Android

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Unknown User (lflynn)

Saved on

compared with

New Version Current

changes.mady.by.user Stephanie Colton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added CWE related guideline 264
This rule was developed in part by Stephanie Colton and Aashirya Kaushik at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
For more information about this statement, see the About the OurCS Workshop page.


Android allows the attribute android:debuggable to be set to true in the manifest, so that the app can be debugged.  By default this attribute is disabled, i.e., it is set to false, but it may be set to true to help with debugging during development of the app.  However, an app should never be released with this attribute set to true as it enables users to gain access to details of the app that should be kept secure.  With the attribute set to true, users can debug the app even without access to its source code.

...

Code Block
bgColor#CCCCFF
android:debuggable="false"

Note that some development environments (including Eclipse/ADT and Ant) automatically set android:debuggable to true for incremental or debugging builds but set it to false for release builds.

Code Block
bgColor#CCCCFF
 <configuration>   
 <compilation debug="true"/> 
 </configuration>

Risk Assessment

Releasing an app with its android:debuggable attribute set to true can leak sensitive information. In addition, the app is vulnerable to decompilation, resulting in alteration to source code.Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD10-J

High

Probable

Low

P18

L1

...

Automatic detection of the setting of the android:debuggable attribute is straightforward. It is not feasible to automatically determine whether any data that might be revealed by debugging the app is sensitive.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

 CWE359: Exposure of Private Information
CWE

Bibliography

264: Permissions, Privileges, and Access Controls

Bibliography

ASP.NET Misconfiguration: Creating Debug Binary http://www.ids-sax2.com/Knowledgebase/NetworkSecurity/Creating-Debug-Binary.htm[TBD] 

 

...