Overview
AndroidManifest.xml is the application’s central configuration file. Misconfigurations here introduce vulnerabilities at the OS level, before a single line of application code runs. Most findings are static and detectable via apktool or manual review.
Extract Manifest from APK
aapt:
Debuggable Flag Enabled
MASWE-0067 · MASVS-RESILIENCE: owasp.org/MASWE-0067android:debuggable="true" allows any process to attach a debugger to the app via ADB, even on non-rooted devices.
Vulnerable:
jdb, dump memory, bypass logic, extract secrets at runtime.
Check:
Backup Enabled
MASWE-0004 · MASVS-STORAGE: owasp.org/MASWE-0004android:allowBackup="true" (default) allows full app data extraction without root via adb backup.
Vulnerable:
android:allowBackup="false" or use android:fullBackupContent rules to exclude sensitive files.
Exported Components
MASWE-0062 / 0063 / 0064 · MASVS-PLATFORM: 0062 · 0063 · 0064 Activities, Services, Receivers, and Providers are exported to other apps when:android:exported="true"is set explicitly, or- an
<intent-filter>is declared (implicit export on API < 31)
Exported Activity
Exported Service
Exported Broadcast Receiver
Exported Content Provider
Cleartext Traffic Allowed
MASWE-0050 · MASVS-NETWORK: owasp.org/MASWE-0050android:usesCleartextTraffic="true" permits HTTP connections. All traffic can be intercepted on the same network.
Vulnerable:
res/xml/network_security_config.xml for domain-specific cleartext allowances:
User CA Trusted in Network Security Config
MASWE-0286 · MASVS-NETWORK: owasp.org/MASWE-0286 Allowing user-installed CAs in the Network Security Config makes SSL interception trivial, no root required.Insecure Deep Links
MASWE-0058 · MASVS-PLATFORM: owasp.org/MASWE-0058 Deep links declared without proper validation allow other apps or browsers to trigger internal activities with attacker-controlled data. Vulnerable: no verification:android:autoVerify="true" + HTTPS scheme) so the OS verifies domain ownership before accepting the link.
Task Affinity / StrandHogg
MASWE-0057 · MASVS-PLATFORM: owasp.org/MASWE-0057 DefaulttaskAffinity combined with launchMode="singleTask" and allowTaskReparenting="true" enables the StrandHogg attack, a malicious app hijacks the foreground of the target app when the user launches it.
Vulnerable:
android:taskAffinity="" to disable reparenting, or android:launchMode="singleInstance".
Insufficient Permission Declarations
MASWE-0117 · MASVS-PRIVACY: owasp.org/MASWE-0117 Over-requested permissions increase the attack surface and privacy exposure. Check all declared permissions:android:protectionLevel="signature" for internal permissions shared between apps of the same developer.
Target and Min SDK Version
MASWE-0077 / 0078 · MASVS-CODE: 0077 · 0078 LowminSdkVersion exposes the app on older Android versions that lack modern security features. Low targetSdkVersion disables OS-level mitigations.
| Issue | Risk |
|---|---|
minSdkVersion < 21 | Runs on Android 4.x: no enforced SELinux, weak TLS |
targetSdkVersion < 28 | No cleartext block by default, no scoped storage |
targetSdkVersion < 31 | Components with <intent-filter> implicitly exported |
References
| ID | Title | MASVS Category | Link |
|---|---|---|---|
| MASWE-0004 | Sensitive Data Not Excluded From Backup | MASVS-STORAGE | mas.owasp.org |
| MASWE-0050 | Cleartext Traffic | MASVS-NETWORK | mas.owasp.org |
| MASWE-0057 | StrandHogg Attack / Task Affinity Vulnerability | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0058 | Insecure Deep Links | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0062 | Insecure Services | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0063 | Insecure Broadcast Receivers | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0064 | Insecure Content Providers | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0067 | Debuggable Flag Not Disabled | MASVS-RESILIENCE | mas.owasp.org |
| MASWE-0077 | Running on a Recent Platform Version Not Ensured | MASVS-CODE | mas.owasp.org |
| MASWE-0078 | Latest Platform Version Not Targeted | MASVS-CODE | mas.owasp.org |
| MASWE-0117 | Inadequate Permission Management | MASVS-PRIVACY | mas.owasp.org |
| MASWE-0286 | Network Security Configuration Allowing Trust in User-Provided CAs | MASVS-NETWORK | mas.owasp.org |
Quick Checklist
| Flag | Safe Value | Risk if Wrong |
|---|---|---|
android:debuggable | false | Debugger attach, memory dump |
android:allowBackup | false | Full data extraction via ADB |
android:exported | false (unless required) | Component hijack |
android:usesCleartextTraffic | false | HTTP interception |
android:networkSecurityConfig | No user CAs | SSL interception |
android:autoVerify | true on App Links | Deep link hijack |
android:taskAffinity | "" | StrandHogg |
android:protectionLevel | signature for internal | Permission abuse |