android:debuggable

OWASP category: V1: Architecture, Design and Threat Modeling

Overview

The android:debuggable attribute sets whether the app is debuggable. It's set for the app as a whole and can't be overridden by individual components. The attribute is set to false by default.

Allowing your app to be debuggable is not a vulnerability in itself, but it exposes your app to greater risk through unintended and unauthorized access to administrative functions. This can give attackers more access to your app and the resources that it uses than you intended.

Impact

When you set the android:debuggable flag to true, an attacker can debug your app, making it easier for them to gain access to parts of your app that should be kept secure.

Mitigations

Always set the android:debuggable flag to false when publishing your app.
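
One way to enforce this before publishing is a release gate that reads the manifest and fails when the attribute is true or cannot be resolved. The script below is an added example, not code from the Android documentation; it assumes a plain-text XML manifest (source or decoded, not the binary form inside an APK), and the sample manifests and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"

# Constructed sample manifests (not taken from any real app).
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <application android:label="Sample" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

RELEASE_MANIFEST = DEBUG_MANIFEST.replace(' android:debuggable="true"', "")


def debuggable_state(manifest_xml: str) -> str:
    """Classify the <application> android:debuggable setting.

    Returns "true", "false", "absent" (the attribute defaults to false),
    or "unresolved" when the value is a resource reference or placeholder
    that this script cannot evaluate.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(DEBUGGABLE)
    if value is None:
        return "absent"
    value = value.strip().lower()
    return value if value in ("true", "false") else "unresolved"


def safe_to_publish(manifest_xml: str) -> bool:
    """Release gate: pass only when debuggable is false or absent.

    An unresolved value fails closed so it gets a manual review.
    """
    return debuggable_state(manifest_xml) in ("false", "absent")


if __name__ == "__main__":
    for name, xml in (("debug", DEBUG_MANIFEST), ("release", RELEASE_MANIFEST)):
        print(f"{name}: state={debuggable_state(xml)} publish_ok={safe_to_publish(xml)}")
```

Run the check against the manifest that is actually packaged for release, since the value in the built app can differ from the one in the source manifest.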