what it’s allowed to touch.

Let’s uncover what really happens from build time to runtime.

⚙️ 1. The Manifest You Write Isn’t What Android Reads

When you build your app, your human-readable manifest is compiled into binary XML by AAPT2. This makes it smaller and faster to parse.

aapt dump xmltree app.apk AndroidManifest.xml

 

During packaging, AAPT2 merges manifests from libraries and modules — the final version inside the APK is often much bigger than you expect.

Manifest.xml (text)
↓
AAPT2 → Binary XML
↓
Packaged into APK

 

🏗️ 2. Installation — Where the Real Magic Happens

When you install an app (via Play Store or adb install), the Package Manager Service (PMS) inside Android’s system_server process steps in.

It uses a class called PackageParser to read the binary manifest and extract everything about your app:

• Components (Activity, Service, Receiver, Provider)
• Permissions and SDK info
• Intent filters and meta-data

PMS then:

• Stores this info in /data/system/packages.xml
• Updates internal databases
• Notifies services like ActivityManagerService and PermissionManagerService

That’s how Android “registers” your app before you ever run it.

🧩 3. Who Parses the Manifest?

PackageParser (part of AOSP) literally walks through your manifest node by node:

if ("uses-permission".equals(tag)) {
parseUsesPermission(parser);
}

 

Each tag becomes part of a PackageParser.Package object — the in-memory definition of your app.

Once parsed, Android doesn’t re-read the manifest again.
Everything is cached in the Package Manager for fast lookups.

🚀 4. Launching the App

When you tap your app icon:

• Android checks the cached manifest data to find your MAIN + LAUNCHER activity.
• Zygote forks your app process.
• ActivityThread receives an ApplicationInfo object — pre-filled from manifest data.

No parsing happens at launch — everything is already known.

🛡️ 5. Permissions — The Two-Stage Process

Install Time

PMS checks <uses-permission> tags:

• Normal permissions (like INTERNET) → auto-granted
• Dangerous permissions (like READ_CONTACTS) → user approval needed later

Runtime

When your app requests something protected:

1. The system checks if you declared it in your manifest.
2. Then it checks if the user granted it.
3. PermissionManagerService and AppOpsManager handle these checks.

If you missed declaring it, Android throws a SecurityException — even if the user approved it earlier.

🧠 6. The Key Players

💡 7. Why It Matters

Knowing how this works helps you:

• Debug tricky permission or manifest merge issues
• Understand how the system enforces app boundaries
• Inspect third-party APKs confidently (adb shell dumpsys package your.package.name)

The manifest isn’t just metadata — it’s your app’s contract with Android.

🧭 Final Thoughts

AndroidManifest.xml defines everything about your app — before it ever runs.
From permissions to launchers to content providers, Android relies entirely on what’s inside it.

Next time you add a permission or intent filter, remember:

1. It’s not just XML.
2. It’s how your app talks to the Android system itself.

 

This article was previously published on proandroiddev.com