Android Software Reverse Engineering & Decompilation

Dissecting AndroidManifest.xml: A Practical Guide to Uncovering Component Vulnerabilities

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to AndroidManifest.xml

The AndroidManifest.xml file is the foundational blueprint of every Android application. It acts as a metadata repository, providing the Android operating system with crucial information about the app’s components, permissions, hardware and software features, and overall configuration. For security analysts and reverse engineers, a thorough understanding and analysis of this file is paramount. It often holds the keys to discovering exposed components, misconfigured permissions, and other critical vulnerabilities that could lead to data exfiltration, unauthorized access, or denial of service.

This guide will dissect the AndroidManifest.xml, focusing on how to identify common component-related vulnerabilities by examining its structure and key attributes. We’ll cover Activities, Services, Broadcast Receivers, and Content Providers, demonstrating practical analysis techniques.

Essential Manifest Elements for Security Analysis

The <application> Tag: Global Security Posture

The <application> tag wraps all the components of the app and can define global attributes that impact security:

  • android:debuggable: If set to true, the app can be debugged even on production devices, potentially allowing attackers to attach a debugger and tamper with runtime behavior or extract sensitive data. This should always be false in production builds.
  • android:allowBackup: If true, users can back up application data via adb backup. If sensitive data is not properly protected, this could lead to information disclosure.
  • android:testOnly: Indicates that this application is only for testing purposes. Though rarely seen in production apps, its presence might signal an improperly deployed testing build.
<application android:allowBackup="false" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/AppTheme" android:debuggable="false">

To check these attributes quickly, use aapt:

aapt dump badging your_app.apk | grep -E 'application-debuggable|application-backup|application-testonly'

Activities: Entry Points and Exposed Functionality

Activities are the primary entry points for user interaction. Their security configuration, particularly the android:exported attribute and associated <intent-filter>, is critical.

  • android:exported="true": An activity with this attribute can be launched by other applications. If an <intent-filter> is present, it implies exported="true" by default for activities targeting API level 31 or higher.
  • android:permission: Specifies a permission that an external app must have to launch this activity.

Vulnerability Example: Exported Activity without Proper Permissions

<activity android:name=".VulnerableActivity" android:exported="true"> <!-- Missing android:permission --> <intent-filter> <action android:name="com.example.ACTION_SENSIBLE_DATA" /> <category android:name="android.intent.category.DEFAULT" /> </intent-filter></activity>

An attacker can launch this activity using a crafted intent:

adb shell am start -n com.example.app/.VulnerableActivityadb shell am start -a com.example.ACTION_SENSIBLE_DATA -n com.example.app/com.example.app.VulnerableActivity

Always ensure sensitive exported activities are protected by custom permissions (signature or signatureOrSystem protection level) or are not exported if internal-only.

Broadcast Receivers: Intercepting and Responding to System Events

Broadcast Receivers listen for and respond to system-wide broadcast announcements or custom application-specific broadcasts.

  • android:exported="true": Similar to activities, if true (or implied by an <intent-filter>), other apps can send broadcasts to this receiver.
  • android:permission: Required permission for sending a broadcast to this receiver.

Vulnerability Example: Exported Receiver for Sensitive Actions

<receiver android:name=".SensitiveDataReceiver" android:enabled="true" android:exported="true"> <!-- Missing android:permission --> <intent-filter> <action android:name="com.example.ACTION_PURGE_DATA" /> </intent-filter></receiver>

An attacker can trigger this receiver to perform a sensitive action:

adb shell am broadcast -a com.example.ACTION_PURGE_DATA -n com.example.app/.SensitiveDataReceiver

Ensure that all sensitive broadcast receivers have robust permission protection or are not exported.

Services: Background Operations and IPC Vulnerabilities

Services perform long-running operations in the background without a UI. They are prone to IPC vulnerabilities if not properly secured.

  • android:exported="true": Allows other applications to bind to or start this service.
  • android:permission: Specifies the permission required to interact with the service.

