Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during development, they should never be enabled for applications deployed in production.
In the ``++<application>++`` element of an Android app's manifest, setting the https://developer.android.com/guide/topics/manifest/application-element#debug[android:debuggable] attribute to ``++"true"++`` makes the application debuggable.
This introduces a security risk: anyone with an ``++adb++`` connection to the device can attach a debugger to the running process, inspect and modify its memory, and use ``++run-as++`` to read the app's private data directory. This makes it easy for an attacker to reverse engineer the application and eventually steal the user's secrets.
== Ask Yourself Whether
* The development of the app is completed and the ``++debuggable++`` property is set to _true_
* The app is distributed to end users with the ``++debuggable++`` property set to _true_
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
Do not release a debuggable application. Avoid hardcoding ``++android:debuggable++`` in the manifest at all: the Android Gradle plugin sets it automatically for each build type (debug builds are debuggable, release builds are not). If the attribute has to be present, set it to ``++false++``. Before shipping, verify the packaged APK with ``++aapt dump badging app.apk++``, which prints an ``++application-debuggable++`` line only when the built manifest is debuggable.
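A simple way to catch the hardcoded attribute before the build runs is to lint the source manifests in CI. The script below is an added example for this rule page, not SonarSource's analyzer code. It assumes a source ``++AndroidManifest.xml++`` (the manifest inside an APK is binary XML, which needs ``++aapt++`` or ``++apkanalyzer++`` instead) and uses constructed sample manifests that mirror the rule's examples.

```python
"""Check Android source manifests for a hardcoded android:debuggable attribute.

Added example for this rule page, not SonarSource's analyzer code. It assumes
a *source* AndroidManifest.xml; the manifest packaged in an APK is binary XML
and must be inspected with `aapt dump badging` or
`apkanalyzer manifest debuggable` instead.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree keys namespaced attributes as "{uri}localname".
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def check_manifest(manifest_xml: str) -> dict:
    """Report how android:debuggable is set on the <application> element.

    Returns a dict with:
      debuggable: True, False, or None when the attribute is absent
      level:      "sensitive" for a hardcoded "true", "ok" otherwise
      message:    a one-line explanation for a report
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element in manifest")

    raw = app.get(DEBUGGABLE_ATTR)
    if raw is None:
        # Best case: the build type decides, so release builds are not debuggable.
        return {
            "debuggable": None,
            "level": "ok",
            "message": "android:debuggable not hardcoded; build type decides",
        }

    # Manifest booleans are the literals "true"/"false"; compare leniently on case.
    if raw.strip().lower() == "true":
        return {
            "debuggable": True,
            "level": "sensitive",
            "message": 'android:debuggable="true" hardcoded: release builds ship debuggable',
        }
    return {
        "debuggable": False,
        "level": "ok",
        "message": 'android:debuggable="false" hardcoded; it could be dropped',
    }


# Constructed sample manifests mirroring the rule's examples (not real apps).
SENSITIVE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="@string/app_name" android:debuggable="true">
    </application>
</manifest>
"""

COMPLIANT_MANIFEST = SENSITIVE_MANIFEST.replace('android:debuggable="true"',
                                                'android:debuggable="false"')

OMITTED_MANIFEST = SENSITIVE_MANIFEST.replace(' android:debuggable="true"', '')


def scan(manifests: dict) -> list:
    """Return (name, message) for every manifest rated "sensitive"."""
    findings = []
    for name, xml in manifests.items():
        result = check_manifest(xml)
        if result["level"] == "sensitive":
            findings.append((name, result["message"]))
    return findings


if __name__ == "__main__":
    samples = {
        "sensitive": SENSITIVE_MANIFEST,
        "compliant": COMPLIANT_MANIFEST,
        "omitted": OMITTED_MANIFEST,
    }
    for name, msg in scan(samples):
        print(f"{name}: {msg}")
```

Run it over every ``++src/*/AndroidManifest.xml++`` in the project (flavor and build-type source sets get merged into the final manifest, so a ``++true++`` in any of them matters) and fail the pipeline when ``++scan++`` returns any finding.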
== Sensitive Code Example
In ``++AndroidManifest.xml++`` the ``++android:debuggable++`` attribute is set to ``++true++``:
[source,xml]
----
<application
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:debuggable="true"
android:theme="@style/AppTheme">
</application> <!-- Sensitive -->
----
== Compliant Solution
In ``++AndroidManifest.xml++`` the ``++android:debuggable++`` attribute is set to ``++false++``:
[source,xml]
----
<application
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:debuggable="false"
android:theme="@style/AppTheme">
</application> <!-- Compliant -->
----
== See
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]