Xml Android Debuggable True
Description
Detects when Android applications have debugging enabled in their manifest file through the android:debuggable="true" setting. When debugging is enabled in production, attackers can attach debuggers to inspect application internals, extract sensitive data, and potentially modify runtime behavior.
Detection Strategy
• Search AndroidManifest.xml files for <application> tags
• Check if the android:debuggable attribute is explicitly set to 'true' (case-insensitive)
• Report a vulnerability if debugging is enabled, including the exact line and column where this configuration was found
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.app">
<application
android:debuggable="true"> <!-- SECURITY RISK: Debug mode enabled in manifest allows attackers to access app data -->
<activity android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />...✅ Secure code example
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.app">
<application
android:debuggable="false"> <!-- Set debuggable to false for production releases -->
<activity android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.