| This rule was developed in part by Stephanie Colton at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html). For more information about this statement, see the About the OurCS Workshop page. |
|---|
Android allows the attribute android:debuggable to be set to true in the manifest, so that the app can be debugged. By default this attribute is disabled, i.e., it is set to false, but it may be set to true to help with debugging during development of the app. However, an app should never be released with this attribute set to true as it enables users to gain access to details of the app that should be kept secure. With the attribute set to true, users can debug the app even without access to its source code.
...
Releasing an app with its android:debuggable attribute set to true can leak sensitive information. In addition, the app is vulnerable to decompilation, resulting in alteration to source code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD10-J | High | Probable | Low | P18 | L1 |
...