
MASTG-TECH-0150: Analyzing the AndroidManifest

Once you've extracted the AndroidManifest.xml as described in Obtaining Information from the AndroidManifest, you can analyze its content to look for specific attributes, flags, permissions, or component declarations.

Note that the output format differs depending on the extraction tool used:

  • Tools like jadx and apktool output standard XML in which attributes carry the android: namespace prefix (e.g., android:debuggable="true").
  • Tools like aapt2 output a custom decoded format (not XML) that uses different naming conventions (e.g., application-debuggable).

Using grep

Use grep to search for a specific attribute or flag in the XML output:

grep -i "android:debuggable" output_dir/AndroidManifest.xml

Example output when the flag is set:

android:debuggable="true"

If the attribute is absent, the flag defaults to false for release builds.

Using aapt2

Use aapt2 to query the manifest without extracting it first:

aapt2 d badging app.apk | grep -i debuggable

Example output when the flag is set:

application-debuggable

If the line is absent, the flag is not set (defaults to false).

Using xmllint or xmlstarlet

For structured XML queries, use xmllint or xmlstarlet on the extracted XML manifest:

xmlstarlet sel -t -v "//application/@android:debuggable" -n output_dir/AndroidManifest.xml
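The same lookups can be scripted when you need to check many manifests at once. The following is an added example, not code from the MASTG page: it parses the XML form of the manifest (as produced by jadx or apktool) with Python's standard library, resolving the android: namespace the way xmlstarlet does, and applies the same "absent means false" rule for android:debuggable. The manifest it reads is a constructed sample, not a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed sample manifest (not taken from any real app), in the XML form
# that jadx and apktool produce.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:debuggable="true"
                 android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" android:exported="true"/>
        <activity android:name=".SettingsActivity"/>
        <provider android:name=".DataProvider"
                  android:authorities="com.example.app.data" android:exported="true"/>
    </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute; ElementTree keys it as {uri}name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def analyze_manifest(xml_text):
    """Return the attributes and declarations a reviewer checks first."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    return {
        "package": root.get("package"),
        # An absent debuggable attribute means the flag is off, the same rule
        # the grep and aapt2 checks rely on.
        "debuggable": attr(app, "debuggable", "false").lower() == "true",
        "network_security_config": attr(app, "networkSecurityConfig"),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        # Only components that explicitly declare android:exported="true";
        # implicit export via intent-filters is not resolved here.
        "exported": [
            "%s %s" % (c.tag, attr(c, "name"))
            for c in app if c.tag in COMPONENT_TAGS
            and attr(c, "exported", "false").lower() == "true"
        ],
    }


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print("%-24s %s" % (key, value))
```

Point the script at output_dir/AndroidManifest.xml by reading the file into analyze_manifest instead of SAMPLE_MANIFEST; the aapt2 badging format is not XML and needs the grep approach above instead.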

Tests

  • MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
  • MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs
  • MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs
  • MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration
  • MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
  • MASTG-TEST-0252: References to Local File Access in WebViews
  • MASTG-TEST-0315: Sensitive Data Exposed via Notifications
  • MASTG-TEST-0340: References to Overlay Attack Protections
  • MASTG-TEST-0250: References to Content Provider Access in WebViews
  • MASTG-TEST-0262: References to Backup Configurations Not Excluding Sensitive Data
  • MASTG-TEST-0224: Usage of Insecure APK Signature Version
  • MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest