
Debugging enabled in production - APK - Android


Need

Disable debugging in production APKs to prevent unauthorized access


Context

  1. Usage of Android development for mobile applications
  2. Ensuring production APKs do not expose debugging capabilities

Description

Insecure Code Example

<manifest ...>
    <application
        android:name=".MyApplication"
        android:debuggable="true"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>

In this AndroidManifest.xml configuration the `android:debuggable` attribute is hardcoded to `true`. When the attribute is missing, the build system sets it for you (`false` in release builds), but a hardcoded value or a misconfigured build can leave debugging enabled in the production APK. If `android:debuggable="true"` is present in a production APK, attackers can connect to the application via ADB and execute debugging commands, potentially exposing sensitive data and internal logic, and even allowing code injection. To mitigate this risk, the `android:debuggable` attribute should be explicitly set to `false` in the AndroidManifest.xml file or managed via the build configuration.

Steps

  1. Open the AndroidManifest.xml file of your application.
  2. Ensure that `android:debuggable` is not set to `true` in the `<application>` tag.
  3. Open the build.gradle file and verify that `debuggable false` is enforced for release builds.
  4. Rebuild the application and confirm that the production APK does not have debugging enabled.

Secure Code Example

<manifest ...>
    <application
        android:name=".MyApplication"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
    </application>
</manifest>

// Ensure proper configuration in build.gradle
android {
    buildTypes {
        release {
            debuggable false
        }
    }
}

This corrected AndroidManifest.xml configuration removes the `android:debuggable` attribute entirely, relying on the build system to set it correctly. Android's release builds disable debugging by default, but to rule out accidental misconfiguration it is recommended to manually verify that `debuggable` is not set to `true` anywhere. Additionally, the Gradle build configuration should enforce this security setting so that debugging is only enabled in debug builds.
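The following script is an added example (not part of this page or any Fluid Attacks tooling) that automates the checks in the Steps section above: it parses an AndroidManifest.xml for a hardcoded `android:debuggable` attribute and scans a Groovy or Kotlin build.gradle for the `debuggable` setting of the `release` build type. The manifest and Gradle samples embedded below are constructed for the example; the package name `com.example.app` is a placeholder, and the `xmlns:android` declaration is the standard one the page's `<manifest ...>` elides.

```python
import re
import xml.etree.ElementTree as ET

# Namespace behind the "android:" prefix in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def manifest_debuggable(manifest_xml: str):
    """Return True/False when <application> hardcodes android:debuggable,
    or None when the attribute is absent (the build system then decides)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return None
    value = app.get("{%s}debuggable" % ANDROID_NS)
    if value is None:
        return None
    return value.strip().lower() == "true"


def _block_body(text: str, name: str):
    """Return the text between the braces of `name { ... }`, or None.
    Brace-counting is enough for build scripts; it ignores braces in strings."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def release_debuggable_in_gradle(gradle_text: str):
    """Return True/False for `debuggable true|false` (Groovy) or
    `isDebuggable = true|false` (Kotlin DSL) inside buildTypes { release { } },
    or None when the release block does not set it explicitly."""
    build_types = _block_body(gradle_text, "buildTypes")
    if build_types is None:
        return None
    release = _block_body(build_types, "release")
    if release is None:
        return None
    m = re.search(r"\b(?:is)?[dD]ebuggable\s*=?\s*(true|false)\b", release)
    if not m:
        return None
    return m.group(1) == "true"


def audit(manifest_xml: str, gradle_text: str):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if manifest_debuggable(manifest_xml) is True:
        findings.append('manifest: android:debuggable="true" hardcoded on <application>')
    rel = release_debuggable_in_gradle(gradle_text)
    if rel is True:
        findings.append("gradle: release build type sets debuggable true")
    elif rel is None:
        findings.append("gradle: release build type does not set debuggable explicitly")
    return findings


# Constructed sample inputs mirroring the page's insecure and secure examples.
INSECURE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.app">
    <application android:name=".MyApplication" android:debuggable="true"
        android:label="@string/app_name" android:theme="@style/AppTheme">
    </application>
</manifest>""" % ANDROID_NS

SECURE_MANIFEST = INSECURE_MANIFEST.replace(' android:debuggable="true"', "")

INSECURE_GRADLE = "android {\n  buildTypes {\n    release {\n      debuggable true\n    }\n  }\n}\n"
SECURE_GRADLE = "android {\n  buildTypes {\n    release {\n      debuggable false\n    }\n  }\n}\n"
SECURE_GRADLE_KTS = "android {\n  buildTypes {\n    release {\n      isDebuggable = false\n    }\n  }\n}\n"

if __name__ == "__main__":
    for label, m, g in (("insecure", INSECURE_MANIFEST, INSECURE_GRADLE),
                        ("secure", SECURE_MANIFEST, SECURE_GRADLE)):
        print(label, audit(m, g) or "OK")
```

This checks sources, not the shipped artifact; the final gate belongs on the built APK, for example `aapt dump badging app-release.apk`, which prints an `application-debuggable` line only when the flag is set in the binary manifest. Android Lint's built-in `HardcodedDebugMode` check also flags the manifest attribute during the normal build.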


References

  • 058 - Debugging enabled in production - APK

  • Last updated

    2025/04/03