Security

    OWASP Mobile M8: Security Misconfiguration

    A 2026 view of OWASP Mobile M8 security misconfiguration showing insecure settings like a debuggable build and exported components hardened on a release checklist

    Some of the most common mobile vulnerabilities are not coding mistakes at all, but settings: a debug flag left on, a component exported by accident, backups allowed for sensitive data, cleartext permitted in the network config. Individually each is a small toggle; together they are the category OWASP calls M8, Security Misconfiguration, in its Mobile Top 10. The dangerous thing about misconfigurations is that the app works perfectly with them in place, so they slip through unless you look for them. Here is what M8 is, the misconfigurations it covers, and how to find and fix them before release.

    Short answer

    M8, Security Misconfiguration, is the OWASP Mobile Top 10 risk that arises from insecure settings rather than insecure code: debug features left enabled, components exported when they should be private, backups allowed for sensitive data, cleartext traffic permitted, weak file permissions, default credentials, or verbose error messages. Per OWASP, these stem from insecure defaults or settings not hardened for production, and they expose data or functionality even though the code may be sound. The fix is to apply secure configuration: disable debugging in release builds, export only what must be exported and protect it, restrict backups and file permissions, disallow cleartext, and remove default credentials. The app works the same with these set correctly, so the only way to catch them is to check.

    What you should know

    • M8 is about settings, not code: insecure configuration, not a coding bug.
    • The app works regardless: misconfigurations do not break functionality.
    • Common cases: debuggable, exported components, backups, cleartext, permissions.
    • They come from insecure defaults: or settings not hardened for production.
    • You have to check: nothing visible breaks, so the only catch is review.

    What is M8: Security Misconfiguration?

    It is the risk that an app's configuration, rather than its code, leaves it exposed. Mobile platforms have many settings that affect security: whether the app is debuggable, which components other apps can call, whether the app's data can be backed up, whether cleartext network traffic is allowed, what permissions files are created with, and more. A security misconfiguration is any of these set insecurely, often because it was left at a development value or a permissive default and never hardened for production. The defining property is that the app keeps working normally, a debuggable release runs fine, an over-exported component still serves its own app, cleartext still connects, so nothing prompts you to notice, while the misconfiguration quietly widens the attack surface. M8 collects these settings-level exposures because they are common, easy to introduce, and invisible in normal use, which makes deliberate review the only reliable way to catch them.

    What does misconfiguration look like?

    A set of recurring settings left in an insecure state. The table lists common ones.

    MisconfigurationWhy it matters
    Debuggable release buildAllows debugging and inspection of a production app
    Over-exported componentsOther apps can reach activities, services, or receivers
    Backups allowed for sensitive dataData swept into device or cloud backups
    Cleartext traffic permittedNetwork data exposed to interception
    Weak file permissionsFiles readable or writable beyond the app
    Default credentials or verbose errorsBuilt-in accounts or leaky error messages

    Each of these is a toggle or declaration that should be set conservatively for release. A debuggable flag left enabled lets anyone attach a debugger to a production app; a component exported without protection lets other apps invoke it; allowing backups can sweep sensitive data into backups; permitting cleartext exposes traffic; overly permissive file permissions let other apps read or write your files; and default credentials or verbose error messages hand attackers a starting point. None of them break the app, which is exactly why they persist into production unless someone checks the configuration deliberately.

    How do you address M8?

    Harden the configuration for production and verify it. Disable debugging and remove debugging aids in release builds, so a shipped app is not debuggable. Review which components your app exports and export only those that genuinely need to be reachable by other apps, protecting them appropriately, while keeping the rest private. Restrict backups so sensitive data is not included, and set file permissions so files are private to your app rather than world-accessible. Disallow cleartext traffic in your network configuration so all communication is encrypted. Remove any default or built-in credentials, and make error messages non-verbose so they do not leak internal detail. Treat secure configuration as a release checklist, since these settings do not surface in functional testing, and confirm each is set for production rather than left at a development or default value. The principle is that the app's settings should be hardened deliberately, not inherited from defaults, because a misconfiguration is invisible until someone, or an attacker, looks.

    What to watch out for

    The first trap is assuming functional testing catches misconfigurations; it does not, since the app works the same either way, so they need a dedicated configuration review. The second is shipping development settings, a debuggable build, a permissive network config, into production. The third is over-exporting components or allowing backups for data that should stay private. A pre-submission scan such as PTKD.com (https://ptkd.com) is well suited to M8: it reads the compiled app against OWASP MASVS and surfaces configuration like the debuggable flag, exported components, backup and cleartext settings, and permissions, which is precisely the settings-level surface that does not show up in normal testing.

    What to take away

    • M8, Security Misconfiguration, is the OWASP Mobile Top 10 risk arising from insecure settings rather than insecure code, such as debuggable builds, over-exported components, allowed backups, and cleartext traffic.
    • Misconfigurations are dangerous because the app works normally with them in place, so they persist into production unless someone checks deliberately.
    • Address them by hardening configuration for release: disable debugging, export and protect only what must be, restrict backups and file permissions, disallow cleartext, and remove default credentials.
    • A pre-submission scan such as PTKD.com is well suited to surfacing these settings-level exposures that functional testing misses.
    • #owasp-mobile-top-10
    • #m8
    • #security-misconfiguration
    • #debuggable
    • #exported-components
    • #configuration
    • #mobile

    Frequently asked questions

    What is OWASP Mobile M8?
    M8, Security Misconfiguration, is the OWASP Mobile Top 10 risk that an app's configuration, rather than its code, leaves it exposed. Mobile platforms have many security-relevant settings, whether the app is debuggable, which components other apps can call, whether data can be backed up, whether cleartext is allowed, what permissions files use, and a misconfiguration is any of these set insecurely, often a development value or permissive default never hardened for production. It collects settings-level exposures that are common, easy to introduce, and invisible in normal use.
    Why are misconfigurations easy to miss?
    Because the app keeps working normally with them in place. A debuggable release runs fine, an over-exported component still serves its own app, cleartext still connects, so nothing in functional testing prompts you to notice, while the misconfiguration quietly widens the attack surface. That invisibility is the defining property of M8, and it is why deliberate configuration review, or a scan that reads these settings, is the only reliable way to catch them, rather than expecting normal testing or QA to surface a setting that does not break anything.
    What are common mobile security misconfigurations?
    A debuggable flag left enabled in a release build, components exported without protection so other apps can invoke them, backups allowed for sensitive data, cleartext network traffic permitted, overly permissive file permissions that let other apps read or write your files, and default or built-in credentials and verbose error messages that leak internal detail. Each is a toggle or declaration that should be set conservatively for production but is often left at a development or default value because it does not break the app.
    How do I address security misconfiguration?
    Harden the configuration for production and verify it as a release checklist. Disable debugging in release builds, export and protect only the components that must be reachable while keeping the rest private, restrict backups so sensitive data is excluded, set file permissions to private, disallow cleartext so all traffic is encrypted, and remove default credentials and verbose error messages. Because these settings do not surface in functional testing, confirm each is set for production deliberately rather than inherited from a default or development value.
    Can a scan find security misconfigurations?
    Yes, M8 is particularly well suited to scanning. A pre-submission scan such as PTKD.com reads the compiled app against OWASP MASVS and surfaces configuration like the debuggable flag, exported components, backup and cleartext settings, and file permissions, which is exactly the settings-level surface that does not appear in normal functional testing. That gives you a checklist of what is set insecurely before release, so you can harden each setting, the things a static look at the build can catch better than manual QA.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free