Android debuggable attribute enabled

ID: java/android/debuggable-attribute-enabled
Kind: problem
Security severity: 7.2
Severity: warning
Precision: very-high
Tags: security, external/cwe/cwe-489
Query suites: java-code-scanning.qls, java-security-extended.qls, java-security-and-quality.qls
The Android manifest file defines configuration settings for Android applications. In this file, the android:debuggable attribute of the application element controls whether or not the application can be debugged. When set to true, this attribute allows the application to be debugged even when it is running on a device in user mode.

When debugging is enabled, it could expose entry points into the application or reveal sensitive information. As a result, android:debuggable should only be enabled during development and should be disabled in production builds.
Recommendation

In Android applications, either set the android:debuggable attribute to false, or do not include it in the manifest at all. The default value, when the attribute is not included, is false.
Example

In the example below, the android:debuggable attribute is set to true.

    <manifest ... >
        <!-- BAD: 'android:debuggable' set to 'true' -->
        <application android:debuggable="true">
            <activity ... >
            </activity>
        </application>
    </manifest>
The corrected version sets the android:debuggable attribute to false.

    <manifest ... >
        <!-- GOOD: 'android:debuggable' set to 'false' -->
        <application android:debuggable="false">
            <activity ... >
            </activity>
        </application>
    </manifest>
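The recommendation above (set the attribute to false or omit it, since the default is false) can be checked outside CodeQL as well. The following script is an added example, not part of the CodeQL query or its documentation; it parses a manifest with Python's standard library and flags only the explicit android:debuggable="true" case, treating an absent attribute as the safe default. The sample manifests are constructed here, and the package name is a placeholder.

```python
# Added example (not from the CodeQL docs): report AndroidManifest.xml files whose
# <application> element sets android:debuggable="true".
import xml.etree.ElementTree as ET

# The android: prefix resolves to this namespace URI; ElementTree exposes
# namespaced attributes as "{uri}name" keys.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"


def debuggable_setting(manifest_xml: str):
    """Return the value of android:debuggable on <application>, or None when absent.

    An absent attribute falls back to the platform default of false."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return None
    return app.get(DEBUGGABLE)


def is_debuggable(manifest_xml: str) -> bool:
    """True only when the attribute is explicitly 'true' (the case the query flags)."""
    value = debuggable_setting(manifest_xml)
    return value is not None and value.strip().lower() == "true"


# Constructed sample manifests mirroring the BAD and GOOD cases above.
BAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""

GOOD_MANIFEST = BAD_MANIFEST.replace('android:debuggable="true"', 'android:debuggable="false"')

# Omitting the attribute entirely is also acceptable: the default is false.
OMITTED_MANIFEST = BAD_MANIFEST.replace(' android:debuggable="true"', "")


if __name__ == "__main__":
    for name, xml in [("bad", BAD_MANIFEST), ("good", GOOD_MANIFEST), ("omitted", OMITTED_MANIFEST)]:
        print(f"{name}: {'debuggable' if is_debuggable(xml) else 'not debuggable'}")
```

Build tooling can merge several manifests and inject this attribute per build type, so the merged manifest of the release build, not only the source file, is what should be checked before shipping.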
References
Android Developers: App Manifest Overview.
Android Developers: The android:debuggable attribute.
Android Developers: Enable debugging.
Common Weakness Enumeration: CWE-489.