...
Note that some development environments (including Eclipse/ADT and Ant) automatically set android:debuggable to true for incremental or debugging builds but set it to false for release builds.
| Code Block | ||
|---|---|---|
| ||
|
<configuration>
<compilation debug="true"/>
</configuration> |
Risk Assessment
Releasing an app with its android:debuggable attribute set to true can leak sensitive information. In addition, the app is vulnerable to decompilation, resulting in alteration to source code.Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
...
Automatic detection of the setting of the android:debuggable attribute is straightforward. It is not feasible to automatically determine whether any data that might be revealed by debugging the app is sensitive.
Related Vulnerabilities
...
In the URL example above, <RULE_ID> should be substituted by this CERT guideline ID (e.g., INT31-C). Then, remove this purple-font paragraph.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Fill in the table below with at least one entry row, per these instructions, then remove this purple-font section.
| CWE | 359: Exposure of Private Information | ||
| CWE | 264: Permissions, Privileges, and Access Controls | TBD (e.g., MITRE CWE) |
Bibliography
| ASP.NET Misconfiguration: Creating Debug Binary | http://www.ids-sax2.com/Knowledgebase/NetworkSecurity/Creating-Debug-Binary.htm |
...