Android debuggable attribute enabled
ID: java/android/debuggable-attribute-enabled
Kind: problem
Security severity: 7.2
Severity: warning
Precision: very-high
Tags:
- security
- external/cwe/cwe-489
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
The Android manifest file defines configuration settings for Android applications. In this file, the android:debuggable attribute of the application element controls whether the application can be debugged. When set to true, this attribute allows the application to be debugged even when it is running on a device in user mode.

When a debugger can be attached, it can expose entry points into the application or reveal sensitive information. As a result, android:debuggable should only be enabled during development and must be disabled in production builds.
Recommendation
In Android applications, either set the android:debuggable attribute to false, or do not include it in the manifest. The default value, when the attribute is not included, is false.
Example

In the example below, the android:debuggable attribute is set to true.

    <manifest ... >
        <application
            android:debuggable="true">
            ...
        </application>
    </manifest>

The corrected version sets the android:debuggable attribute to false.

    <manifest ... >
        <application
            android:debuggable="false">
            ...
        </application>
    </manifest>
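The following script is an added example, not part of the CodeQL query or its documentation. It reproduces the query's check outside CodeQL: it parses an AndroidManifest.xml with the standard library, reads the namespaced android:debuggable attribute of the application element, and reports the manifest only when the attribute is literally "true", treating an explicit "false" and an absent attribute alike (the platform default described above). The three manifests embedded in it are constructed samples.

```python
import xml.etree.ElementTree as ET

# The android: prefix in a manifest is bound to this namespace URI; ElementTree
# exposes namespaced attributes as "{uri}localname".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Constructed sample manifests for this example; they do not come from any real project.
MANIFEST_DEBUGGABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application
        android:label="Sample"
        android:debuggable="true">
    </application>
</manifest>
"""

MANIFEST_EXPLICIT_FALSE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application
        android:label="Sample"
        android:debuggable="false">
    </application>
</manifest>
"""

MANIFEST_OMITTED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application
        android:label="Sample">
    </application>
</manifest>
"""


def is_debuggable(manifest_xml: str) -> bool:
    """Return the effective android:debuggable setting of the <application> element.

    True only when the attribute is present and equal to "true". An explicit
    "false" or an absent attribute both yield False, which is the platform
    default. A manifest without a <manifest> root or without an <application>
    element is malformed for this purpose and raises ValueError.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is %r, expected <manifest>" % root.tag)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(DEBUGGABLE_ATTR)
    return value is not None and value.strip().lower() == "true"


def flag_debuggable_manifests(manifests: dict) -> list:
    """Return the (sorted) names of the manifests that this rule would report."""
    return sorted(name for name, xml in manifests.items() if is_debuggable(xml))


if __name__ == "__main__":
    samples = {
        "debuggable": MANIFEST_DEBUGGABLE,
        "explicit_false": MANIFEST_EXPLICIT_FALSE,
        "omitted": MANIFEST_OMITTED,
    }
    for name in flag_debuggable_manifests(samples):
        print('android:debuggable="true" found in manifest:', name)
```

The check reads the literal manifest text only. In a Gradle build the attribute in the merged manifest of the final APK can also come from the build type, so for a release artifact inspect the merged manifest rather than the source file, and note that a value given as a resource reference rather than the literal "true" is not reported by this script.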
References
Android Developers: App Manifest Overview.
Android Developers: The android:debuggable attribute.
Android Developers: Enable debugging.
Common Weakness Enumeration: CWE-489.