android:debuggable

OWASP category: MASVS-PLATFORM: Platform Interaction

Overview

The android:debuggable attribute sets whether the application is debuggable. It is set for the application as a whole and can not be overridden by individual components. The attribute is set to false by default.

Allowing the application to be debuggable in itself is not a vulnerability, but it does expose the application to greater risk through unintended and unauthorized access to administrative functions. This can allow attackers more access to the application and resources used by the application than intended.

Impact

Setting the android:debuggable flag to true enables an attacker to debug the application, making it easier for them to gain access to parts of the application that should be kept secure.

Mitigations

Always make sure to set the android:debuggable flag to false when shipping your application.