Debugging enabled in production - APK - android

Need

Disable debugging in production APKs to prevent unauthorized access

Context

  • Usage of Android development for mobile applications
  • Ensuring production APKs do not expose debugging capabilities

Description

Non compliant code

    <manifest ...>
        <application
            android:name=".MyApplication"
            android:debuggable="true"
            android:label="@string/app_name"
            android:theme="@style/AppTheme">
        </application>
    </manifest>

In this AndroidManifest.xml configuration, android:debuggable is hard-coded to true on the <application> element. When the attribute is absent, the Gradle build type decides its value: the debug build type injects debuggable="true" into the merged manifest and the release build type leaves it false. A true value therefore reaches a release APK only through a hard-coded manifest attribute like this one or through a misconfigured release build type.

If a production APK is debuggable, anyone with ADB access to the device can attach a JDWP debugger to the running process: read and modify variables and heap contents, set breakpoints, invoke methods inside the app, and use `adb shell run-as <package>` to read the app's private data directory. This exposes stored credentials and tokens, databases and internal logic, and allows arbitrary code to be executed in the app's context.

To mitigate this risk, the android:debuggable attribute should either be explicitly set to false in AndroidManifest.xml or, preferably, be omitted from the manifest and controlled by the build configuration, with the release build type enforcing debuggable false.

Steps

  • Open the AndroidManifest.xml file of your application.
  • Ensure that `android:debuggable` is not set to `true` in the `<application>` tag.
  • Open the module's build.gradle (or build.gradle.kts) file and verify that `debuggable false` (`isDebuggable = false` in Kotlin DSL) is enforced for the release build type, and that no release-specific flavor or variant overrides it.
  • Rebuild the application and confirm that the production APK does not have debugging enabled, checking the built artifact rather than only the sources.
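
The following script, added here as an example and not part of the original page, automates the first three steps as a pre-release check that can run in CI. It reads the merged AndroidManifest.xml as text and the module's build.gradle or build.gradle.kts, reports whether the release build type or the manifest enables debugging, and ignores a `debuggable true` that sits in the debug build type. The file contents and package name below are constructed sample inputs; the function names are this example's own.

```python
"""Pre-release check for android:debuggable (added example, not from the page).

Assumes two text inputs: the merged AndroidManifest.xml and the app module's
build.gradle (Groovy) or build.gradle.kts (Kotlin DSL). Block parsing assumes
one `name {` opener per line, which matches normal Gradle formatting.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# `release {` (Groovy) or `getByName("release") {` (Kotlin DSL)
_BLOCK_OPEN = re.compile(r'^\s*(?:getByName\(\s*"(\w+)"\s*\)|(\w+))\s*\{')
# `debuggable true`, `debuggable = true` or `isDebuggable = true`
_DEBUGGABLE = re.compile(r"\b(?:isD|d)ebuggable\s*=?\s*(true|false)\b")


def manifest_debuggable(manifest_xml):
    """True/False when <application android:debuggable=...> is present, None when absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return None
    value = app.get(DEBUGGABLE_ATTR)
    if value is None:
        return None
    return value.strip().lower() == "true"


def release_debuggable(gradle_text):
    """Value of `debuggable` inside buildTypes.release, or None when not set there."""
    stack = []      # names of the enclosing blocks; None for anonymous braces
    found = None
    for raw in gradle_text.splitlines():
        line = raw.split("//", 1)[0]          # drop line comments
        opens, closes = line.count("{"), line.count("}")
        m = _BLOCK_OPEN.match(line)
        if m and opens:
            stack.append(m.group(1) or m.group(2))
            opens -= 1
        stack.extend([None] * opens)          # lambdas and other unnamed blocks
        if stack[-2:] == ["buildTypes", "release"]:
            dm = _DEBUGGABLE.search(line)
            if dm:
                found = dm.group(1) == "true"
        del stack[len(stack) - min(closes, len(stack)):]
    return found


def audit(manifest_xml, gradle_text):
    """Return a list of findings; an empty list means the release build is not debuggable."""
    findings = []
    if manifest_debuggable(manifest_xml) is True:
        findings.append('AndroidManifest.xml: <application android:debuggable="true">')
    if release_debuggable(gradle_text) is True:
        findings.append("build.gradle: buildTypes.release sets debuggable true")
    return findings


# Constructed sample inputs (hypothetical package name)
BAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:name=".MyApplication" android:debuggable="true" />
</manifest>"""

GOOD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:name=".MyApplication" />
</manifest>"""

BAD_GRADLE = """android {
    buildTypes {
        getByName("release") {
            isDebuggable = true   // constructed misconfiguration (Kotlin DSL)
        }
    }
}"""

GOOD_GRADLE = """android {
    buildTypes {
        debug {
            debuggable true   // acceptable: debug build type only
        }
        release {
            debuggable false
            minifyEnabled true
        }
    }
}"""

if __name__ == "__main__":
    for label, m, g in (("bad", BAD_MANIFEST, BAD_GRADLE), ("good", GOOD_MANIFEST, GOOD_GRADLE)):
        print(label, audit(m, g) or "no findings")
```

In a real build the merged manifest is typically found under app/build/intermediates/merged_manifests/release/ after assembling the release variant. The source-level check complements, but does not replace, inspecting the final artifact: `aapt dump badging app-release.apk` prints an `application-debuggable` line when the flag is set, and `apkanalyzer manifest debuggable app-release.apk` prints true or false.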

Compliant code

    <manifest ...>
        <application
            android:name=".MyApplication"
            android:label="@string/app_name"
            android:theme="@style/AppTheme">
        </application>
    </manifest>

    // Ensure proper configuration in build.gradle
    android {
        buildTypes {
            release {
                debuggable false
            }
        }
    }

This corrected AndroidManifest.xml omits the android:debuggable attribute altogether and leaves its value to the build system, where the release build type in build.gradle enforces debuggable false.

The release build type disables debugging by default, but a hard-coded manifest attribute or an edited build type can override that default, so verify the built release APK rather than trusting the defaults.

The Gradle build configuration should enforce this security setting so that debugging is enabled only in the debug build type and never in the release build type.
