PTKD Mobile App Security
high | M8 | MASVS-CODE-2 | static analysis | PTKD-CFG-TESTONLY

Application marked test-only

`android:testOnly="true"` marks a development build that can be installed only with `adb install -t`; such a build must never be distributed.

How it's exploited

`testOnly` builds accept instrumentation from test harnesses, so automation frameworks can drive the app and reach its data.

Why it matters

A build meant for CI reaches users with its instrumentation hooks still open.

How to fix it

  1. Ship release builds from your release pipeline only; `testOnly` is set by IDE "Run" installs, not by proper release builds.
  2. Add the PTKD build gate to CI so a `testOnly` binary never reaches a store track.
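
One way to implement the check a CI gate like the one in step 2 performs, as an added example (not PTKD's build gate and not code from this page). It assumes the APK's manifest has already been decoded to text XML, for example with `apkanalyzer manifest print`; `manifest_verdict`, `gate` and the sample manifests are names and data constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Attribute name as ElementTree sees it once the android: prefix is resolved.
TESTONLY_ATTR = "{http://schemas.android.com/apk/res/android}testOnly"

# Constructed sample manifests (not taken from any real app).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.app">')
SAMPLE_RELEASE = _HEAD + '<application android:label="App"/></manifest>'
SAMPLE_IDE_RUN = _HEAD + '<application android:testOnly="true"/></manifest>'
SAMPLE_UNRESOLVED = _HEAD + '<application android:testOnly="@bool/ci"/></manifest>'


def manifest_verdict(manifest_xml):
    """Classify a text-form manifest (str or bytes): 'ok', 'test-only' or 'unresolved'."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    value = app.get(TESTONLY_ATTR) if app is not None else None
    if value is None:
        return "ok"  # attribute absent: the platform default is false
    value = value.strip().lower()
    if value == "false":
        return "ok"
    if value == "true":
        return "test-only"
    # A resource reference or anything else cannot be decided here: fail closed.
    return "unresolved"


def gate(manifest_xml):
    """Return a process exit code: 0 lets the build through, 1 blocks it."""
    try:
        verdict = manifest_verdict(manifest_xml)
    except (ET.ParseError, ValueError) as exc:
        print(f"BLOCK: manifest not readable ({exc})", file=sys.stderr)
        return 1
    if verdict != "ok":
        print(f"BLOCK: android:testOnly is {verdict}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    # Reads the decoded manifest from stdin, e.g. piped from a manifest printer.
    sys.exit(gate(sys.stdin.buffer.read()))
```

Run it against the final signed artifact rather than the source manifest, so the value checked is the one that would actually be uploaded.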
