Android Studio

android:debuggable

OWASP category: V1: Architecture, Design and Threat Modeling

Overview

The android:debuggable attribute sets whether the app is debuggable. It's set for the app as a whole and can't be overridden by individual components. The attribute is set to false by default.

It's not a vulnerability if you allow your app to be debuggable, but it exposes your app to greater risk through unintended and unauthorized access to administrative functions. This can allow attackers more access to your app and the resources that it uses, likely more than intended.

Impact

When you set the android:debuggable flag to true, an attacker can debug your app, making it easier for them to gain access to parts of your app that should be kept secure.

Mitigations

Always set the android:debuggable flag to false when publishing your app.

Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

Last updated 2023-03-15 UTC.