Introduction
Android applications rely on the AndroidManifest.xml file to define core components and their accessibility. One critical attribute in this file is android:exported, which determines whether a component can be accessed by other applications.
When misconfigured, especially with android:exported="true", internal app components may become exposed to external apps — potentially leading to unauthorized access, intent injection, or privilege escalation.
In this blog, we explore what happens when this attribute is improperly configured and how it can introduce security risks in Android applications.
What Is the AndroidManifest.xml File?
Every Android application contains a file called AndroidManifest.xml. It is one of the most important configuration files in an Android app.
This file defines:
- App components (Activities, Services, Broadcast Receivers, Content Providers)
- App permissions (Internet, Camera, Location, etc.)
- Minimum Android version requirements
- Hardware and software features used by the app
- Security-related configurations
In simple terms, the AndroidManifest.xml file tells the Android operating system:
“What components does this app have, and how should they behave?”
For example, it defines which activity launches first, what permissions the app needs, and whether certain components can be accessed by other applications.
Because it controls component exposure and permissions, any misconfiguration in this file can directly impact the app’s security — including issues related to the android:exported attribute.
Application Overview
Before diving into the exploitation, let’s first understand the functionality of the application.
The target application, SecretKeeper, is designed to securely store user passwords. It acts as a simple password manager where users can save and manage their credentials.
Below is the initial interface of the application, where the user is required to enter the master password to access the stored secrets.
After signing in, the application displays the stored passwords associated with the user account.
Exploitation
The screenshot below shows the AndroidManifest.xml file, where the activity is configured with android:exported="true".
This means the activity is accessible to other applications on the device, potentially exposing internal functionality if proper access controls are not implemented.
The screenshot below shows that all background applications have been cleared before performing the test.
Now, we will attempt to directly invoke the exported activity using ADB.
Open the ADB shell and execute the following command:
<aside> 💡
Command: am start -n com.mwr.example.sieve/.PWList
</aside>
This command uses Android’s Activity Manager to directly launch the PWList activity inside the Sieve application.
com.mwr.example.sieve is the package name, and .PWList refers to a specific activity within that app.
By executing this command, the normal application flow (such as a login screen) is bypassed, and the internal activity is opened directly.
If the activity is marked as android:exported=”true” and lacks proper authentication checks, this could result in unauthorized access to sensitive functionality.
Mitigation
To prevent such vulnerabilities:
- Set
android:exported="false"for internal components that do not require external access. - Enforce proper runtime authentication and authorization checks within the activity.
- Apply the principle of least privilege when exposing components.
- Review AndroidManifest.xml configurations during secure code reviews and security testing.
Security should never rely solely on manifest-level configuration. Critical components must always validate user authorization at runtime.
Conclusion
A single misconfigured attribute in the AndroidManifest.xml file can lead to serious security consequences.
This example demonstrates how android:exported="true" — when improperly used — can allow attackers to bypass authentication and access sensitive functionality.
Secure configuration, combined with strong access control validation, is essential to building resilient Android applications.
