Skip to content

Manifest and component hardening

โ† Back to Security

Manifest and Component Hardening Deep Dive

Overview

Most Android app attack surface is created by manifest and IPC configuration mistakes.

Hardening Checklist

  • Set android:exported explicitly for every component.
  • Guard privileged components with signature permissions.
  • Validate all Intent extras and URI inputs.
  • Disable debug flags and unnecessary permissions in release builds.

Component-Specific Notes

  • Activities: allowlist deep link hosts and sanitize inputs.
  • Services: require caller auth and enforce permission checks.
  • Receivers: avoid broad implicit intents for sensitive actions.

Testing Ideas

  • Intent fuzzing for malformed extras.
  • Spoofed caller tests for exported services/receivers.
  • Manifest policy checks in CI.

Senior-Level Insights

  • Teams that codify these checks in lint and CI avoid most repeat security regressions.