Overview
AndroidManifest.xml is the application’s central configuration file. Misconfigurations here introduce vulnerabilities at the OS level, before a single line of application code runs. Most findings are static and detectable via apktool or manual review.
```bash
apktool d target.apk -o output/
cat output/AndroidManifest.xml
```
Or with aapt:
```bash
aapt dump xmltree target.apk AndroidManifest.xml
```
Debuggable Flag Enabled
MASWE-0067 · MASVS-RESILIENCE: owasp.org/MASWE-0067
android:debuggable="true" lets anyone with ADB access attach a debugger to the app's process, even on non-rooted devices.
Vulnerable:
```xml
<application android:debuggable="true" ...>
```
Impact: attacker can attach jdb, dump memory, bypass logic, extract secrets at runtime.
Check:
```bash
adb shell run-as <package.name>
adb jdwp   # lists debuggable processes
```
Exploit:
```bash
adb forward tcp:8700 jdwp:<PID>
jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
```
Backup Enabled
MASWE-0004 · MASVS-STORAGE: owasp.org/MASWE-0004
android:allowBackup="true" (default) allows full app data extraction without root via adb backup.
Vulnerable:
```xml
<application android:allowBackup="true" ...>
```
Extract backup:
```bash
adb backup -noapk <package.name>
# skip the 24-byte .ab header, then inflate the zlib-compressed tar
dd if=backup.ab bs=1 skip=24 | python3 -c "import zlib,sys; sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar
tar xf backup.tar
```
Fix: android:allowBackup="false" or use android:fullBackupContent rules to exclude sensitive files.
Exported Components
MASWE-0062 / 0063 / 0064 · MASVS-PLATFORM: owasp.org/MASWE-0062 · owasp.org/MASWE-0063 · owasp.org/MASWE-0064
Activities, Services, Receivers, and Providers are exported to other apps when:
- android:exported="true" is set explicitly, or
- an <intent-filter> is declared and android:exported is not set (implicit export for apps with targetSdkVersion < 31)
Exported Activity
<activity android:name=".AdminActivity" android:exported="true" />
Exploit: launch directly:
```bash
adb shell am start -n <package>/.AdminActivity
```
Exported Service
```xml
<service android:name=".SyncService" android:exported="true" />
```
Exploit:
```bash
adb shell am startservice -n <package>/.SyncService
```
Exported Broadcast Receiver
```xml
<receiver android:name=".SMSReceiver">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
```
Exploit:
```bash
adb shell am broadcast -a android.provider.Telephony.SMS_RECEIVED -n <package>/.SMSReceiver
```
Exported Content Provider
```xml
<provider
    android:name=".UserProvider"
    android:authorities="com.example.provider"
    android:exported="true" />
```
Exploit: query data:
```bash
adb shell content query --uri content://com.example.provider/users
```
Cleartext Traffic Allowed
MASWE-0050 · MASVS-NETWORK: owasp.org/MASWE-0050
android:usesCleartextTraffic="true" permits plain HTTP connections. Anyone on the same network can read and modify that traffic.
Vulnerable:
```xml
<application android:usesCleartextTraffic="true" ...>
```
Also check res/xml/network_security_config.xml for domain-specific cleartext allowances:
```xml
<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
</domain-config>
```
Intercept with Burp/mitmproxy after setting the proxy. No certificate bypass needed for plain HTTP.
User CA Trusted in Network Security Config
MASWE-0286 · MASVS-NETWORK: owasp.org/MASWE-0286
Allowing user-installed CAs in the Network Security Config makes SSL interception trivial, no root required.
```xml
<!-- res/xml/network_security_config.xml -->
<trust-anchors>
    <certificates src="user" />
</trust-anchors>
```
The manifest links it:
```xml
<application android:networkSecurityConfig="@xml/network_security_config" ...>
```
Impact: attacker installs their CA → intercepts all TLS traffic.
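The two Network Security Config findings above (domain-specific cleartext allowances and user trust anchors) can be checked statically from the decoded resource. The script below is an added example, not code from the original page or from bytejmp; the sample config it parses is constructed.

```python
"""Audit an Android res/xml/network_security_config.xml for the two findings above.

Added example, not part of the original page: flags domain-specific cleartext
allowances (MASWE-0050) and trust in user-installed CAs (MASWE-0286).
"""
import xml.etree.ElementTree as ET

# Constructed sample config combining both findings plus a debug override.
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_nsc(xml_text: str) -> list[str]:
    """Return one finding per risky element, in document order; [] if clean."""
    root, findings = ET.fromstring(xml_text), []
    for cfg in root:
        if cfg.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
        scope = ", ".join(domains) or "all domains"
        # Only an explicit "true" is flagged: a missing attribute defaults to
        # false for apps targeting API 28+, which the manifest checks cover.
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"cleartext permitted for {scope} (MASWE-0050)")
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            where = "debug-overrides (active only when debuggable)" if cfg.tag == "debug-overrides" else scope
            findings.append(f"user CAs trusted for {where} (MASWE-0286)")
    return findings


if __name__ == "__main__":
    for line in audit_nsc(SAMPLE_CONFIG):
        print("[!]", line)
```

Run it against output/res/xml/network_security_config.xml from the apktool output; a debug-overrides hit only matters if the manifest also sets android:debuggable="true".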
Insecure Deep Links
MASWE-0058 · MASVS-PLATFORM: owasp.org/MASWE-0058
Deep links declared without proper validation allow other apps or browsers to trigger internal activities with attacker-controlled data.
Vulnerable: no verification:
<activity android:name=".PaymentActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="myapp" android:host="pay" />
</intent-filter>
</activity>
Exploit:
```bash
adb shell am start -a android.intent.action.VIEW \
    -d "myapp://pay?amount=0&to=attacker"
```
Secure alternative: use App Links (android:autoVerify="true" + HTTPS scheme) so the OS verifies domain ownership before accepting the link.
Task Affinity / StrandHogg
MASWE-0057 · MASVS-PLATFORM: owasp.org/MASWE-0057
Default taskAffinity combined with launchMode="singleTask" and allowTaskReparenting="true" enables the StrandHogg attack, in which a malicious app hijacks the foreground of the target app when the user launches it.
Vulnerable:
```xml
<activity
    android:name=".MainActivity"
    android:allowTaskReparenting="true"
    android:taskAffinity="com.malicious.app" />
```
Fix: set android:taskAffinity="" to disable reparenting, or android:launchMode="singleInstance".
Insufficient Permission Declarations
MASWE-0117 · MASVS-PRIVACY: owasp.org/MASWE-0117
Over-requested permissions increase the attack surface and privacy exposure.
Check all declared permissions:
```bash
aapt dump permissions target.apk
```
Look for sensitive permissions that may not be required:
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
Also check for custom permissions with weak protection level:
```xml
<!-- Vulnerable — any app can use this permission -->
<permission
    android:name="com.example.ADMIN"
    android:protectionLevel="normal" />
```
Fix: use android:protectionLevel="signature" for internal permissions shared between apps of the same developer.
Target and Min SDK Version
MASWE-0077 / 0078 · MASVS-CODE: 0077 · 0078
Low minSdkVersion exposes the app on older Android versions that lack modern security features. Low targetSdkVersion disables OS-level mitigations.
```xml
<uses-sdk
    android:minSdkVersion="16"
    android:targetSdkVersion="28" />
```
| Issue | Risk |
|---|---|
| minSdkVersion < 21 | Runs on Android 4.x: no enforced SELinux, weak TLS |
| targetSdkVersion < 28 | No cleartext block by default, no scoped storage |
| targetSdkVersion < 31 | Components with <intent-filter> implicitly exported |
References
| ID | Title | MASVS Category | Link |
|---|---|---|---|
| MASWE-0004 | Sensitive Data Not Excluded From Backup | MASVS-STORAGE | mas.owasp.org |
| MASWE-0050 | Cleartext Traffic | MASVS-NETWORK | mas.owasp.org |
| MASWE-0057 | StrandHogg Attack / Task Affinity Vulnerability | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0058 | Insecure Deep Links | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0062 | Insecure Services | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0063 | Insecure Broadcast Receivers | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0064 | Insecure Content Providers | MASVS-PLATFORM | mas.owasp.org |
| MASWE-0067 | Debuggable Flag Not Disabled | MASVS-RESILIENCE | mas.owasp.org |
| MASWE-0077 | Running on a Recent Platform Version Not Ensured | MASVS-CODE | mas.owasp.org |
| MASWE-0078 | Latest Platform Version Not Targeted | MASVS-CODE | mas.owasp.org |
| MASWE-0117 | Inadequate Permission Management | MASVS-PRIVACY | mas.owasp.org |
| MASWE-0286 | Network Security Configuration Allowing Trust in User-Provided CAs | MASVS-NETWORK | mas.owasp.org |
Quick Checklist
| Flag | Safe Value | Risk if Wrong |
|---|---|---|
| android:debuggable | false | Debugger attach, memory dump |
| android:allowBackup | false | Full data extraction via ADB |
| android:exported | false (unless required) | Component hijack |
| android:usesCleartextTraffic | false | HTTP interception |
| android:networkSecurityConfig | No user CAs | SSL interception |
| android:autoVerify | true on App Links | Deep link hijack |
| android:taskAffinity | "" | StrandHogg |
| android:protectionLevel | signature for internal | Permission abuse |
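The checklist above can be run mechanically over the manifest decoded in the Overview. The script below is an added example, not code from the original page or from bytejmp; it assumes an apktool-decoded manifest and covers the debuggable, backup, cleartext, SDK-version, custom-permission, exported-component and unverified deep-link findings from the sections above, with a constructed sample manifest.

```python
"""Static audit of an apktool-decoded AndroidManifest.xml for this page's findings.
Added example, not part of the original page; SAMPLE_MANIFEST is constructed. apktool may
move <uses-sdk> into apktool.yml: if absent, the SDK checks are skipped and target is unknown."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="28" />
  <permission android:name="com.example.ADMIN" android:protectionLevel="normal" />
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".AdminActivity" android:exported="true" />
    <activity android:name=".PaymentActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="myapp" android:host="pay" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def audit_manifest(xml_text: str) -> list[str]:
    """Return one finding per misconfiguration found; empty list if clean."""
    root, f = ET.fromstring(xml_text), []
    app, sdk = root.find("application"), root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else None
    checks = [
        (app.get(A + "debuggable") == "true", "debuggable=true (MASWE-0067)"),
        (app.get(A + "allowBackup", "true") == "true", "allowBackup not disabled, default is true (MASWE-0004)"),
        (app.get(A + "usesCleartextTraffic") == "true", "usesCleartextTraffic=true (MASWE-0050)"),
        (sdk is not None and int(sdk.get(A + "minSdkVersion", "1")) < 21, "minSdkVersion < 21 (MASWE-0077)"),
        (target is not None and target < 31, f"targetSdkVersion {target} < 31 (MASWE-0078)"),
    ]
    f += [msg for cond, msg in checks if cond]
    for perm in root.findall("permission"):
        if perm.get(A + "protectionLevel", "normal") == "normal":
            f.append(f"custom permission {perm.get(A + 'name')} has protectionLevel=normal (MASWE-0117)")
    for comp in (c for c in app if c.tag in ("activity", "service", "receiver", "provider")):
        name, exported, filters = comp.get(A + "name"), comp.get(A + "exported"), comp.findall("intent-filter")
        # Pre-API-31 rule: an intent-filter with no explicit android:exported means exported.
        implicit = exported is None and bool(filters) and (target is None or target < 31)
        if exported == "true" or implicit:
            f.append(f"{comp.tag} {name} exported ({'implicit' if implicit else 'explicit'})")
        for flt in filters:
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" in cats and flt.get(A + "autoVerify") != "true":
                f.append(f"{comp.tag} {name} deep link without autoVerify (MASWE-0058)")
    return f
```

Point it at output/AndroidManifest.xml; an exported finding still needs manual review, since a launcher activity or a permission-protected component may be exported by design.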