rspec/rules/S4507/xml/rule.adoc

In the application manifest element of an android application, setting ``https://developer.android.com/guide/topics/manifest/application-element#debug[debuggable]`` property to ``++true++`` could introduce a security risk.


It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.

== Ask Yourself Whether

* the development of the app is completed and the ``++debuggable++`` property is set to _true_
* the app will be published on the Play Store or distributed in any other ways and the ``++debuggable++`` property is set to _true_

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.

== Sensitive Code Example

In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++true++``:

----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="true"
  android:theme="@style/AppTheme">
</application>  <!-- Sensitive --> 
----

== Compliant Solution

In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++false++``:

[source,xml]
----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="false"
  android:theme="@style/AppTheme">
</application> <!-- Compliant --> 
----

== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
unescape the links inside in-line code 2021-02-08 19:11:39 +01:00			In the application manifest element of an android application, setting ``https://developer.android.com/guide/topics/manifest/application-element#debug[debuggable]`` property to ``++true++`` could introduce a security risk.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.`

			`== Ask Yourself Whether`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			* the development of the app is completed and the ``++debuggable++`` property is set to _true_
			* the app will be published on the Play Store or distributed in any other ways and the ``++debuggable++`` property is set to _true_
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`You are at risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

Disarm the . at the start of a line 2021-02-16 11:54:08 +01:00			`It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Sensitive Code Example`

update; grammar fixes 2021-02-11 16:56:46 +01:00			In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++true++``:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="true"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Sensitive -->`
			`----`

			`== Compliant Solution`

update; grammar fixes 2021-02-11 16:56:46 +01:00			In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++false++``:

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,xml]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="false"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Compliant -->`
			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
add mobile security standards, links and tags to mobile rules and add new CWEv4.4 entries (#112) 2021-06-10 10:04:10 +02:00			`* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`