module injects malformed XML (oaid_settings_legacy.xml), breaking NetworkSecurityConfig resolution and causing fatal initialization crashes

[lapinpt]

Overview

The Magisk/APatch module HyperOS_SecurityCenterV5 introduces a critical regression by deploying a malformed XML resource under the SecurityCenter package path.
The injected file:

oaid_settings_legacy.xml

does not conform to the expected Android network-security-config schema.
Instead, it contains a Settings PreferenceScreen XML, which is fundamentally incompatible with the expected parser.

This invalid XML leaks into the NetworkSecurityConfigProvider pipeline during application initialization, causing the SecurityCenter process to terminate before Application.onCreate().

This results in a cascade failure across the HyperOS permission and policy enforcement subsystem.

Root Cause (Technical Detail)

During SecurityCenter startup, Android performs the following:

Loads the app’s declared networkSecurityConfig from its manifest.

Invokes:

android.security.net.config.XmlConfigSource.ensureInitialized()

The injected XML is parsed by:

XmlConfigSource.parseNetworkSecurityConfig()

The parser expects:

but receives:

This triggers a hard exception inside the ART runtime before class loading completes:

Logcat excerpt:
java.lang.RuntimeException: Failed to parse XML configuration from oaid_settings_legacy
Caused by: org.xmlpull.v1.XmlPullParserException:
Unexpected start tag: found PreferenceScreen, expected network-security-config

Because the crash occurs inside the native SSL configuration loader, before the app has created a Looper or registered with ActivityThread, the process cannot recover.

This produces:

Continuous process death loops

Permission controller deadlocks

Crashes from dependent components

System Impact

SecurityCenter (UID 1000, system process) is responsible for:

Permission policy enforcement

AppOps dispatch

Security scanning API

Throttling and rate limiting

Device policy hooks

Calendar provider permission brokering

ApplicationDetailsActivity inspection

When SecurityCenter fails to initialize:

Any permission request fails or becomes inconsistent

System Calendar provider throws exceptions (“Read and add calendar data keeps stopping”)

App details UI crashes

AppManager cannot attach

MIUI/HyperOS overlays using android.intent.action.APP_MANAGER_APPLICATION_DETAIL fail

AppOpsService receives null configs

PackageManagerService logs unexpected activity and permission state anomalies

Dex2oat background jobs may stall due to missing policy hooks

The impact persists even after module removal, because the malformed file remains in the filesystem.

Location of the corrupted file

The module deploys oaid_settings_legacy.xml into one or more of these search paths used by SecurityCenter’s resource resolution chain:

/data/system/
/data/system/users/0/
/product/priv-app/SecurityCenter/
/product/etc/
/system_ext/etc/
/data/

Most likely:

/product/etc/ or /data/system/

This overrides the app’s internal resource table due to MIUI/HyperOS overlay precedence rules.

Required Manual Remediation

To restore stable behavior, the corrupted XML must be purged manually:

find /data -name "oaid_settings_legacy" -delete
find /product -name "oaid_settings_legacy" -delete
find /system_ext -name "oaid_settings_legacy" -delete

pm clear com.miui.securitycenter
pm clear com.miui.securitycore
rm -rf /data/system/package_cache/*
reboot

After reboot, the APEX-based security config resolver regenerates valid configurations and SecurityCenter initializes normally.

Device and System Environment
Model: Xiaomi 2312DRA50G
Codename: garnet
CPU ABI: arm64-v8a

Android version: 15
Build ID: AQ3A.240912.001
HyperOS version: V816 (816)

Root solution:

• Magisk: c3db2e36-alpha:MAGISK:R

SecurityCenter packages:

• com.miui.securitycenter → /product/priv-app/SecurityCenter/SecurityCenter.apk
• com.miui.securitycore → /product/app/SecurityCoreAdd/SecurityCoreAdd.apk

Module under test:

HyperOS_SecurityCenterV5
Source: Mods-Center (GitHub)

Conclusion

The module introduces a schema-breaking XML injection into the SecurityCenter’s resource hierarchy, violating the expected network-security-config format and causing a fatal boot-loop in the SecurityCenter process (UID 1000).
This destabilizes permission, AppOps, and policy subsystems across HyperOS.

This is a critical system-breaking flaw that survives module removal.