How do I set file permissions for the contents of an APK file, so that the file is readable by the user only?
You don't. The permissions on files that are part of the APK are set up by the operating system at install time, and you do not have direct control over that behavior. Moreover, at least on the one test that I did, .so
files on the /data
partition are not owned by you (at least on the emulator) and therefore cannot have their permission bits modified by you:
root@generic_x86:/data # ls -al app-lib/com.commonsware.android.passwordbox-1/
-rwxr-xr-x system system 1757156 2014-03-15 13:28 libdatabase_sqlcipher.so
-rwxr-xr-x system system 3491452 2014-03-15 13:28 libsqlcipher_android.so
-rwxr-xr-x system system 526052 2014-03-15 12:28 libstlport_shared.so
You're welcome to do your own analysis of this if you have a rooted device, to see if it behaves differently than does the emulator. Note that I did not find the .so
files in the location that they did, possibly due to differences in OS level for testing (I tried a 4.3 x86 emulator).
But I assume that I need to do this in the Manifest, or possibly on the file system of the build machine, or something?
No, there is nothing in any of that that has anything to do with the permission bits on .so
files on the device.
As I mentioned in the comment, it is up to the security auditors to demonstrate that the behavior of your app is somehow abnormal. Auditors should be able to do this, or admit that your behavior is not abnormal, other than that it uses the NDK.
A rogue application on the device could leverage this vulnerability to read sensitive data stored by the application
Generally speaking, this would not be the case. The .so
being world-readable does not magically make the application's "sensitive data" world readable. That is still controlled by file permissions on the data itself.