diff --git a/CommonInstaller b/CommonInstaller
index 6a2b1c5..5189723 100644
--- a/CommonInstaller
+++ b/CommonInstaller
@@ -415,7 +415,11 @@ detect_arch () {
 				SWIPE_LIBDIR=lib64 ;;
 	esac
 
-	chmod +x "${INSTALLER}/system/xbin/unzip.${BIN_ARCH}"
+	UNZIP="${INSTALLER}/system/xbin/unzip.${BIN_ARCH}"
+	chmod +x "${UNZIP}"
+
+	AAPT="${INSTALLER}/system/xbin/aapt.${BIN_ARCH}"
+	chmod +x "${AAPT}"
 
 	case ${SDK_VERSION} in
 		19 )		GSYNC_VER=K	;;
@@ -742,7 +746,7 @@ check_fake_package_signature () {
 
 	if [ ! -f ${FW_RES_FILE} ]; then
 		mkdir -p "${FW_RES_DIR}"
-		unzip -oq /system/framework/framework-res.apk -d "${FW_RES_DIR}"
+		"${UNZIP}" -oq /system/framework/framework-res.apk -d "${FW_RES_DIR}"
 	fi
 
 	grep -qF "${PERMISSION}" "${FW_RES_FILE}" && HAS_FAKESIGN=true
@@ -764,7 +768,7 @@ check_bromite_webview_support () {
 
 	if [ ! -f ${FW_RES_FILE} ]; then
 		mkdir -p "${FW_RES_DIR}"
-		unzip -oq /system/framework/framework-res.apk -d "${FW_RES_DIR}"
+		"${UNZIP}" -oq /system/framework/framework-res.apk -d "${FW_RES_DIR}"
 	fi
 
 	grep -qF "${WEBVIEW_PKG}" "${FW_RES_FILE}" && HAS_WEBVIEW=true
@@ -772,6 +776,47 @@ check_bromite_webview_support () {
 	${HAS_WEBVIEW} && return 0 || return 1
 }
 
+##########################################################################################
+# privapp permission whitelist generation
+##########################################################################################
+
+dump_system_privapp_permissions () {
+	# XXX this looks shitty
+	"${AAPT}" d --values xmltree /system/framework/framework-res.apk \
+		tr -d '\n' | sed -e 's/E:/\n/g' | grep '(type 0x11)0x12' | \
+		awk -F\" '{print $2}' | sort > "${TMPDIR}/privapp-permissions.list"
+}
+
+dump_app_privapp_permissions () {
+	APK="${1}"
+	APK_NAME="$("${AAPT}" dump badging "${APK}" | awk -F \' '/^package: name/{print $2}')"
+
+	"${AAPT}" dump permissions "${APK}" | \
+		awk -F \' '/^uses-permission:/{print $2}' | \
+		sort > "${TMPDIR}/${APK_NAME}.list"
+}
+
+create_privapp_permissions_whitelist () {
+	APK_NAME="${1}"
+	APK_LIST="${TMPDIR}/${1}.list"
+	SYS_LIST="${TMPDIR}/privapp-permissions.list"
+	APP_WHITELIST="${TMPDIR}/${APK_NAME}.xml"
+
+	echo '<?xml version="1.0" encoding="utf-8"?>
+<permissions>
+    <privapp-permissions package="'${APK_NAME}'">' > "${APP_WHITELIST}"
+
+	cat "${APK_LIST}" | while read perm; do
+		if grep -q "${perm}" "${SYS_LIST}"; then
+			echo "  ++ package ${APK_NAME} needs privapp-whitelist ${perm}"
+			echo '        <permission name="'${perm}'" />' >> "${APP_WHITELIST}"
+		fi
+	done
+
+	echo '    </privapp-permissions>
+</permissions>' >> "${APP_WHITELIST}"
+}
+
 ##########################################################################################
 # Generic Installation
 ##########################################################################################
@@ -1071,7 +1116,7 @@ install_shell_utils () {
 		ui_print " << with Shell Utilities"
 
 		# architecture dependend stuff
-		for binary in col colcrt colrm column findfs findmnt \
+		for binary in aapt col colcrt colrm column findfs findmnt \
 			hexdump lessecho lesskey look lsblk lscpu lsipc \
 			lslocks lsns ncal setterm unzip whereis; do
 			nanodroid_install_file xbin/${binary}.${BIN_ARCH} bin
@@ -1324,8 +1369,7 @@ nanodroid_install_lib () {
 
 	unset srcdir
 
-	"${INSTALLER}/system/xbin/unzip.${BIN_ARCH}" \
-		-oq "${apk}" "lib/*" -d "${TMP_LIBDIR}" \
+	"${UNZIP}" -oq "${apk}" "lib/*" -d "${TMP_LIBDIR}" \
 		2>/dev/null
 	unzip_return=$?