rspec/rules/S4507/xml/rule.adoc

In the application manifest element of an android application, setting <code>https://developer.android.com/guide/topics/manifest/application-element#debug[debuggable]</code> property to <code>true</code> could introduce a security risk.

It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.

== Ask Yourself Whether

* the development of the app is completed and the <code>debuggable</code> property is set to _true_
* the app will be published on the Play Store or distributed in any other ways and the <code>debuggable</code> property is set to _true_

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.

== Sensitive Code Example

In AndroidManifest.xml:

----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="true"
  android:theme="@style/AppTheme">
</application>  <!-- Sensitive --> 
----

== Compliant Solution

----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="false"
  android:theme="@style/AppTheme">
</application> <!-- Compliant --> 
----

== See

* https://www.owasp.org/index.php/Mobile_Top_10_2016-M10-Extraneous_Functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
* https://cwe.mitre.org/data/definitions/215.html[CWE-215] - Information Exposure Through Debug Information
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`In the application manifest element of an android application, setting <code>https://developer.android.com/guide/topics/manifest/application-element#debug[debuggable]</code> property to <code>true</code> could introduce a security risk.`

			`It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.`

			`== Ask Yourself Whether`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* the development of the app is completed and the <code>debuggable</code> property is set to _true_`
			`* the app will be published on the Play Store or distributed in any other ways and the <code>debuggable</code> property is set to _true_`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`You are at risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Sensitive Code Example`

			`In AndroidManifest.xml:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="true"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Sensitive -->`
			`----`

			`== Compliant Solution`

			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="false"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Compliant -->`
			`----`

			`== See`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* https://www.owasp.org/index.php/Mobile_Top_10_2016-M10-Extraneous_Functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality`
			`* https://cwe.mitre.org/data/definitions/215.html[CWE-215] - Information Exposure Through Debug Information`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release`