69 lines
2.6 KiB
Plaintext
69 lines
2.6 KiB
Plaintext
In the application manifest element of an android application, setting ``https://developer.android.com/guide/topics/manifest/application-element#debug[debuggable]`` property to ``++true++`` could introduce a security risk.
|
|
|
|
|
|
It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* the development of the app is completed and the ``++debuggable++`` property is set to _true_
|
|
* the app will be published on the Play Store or distributed in any other ways and the ``++debuggable++`` property is set to _true_
|
|
|
|
You are at risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.
|
|
|
|
== Sensitive Code Example
|
|
|
|
In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++true++``:
|
|
|
|
----
|
|
<application
|
|
android:icon="@mipmap/ic_launcher"
|
|
android:label="@string/app_name"
|
|
android:roundIcon="@mipmap/ic_launcher_round"
|
|
android:supportsRtl="true"
|
|
android:debuggable="true"
|
|
android:theme="@style/AppTheme">
|
|
</application> <!-- Sensitive -->
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++false++``:
|
|
|
|
----
|
|
<application
|
|
android:icon="@mipmap/ic_launcher"
|
|
android:label="@string/app_name"
|
|
android:roundIcon="@mipmap/ic_launcher_round"
|
|
android:supportsRtl="true"
|
|
android:debuggable="false"
|
|
android:theme="@style/AppTheme">
|
|
</application> <!-- Compliant -->
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
|
|
* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements
|
|
* https://www.owasp.org/index.php/Mobile_Top_10_2016-M10-Extraneous_Functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
|
|
* https://cwe.mitre.org/data/definitions/215.html[MITRE, CWE-215] - Information Exposure Through Debug Information
|
|
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|