Xml Debuggable True In Manifest
Description
Detects when Android applications are configured with debugging enabled in the manifest file. When an app is marked as debuggable, attackers can attach debuggers to inspect and manipulate the running application, potentially exposing sensitive data and functionality.
Detection Strategy
• Scans Android manifest XML files for <application> tags
• Checks whether the android:debuggable attribute on that tag is set to "true"
• Reports a vulnerability when debugging is explicitly enabled, including the exact location in the file
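As an added illustration of the strategy above (this is not Fluid Attacks' scanner, and the sample manifests are constructed), the following Python script parses a manifest, looks only at <application> tags, and reports the line and column of each one that sets android:debuggable="true":

```python
import xml.parsers.expat

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def find_debuggable(manifest_xml: str) -> list:
    """Return one finding per <application> tag whose android:debuggable
    attribute is "true", with the 1-based line/column of that tag so a
    report can point at the exact location in the file."""
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    # With namespace processing on, expat names attributes "<uri>}<local>",
    # so the check works whatever prefix the manifest binds to the namespace.
    target_attr = ANDROID_NS + "}debuggable"

    def start_element(name, attrs):
        if name != "application":
            return
        value = attrs.get(target_attr)
        if value is not None and value.strip().lower() == "true":
            findings.append({
                "line": parser.CurrentLineNumber,  # position of the "<application" tag
                "column": parser.CurrentColumnNumber + 1,
                "attribute": "android:debuggable",
                "value": value,
            })

    parser.StartElementHandler = start_element
    parser.Parse(manifest_xml, True)
    return findings


# Constructed sample manifests (not taken from a real app).
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <application
        android:name=".MyApp"
        android:debuggable="true"
        android:icon="@mipmap/ic_launcher" />
</manifest>
"""
# Same manifest with the flag omitted; android:debuggable then defaults to false.
SECURE_MANIFEST = VULNERABLE_MANIFEST.replace('        android:debuggable="true"\n', "")

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_MANIFEST), ("secure", SECURE_MANIFEST)):
        hits = find_debuggable(doc)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit['attribute']}=\"{hit['value']}\" at line {hit['line']}, column {hit['column']}")
```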
Vulnerable code example
    <?xml version="1.0" encoding="utf-8"?>
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.myapp">
        <!-- SECURITY ISSUE: Debug mode enabled can expose sensitive data and debugging features -->
        <application
            android:name=".MyApp"
            android:debuggable="true"
            android:icon="@mipmap/ic_launcher"...
✅ Secure code example
    <?xml version="1.0" encoding="utf-8"?>
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.myapp">
        <!-- Prevents unauthorized data backup -->
        <application
            android:name=".MyApp"
            android:allowBackup="false"
            android:icon="@mipmap/ic_launcher"...