In the application manifest element of an android application, setting debuggable property to true could
introduce a security risk.
It’s more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.
Ask Yourself Whether
- the development of the app is completed and the
debuggable property is set to true
- the app will be published on the Play Store or distributed in any other ways and the
debuggable property is set to true
You are at risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the
property automatically and assign the correct value depending on the build type.
Sensitive Code Example
In AndroidManifest.xml the android debuggable property is set to true:
<application
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:debuggable="true"
android:theme="@style/AppTheme">
</application> <!-- Sensitive -->
Compliant Solution
In AndroidManifest.xml the android debuggable property is set to false:
<application
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:debuggable="false"
android:theme="@style/AppTheme">
</application> <!-- Compliant -->
See
