Some of the most common mobile vulnerabilities are not coding mistakes at all, but settings: a debug flag left on, a component exported by accident, backups allowed for sensitive data, cleartext permitted in the network config. Individually each is a small toggle; together they are the category OWASP calls M8, Security Misconfiguration, in its Mobile Top 10. The dangerous thing about misconfigurations is that the app works perfectly with them in place, so they slip through unless you look for them. Here is what M8 is, the misconfigurations it covers, and how to find and fix them before release.
Short answer
M8, Security Misconfiguration, is the OWASP Mobile Top 10 risk that arises from insecure settings rather than insecure code: debug features left enabled, components exported when they should be private, backups allowed for sensitive data, cleartext traffic permitted, weak file permissions, default credentials, or verbose error messages. Per OWASP, these stem from insecure defaults or settings not hardened for production, and they expose data or functionality even though the code may be sound. The fix is to apply secure configuration: disable debugging in release builds, export only what must be exported and protect it, restrict backups and file permissions, disallow cleartext, and remove default credentials. The app works the same with these set correctly, so the only way to catch them is to check.
What you should know
- M8 is about settings, not code: insecure configuration, not a coding bug.
- The app works regardless: misconfigurations do not break functionality.
- Common cases: debuggable, exported components, backups, cleartext, permissions.
- They come from insecure defaults: or settings not hardened for production.
- You have to check: nothing visible breaks, so the only catch is review.
What is M8: Security Misconfiguration?
It is the risk that an app's configuration, rather than its code, leaves it exposed. Mobile platforms have many settings that affect security: whether the app is debuggable, which components other apps can call, whether the app's data can be backed up, whether cleartext network traffic is allowed, what permissions files are created with, and more. A security misconfiguration is any of these set insecurely, often because it was left at a development value or a permissive default and never hardened for production. The defining property is that the app keeps working normally, a debuggable release runs fine, an over-exported component still serves its own app, cleartext still connects, so nothing prompts you to notice, while the misconfiguration quietly widens the attack surface. M8 collects these settings-level exposures because they are common, easy to introduce, and invisible in normal use, which makes deliberate review the only reliable way to catch them.
What does misconfiguration look like?
A set of recurring settings left in an insecure state. The table lists common ones.
| Misconfiguration | Why it matters |
|---|---|
| Debuggable release build | Allows debugging and inspection of a production app |
| Over-exported components | Other apps can reach activities, services, or receivers |
| Backups allowed for sensitive data | Data swept into device or cloud backups |
| Cleartext traffic permitted | Network data exposed to interception |
| Weak file permissions | Files readable or writable beyond the app |
| Default credentials or verbose errors | Built-in accounts or leaky error messages |
Each of these is a toggle or declaration that should be set conservatively for release. A debuggable flag left enabled lets anyone attach a debugger to a production app; a component exported without protection lets other apps invoke it; allowing backups can sweep sensitive data into backups; permitting cleartext exposes traffic; overly permissive file permissions let other apps read or write your files; and default credentials or verbose error messages hand attackers a starting point. None of them break the app, which is exactly why they persist into production unless someone checks the configuration deliberately.
How do you address M8?
Harden the configuration for production and verify it. Disable debugging and remove debugging aids in release builds, so a shipped app is not debuggable. Review which components your app exports and export only those that genuinely need to be reachable by other apps, protecting them appropriately, while keeping the rest private. Restrict backups so sensitive data is not included, and set file permissions so files are private to your app rather than world-accessible. Disallow cleartext traffic in your network configuration so all communication is encrypted. Remove any default or built-in credentials, and make error messages non-verbose so they do not leak internal detail. Treat secure configuration as a release checklist, since these settings do not surface in functional testing, and confirm each is set for production rather than left at a development or default value. The principle is that the app's settings should be hardened deliberately, not inherited from defaults, because a misconfiguration is invisible until someone, or an attacker, looks.
What to watch out for
The first trap is assuming functional testing catches misconfigurations; it does not, since the app works the same either way, so they need a dedicated configuration review. The second is shipping development settings, a debuggable build, a permissive network config, into production. The third is over-exporting components or allowing backups for data that should stay private. A pre-submission scan such as PTKD.com (https://ptkd.com) is well suited to M8: it reads the compiled app against OWASP MASVS and surfaces configuration like the debuggable flag, exported components, backup and cleartext settings, and permissions, which is precisely the settings-level surface that does not show up in normal testing.
What to take away
- M8, Security Misconfiguration, is the OWASP Mobile Top 10 risk arising from insecure settings rather than insecure code, such as debuggable builds, over-exported components, allowed backups, and cleartext traffic.
- Misconfigurations are dangerous because the app works normally with them in place, so they persist into production unless someone checks deliberately.
- Address them by hardening configuration for release: disable debugging, export and protect only what must be, restrict backups and file permissions, disallow cleartext, and remove default credentials.
- A pre-submission scan such as PTKD.com is well suited to surfacing these settings-level exposures that functional testing misses.



