high
M8
MASVS-CODE-2
static analysis
PTKD-CFG-TESTONLY
Application marked test-only
`android:testOnly="true"` marks a development build (installable only via `adb install -t`); it must never be distributed.
How it's exploited
testOnly builds accept instrumentation from test harnesses, so automation frameworks can puppet the app and its data.
Why it matters
A build intended only for CI and local testing reaches end users with its instrumentation doors open.
How to fix it
- Ship release builds from your release pipeline only; `android:testOnly` is set automatically by IDE "Run"/"Debug" deploys, not by a proper Gradle release build.
- Add the PTKD build gate to CI so a testOnly binary never reaches a store track.
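The build gate described above, as an added example that is not PTKD's or any project's own code: it parses a merged `AndroidManifest.xml` and returns a non-zero result when the `<application>` element carries `android:testOnly="true"`. The two sample manifests are constructed for illustration; the file path argument and the `gate` return convention are assumptions of this example.

```python
"""Added CI gate example: refuse to publish a build whose manifest is test-only."""
import sys
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree keys them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
TEST_ONLY_ATTR = f"{{{ANDROID_NS}}}testOnly"

# Constructed sample manifests (not from any real app).
DEV_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example" android:testOnly="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Same manifest with the attribute removed, i.e. what a release build should look like.
RELEASE_MANIFEST = DEV_MANIFEST.replace(' android:testOnly="true"', "")


def is_test_only(manifest_xml: str) -> bool:
    """Return True if <application> sets android:testOnly to true.

    The attribute defaults to false, so a missing attribute is a normal
    release manifest. A manifest without <application> is treated as not
    test-only; it would fail elsewhere in the pipeline anyway.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(TEST_ONLY_ATTR, "false").strip().lower() == "true"


def gate(manifest_xml: str) -> int:
    """Exit-code style result: 0 = safe to ship, 1 = test-only build (block it)."""
    return 1 if is_test_only(manifest_xml) else 0


if __name__ == "__main__":
    # Usage (assumed): python testonly_gate.py path/to/merged/AndroidManifest.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = DEV_MANIFEST  # demo run against the constructed dev manifest
    rc = gate(xml_text)
    print('FAIL: android:testOnly="true" found, do not publish' if rc
          else "OK: not a test-only build")
    sys.exit(rc)
```

This reads the plain-text merged manifest that the build produces before packaging. Inside a finished APK the manifest is binary XML, so to check an artifact after the fact, dump it first (for example with `aapt2 dump xmltree --file AndroidManifest.xml app.apk`) and look for `testOnly` in the output, or point the gate at the merged manifest in the build output directory.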
References