Vulnerability Example: Exported Service Allowing Unauthorized Operations

<service android:name=".AdminService" android:enabled="true" android:exported="true"> <!-- Missing android:permission --> <intent-filter> <action android:name="com.example.ACTION_PERFORM_ADMIN" /> </intent-filter></service>

An attacker can start this service:

adb shell am startservice -n com.example.app/.AdminService -a com.example.ACTION_PERFORM_ADMIN

Exploiting services often involves sending specific data via intents, so analyzing the service’s code (after decompilation) is crucial to understand what data it processes.

Content Providers: Data Exposure and Access Control

Content Providers manage access to a structured set of data. They are a common source of data leakage vulnerabilities.

  • android:exported="true": If true (or implied by android:grantUriPermissions="true" or target SDK < 17), other applications can query, insert, update, or delete data through this provider.
  • android:readPermission, android:writePermission: Permissions required for reading and writing data, respectively.
  • android:grantUriPermissions="true": Allows temporary access to specific URIs without requiring a permanent permission. Can be dangerous if combined with weak permissions or exported providers.

Vulnerability Example: Exported Content Provider with Weak Permissions

<provider android:name=".UserDataProvider" android:authorities="com.example.app.provider.userdata" android:exported="true" android:readPermission="com.example.permission.READ_USER_DATA" <!-- writePermission might be missing or weak --> />

If com.example.permission.READ_USER_DATA is not adequately protected (e.g., normal protection level), or if writePermission is absent, an attacker might:

adb shell content query --uri content://com.example.app.provider.userdata/users --projection "username,password"

A more advanced attack could involve using tools like Drozer to enumerate and exploit content providers.

Custom Permissions and Protection Levels

When defining custom permissions in the Manifest, the android:protectionLevel attribute is critical:

  • normal: Low-risk, automatically granted permissions.
  • dangerous: High-risk, user-prompted permissions.
  • signature: Only granted if the requesting app is signed with the same certificate as the app defining the permission. This is the strongest protection for IPC.
  • signatureOrSystem: Granted to apps with the same signature or to apps installed in the system image.

Always use signature for protecting sensitive IPC components between your own applications.

<permission android:name="com.example.permission.ACCESS_SENSITIVE_API" android:protectionLevel="signature" />

Practical Manifest Analysis Workflow

  1. Decompile the APK: Use apktool d your_app.apk -o decompiled_app to get human-readable SMALI code and the decompiled AndroidManifest.xml.
  2. Locate AndroidManifest.xml: It will be in the root of the decompiled directory.
  3. Search for android:exported="true": This is your primary target for identifying exposed components. Also look for components with <intent-filter>s that are implicitly exported.
  4. Examine Permissions: For each exported component, check if an android:permission is specified. If so, locate the permission’s definition (<permission> tag) and analyze its android:protectionLevel.
  5. Analyze Intent Filters: Understand what actions and categories an exported component can respond to. This helps in crafting malicious intents.
  6. Look for Global Flags: Check <application> for android:debuggable="true" and android:allowBackup="true".
  7. Test with adb shell am and content commands: Directly attempt to interact with identified exported components to confirm vulnerabilities.

Conclusion

The AndroidManifest.xml is a treasure trove for security analysis. By systematically reviewing its contents, especially focusing on component export status, associated permissions, and global application settings, security professionals can uncover a wide range of vulnerabilities. This deep dive into the manifest, combined with practical testing using ADB commands, forms a critical first step in securing Android applications against unauthorized access and data compromise.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #AndroidManifest.xml #Mobile Security #Reverse Engineering #Vulnerability Analysis

Related Technical Guides

Reverse Engineering Lab: Identifying Vulnerabilities with JADX’s Code Search & Analysis Features

May 29, 2026

Bypassing SSL Pinning with Xposed: A Practical Guide for Android RE

May 30, 2026

Troubleshooting JNI Crashes: A Reverse Engineer’s Guide to Native Exception Analysis

May 30, 2026