CodeQL documentation

Android debuggable attribute enabled

ID: java/android/debuggable-attribute-enabled
Kind: problem
Security severity: 7.2
Severity: warning
Precision: very-high
Tags:
   - security
   - external/cwe/cwe-489
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls


The Android manifest file defines configuration settings for Android applications. In this file, the android:debuggable attribute of the application element controls whether the application can be debugged. When set to true, the application accepts debugger connections even on a production ("user" build) device, not only on an engineering or userdebug build.

A debuggable application lets anyone with access to the device (for example over adb) attach a debugger to the process, inspect its memory and private data, and invoke its code, which can expose sensitive information or provide an entry point into the application. As a result, android:debuggable should only be enabled during development and must be disabled in production builds.


In Android applications, either set the android:debuggable attribute to false, or do not include it in the manifest. The default value, when not included, is false.
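The check the query performs, as an added example that is not CodeQL's own implementation: a small Python scanner that parses a manifest, finds the application element, and classifies its android:debuggable setting. It follows the rule above, treating an absent attribute as the platform default (false) and a resource reference such as @bool/... as unresolved rather than guessing. The manifests it runs over are constructed for illustration and do not come from any real app.

```python
"""Added example: classify the android:debuggable setting of an AndroidManifest.xml.

The sample manifests at the bottom are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Namespace that every Android manifest binds to the "android:" prefix.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"


def debuggable_setting(manifest_xml: str) -> str:
    """Classify android:debuggable on the <application> element.

    Returns one of:
      "true"      - attribute present and literally "true" (what the query flags)
      "false"     - attribute present and literally "false"
      "absent"    - attribute not set; Android defaults it to false
      "reference" - value is a resource reference ("@bool/...") that has to be
                    resolved against the build's resources before deciding
    Raises ValueError for a manifest without an <application> element or
    with a value that is neither a boolean literal nor a reference.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element must be <manifest>")
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element in manifest")
    value = app.get(DEBUGGABLE)
    if value is None:
        return "absent"
    if value.startswith("@"):
        return "reference"
    if value == "true":
        return "true"
    if value == "false":
        return "false"
    raise ValueError(f"unexpected android:debuggable value: {value!r}")


def is_flagged(manifest_xml: str) -> bool:
    """True when the manifest would trigger the query: debuggable is literally true."""
    return debuggable_setting(manifest_xml) == "true"


# --- constructed sample manifests (hypothetical package name, not a real app) ---
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.app">')

BAD_MANIFEST = _HEAD + """
    <application android:debuggable="true" android:label="Example">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

GOOD_EXPLICIT_FALSE = _HEAD + """
    <application android:debuggable="false" android:label="Example">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

GOOD_ABSENT = _HEAD + """
    <application android:label="Example">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

NEEDS_RESOLUTION = _HEAD + """
    <application android:debuggable="@bool/enable_debug">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""


if __name__ == "__main__":
    for name, xml in [("BAD", BAD_MANIFEST), ("GOOD_FALSE", GOOD_EXPLICIT_FALSE),
                      ("GOOD_ABSENT", GOOD_ABSENT), ("REFERENCE", NEEDS_RESOLUTION)]:
        print(f"{name:11} debuggable={debuggable_setting(xml)} flagged={is_flagged(xml)}")
```

One caveat when using a check like this: in Gradle-built projects the source manifest often omits the attribute and the build type decides it (the debug build type is debuggable by default, the release build type is not), so run the check against the merged manifest of the release variant or the manifest inside the built APK, not only the manifest in source control.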


In the example below, the android:debuggable attribute is set to true.

<manifest ... >
    <!-- BAD: 'android:debuggable' set to 'true' -->
    <application android:debuggable="true">
        <activity ... />
    </application>
</manifest>

The corrected version sets the android:debuggable attribute to false.

<manifest ... >
    <!-- GOOD: 'android:debuggable' set to 'false' -->
    <application android:debuggable="false">
        <activity ... />
    </application>
</manifest>


  • © GitHub, Inc.