OWASP category: V1: Architecture, Design and Threat Modeling
Overview
The android:debuggable attribute sets whether the app is debuggable. It's set for the app as a whole and can't be overridden by individual components. The attribute is set to false by default.
It's not a vulnerability if you allow your app to be debuggable, but it exposes your app to greater risk through unintended and unauthorized access to administrative functions. This can allow attackers more access to your app and the resources that it uses, likely more than intended.
Impact
When you set the android:debuggable flag to true, an attacker can debug your app, making it easier for them to gain access to parts of your app that should be kept secure.
Mitigations
Always set the android:debuggable flag to false when publishing your app.
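One way to enforce this before publishing is a pre-release check over the plain-text AndroidManifest.xml. The following is an added example, not code from the original page; the function names and the sample manifests are constructed for illustration, and it assumes the source (not compiled) manifest is being inspected.

```python
import xml.etree.ElementTree as ET

# Namespace that the android: prefix maps to in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS


def debuggable_setting(manifest_xml):
    """Return 'true', 'false' or 'unresolved' for the <application> element."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return "false"  # no <application> element, so the default applies
    value = app.get(DEBUGGABLE)
    if value is None:
        return "false"  # attribute absent: false by default
    value = value.strip().lower()
    if value in ("true", "false"):
        return value
    # Anything else (for example a resource reference) cannot be decided
    # from the manifest text alone, so treat it as needing review.
    return "unresolved"


def safe_to_publish(manifest_xml):
    """Pass only when the manifest provably leaves the app non-debuggable."""
    return debuggable_setting(manifest_xml) == "false"


# Constructed sample manifests (hypothetical package name).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.app">')
DEBUG_ON = HEAD + '<application android:debuggable="true"/></manifest>'
DEBUG_OFF = HEAD + '<application android:debuggable="false"/></manifest>'
NOT_SET = HEAD + '<application android:label="Example"/></manifest>'
REFERENCE = HEAD + '<application android:debuggable="@bool/dbg"/></manifest>'

if __name__ == "__main__":
    samples = [("debuggable=true", DEBUG_ON), ("debuggable=false", DEBUG_OFF),
               ("not set", NOT_SET), ("resource reference", REFERENCE)]
    for name, xml in samples:
        verdict = "ok" if safe_to_publish(xml) else "BLOCK RELEASE"
        print("%-20s %-11s %s" % (name, debuggable_setting(xml), verdict))
```
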