MASTG-TECH-0150: Analyzing the AndroidManifest

Once you've extracted the AndroidManifest.xml as described in Obtaining Information from the AndroidManifest, you can analyze its content to look for specific attributes, flags, permissions, or component declarations.

Note that the output format differs depending on the extraction tool used:

  • Tools like jadx and apktool output standard XML where attributes carry the android: namespace prefix (e.g., android:debuggable="true").
  • Tools like aapt2 output a custom decoded format (not XML) that uses different naming conventions (e.g., application-debuggable).

Using grep

Use grep to search for a specific attribute or flag in the XML output:

grep -i "android:debuggable" output_dir/AndroidManifest.xml

Example output when the flag is set:

android:debuggable="true"

If the attribute is absent, the flag defaults to false for release builds.

Using aapt2

Use aapt2 to query the manifest without extracting it first:

aapt2 d badging app.apk | grep -i debuggable

Example output when the flag is set:

application-debuggable

If the line is absent, the flag is not set (defaults to false).

Using xmllint or xmlstarlet

For structured XML queries, use xmllint or xmlstarlet on the extracted XML manifest:

xmlstarlet sel -t -v "//application/@android:debuggable" -n output_dir/AndroidManifest.xml

The android prefix is declared on the manifest root element; if your xmlstarlet version does not register it automatically, declare it explicitly with -N android=http://schemas.android.com/apk/res/android. The command prints nothing when the attribute is absent.
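When several attributes need checking at once, a small namespace-aware parser is more reliable than chained grep calls, because it resolves the android: prefix and distinguishes absent attributes from explicit values. The following script is an added example, not part of the MASTG or its tools; the manifest it parses is constructed for illustration, and the chosen defaults (debuggable absent means false, allowBackup absent means true) follow the Android documentation.

```python
import xml.etree.ElementTree as ET

# Manifest attributes live in the android namespace; ElementTree needs the full URI.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-prefixed attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text):
    """Return findings for the manifest flags covered by the tests listed on this page."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "debuggable": attr(app, "debuggable") == "true",            # absent -> False
        "allowBackup": attr(app, "allowBackup") != "false",          # absent -> True
        "usesCleartextTraffic": attr(app, "usesCleartextTraffic") == "true",  # explicit opt-in only
        "networkSecurityConfig": attr(app, "networkSecurityConfig"),  # resource reference or None
        "exported_providers": [],
    }
    for provider in app.findall("provider"):
        # Only an explicit android:exported="true" is flagged here; the implicit
        # default for older targetSdkVersion values is a separate check.
        if attr(provider, "exported") == "true":
            findings["exported_providers"].append(attr(provider, "name"))
    return findings


# Constructed sample manifest (not from a real app) with several weak settings.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:debuggable="true"
        android:usesCleartextTraffic="true"
        android:networkSecurityConfig="@xml/network_security_config">
        <provider android:name=".DataProvider" android:exported="true" />
        <provider android:name=".PrivateProvider" android:exported="false" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Point the script at output_dir/AndroidManifest.xml from jadx or apktool; it does not parse the aapt2 badging format.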

Tests

  • MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest
  • MASTG-TEST-0224: Usage of Insecure APK Signature Version
  • MASTG-TEST-0262: References to Backup Configurations Not Excluding Sensitive Data
  • MASTG-TEST-0315: Sensitive Data Exposed via Notifications
  • MASTG-TEST-0355: References to Unauthorized Database Access through Content Providers
  • MASTG-TEST-0250: References to Content Provider Access in WebViews
  • MASTG-TEST-0252: References to Local File Access in WebViews
  • MASTG-TEST-0340: References to Overlay Attack Protections
  • MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
  • MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
  • MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs
  • MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration
  • MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs