Android debuggable attribute enabled¶
ID: java/android/debuggable-attribute-enabled
Kind: problem
Security severity: 7.2
Severity: warning
Precision: very-high
Tags:
- security
- external/cwe/cwe-489
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
The Android manifest file defines configuration settings for Android applications. In this file, the android:debuggable attribute of the application element controls whether the application can be debugged. When set to true, the application can be debugged even on a device running a production (user) build, not only on development (eng or userdebug) builds.
A debuggable application accepts debugger connections, so anyone with adb access to the device can attach a debugger to inspect and modify the running process, and can use adb shell run-as to read files in the application's private data directory. This can expose sensitive information or provide entry points into the application. As a result, android:debuggable should only be enabled during development and should be disabled in production builds.
Recommendation¶
In Android applications, either set the android:debuggable attribute to false, or do not include it in the manifest. The default value, when not included, is false. Note that the Android Gradle plugin also injects this attribute into the merged manifest according to the build type (the debug build type is debuggable by default), so check that the release build type does not set debuggable to true, and verify the manifest of the built APK rather than only the source manifest.
Example¶
In the example below, the android:debuggable attribute is set to true.
<manifest ... >
    <!-- BAD: 'android:debuggable' set to 'true' -->
    <application
        android:debuggable="true">
        <activity ... >
        </activity>
    </application>
</manifest>
The corrected version sets the android:debuggable attribute to false.
<manifest ... >
    <!-- GOOD: 'android:debuggable' set to 'false' -->
    <application
        android:debuggable="false">
        <activity ... >
        </activity>
    </application>
</manifest>
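The following is an added example, not code from the CodeQL repository or from the query itself: a small stand-alone Python check that inspects an AndroidManifest.xml for the same condition the query reports, treating a missing attribute as the platform default of false. The manifests embedded in it are constructed samples, and the function names (is_debuggable, check_manifest) are this example's own.

```python
"""Added example: flag android:debuggable="true" in an AndroidManifest.xml.

Not code from the CodeQL repository; the manifests below are constructed
samples and the helper names are this example's own.
"""
import xml.etree.ElementTree as ET

# Every real manifest binds the android: prefix to this namespace, so
# ElementTree exposes the attribute in Clark notation: {namespace}debuggable.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def is_debuggable(manifest_xml: str) -> bool:
    """Return True only when <application> sets android:debuggable="true".

    A missing attribute means the platform default, which is false. The
    comparison is case-insensitive so unusual casing is not missed.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is %r, not <manifest>" % root.tag)
    application = root.find("application")
    if application is None:
        return False
    value = application.get(DEBUGGABLE_ATTR, "false")
    return value.strip().lower() == "true"


def check_manifest(manifest_xml: str, path: str = "AndroidManifest.xml") -> list:
    """Return a list of finding strings; empty when the manifest is clean."""
    findings = []
    if is_debuggable(manifest_xml):
        findings.append(
            "%s: android:debuggable is set to true; remove the attribute or "
            "set it to false for production builds (CWE-489)" % path
        )
    return findings


# Constructed sample manifests (not taken from any real application).
BAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

GOOD_MANIFEST = BAD_MANIFEST.replace(
    'android:debuggable="true"', 'android:debuggable="false"'
)

# Omitting the attribute entirely is also fine: the default is false.
OMITTED_MANIFEST = BAD_MANIFEST.replace(' android:debuggable="true"', "")


if __name__ == "__main__":
    samples = [("bad", BAD_MANIFEST), ("good", GOOD_MANIFEST), ("omitted", OMITTED_MANIFEST)]
    for name, xml in samples:
        result = check_manifest(xml, path=name + "/AndroidManifest.xml")
        print(name, result or "clean")
```

This only inspects a source manifest. When the app is built with the Android Gradle plugin the attribute can be added by the build type during manifest merging, so the same check should be run against the merged manifest or the built APK; for an APK, aapt dump xmltree app.apk AndroidManifest.xml prints the compiled manifest with the attribute visible.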
References¶
Android Developers: App Manifest Overview.
Android Developers: The android:debuggable attribute.
Android Developers: Enable debugging.
Common Weakness Enumeration: CWE-489.