Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added CWE related guideline 264

 

 

 

This rule was developed in part by Stephanie Colton at and Aashirya Kaushik at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
For more information about this statement, see the About the OurCS Workshop page.

...

Code Block
bgColor#CCCCFF
android:debuggable="false"

Note that some development environments (including Eclipse/ADT and Ant) automatically set android:debuggable to true for incremental or debugging builds but set it to false for release builds.

Code Block
bgColor#CCCCFF
 <configuration>   
 <compilation debug="true"/> 
 </configuration>

Risk Assessment

Releasing an app with its android:debuggable attribute set to true can leak sensitive information. In addition, the app is vulnerable to decompilation, resulting in alteration to source code.Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD10-J

High

Probable

Low

P18

L1

...

Automatic detection of the setting of the android:debuggable attribute is straightforward. It is not feasible to automatically determine whether any data that might be revealed by debugging the app is sensitive.

Bibliography

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

 CWE359: Exposure of Private Information
CWE264: Permissions, Privileges, and Access Controls

Bibliography

ASP.NET Misconfiguration: Creating Debug Binary http://www.ids-sax2.com/Knowledgebase/NetworkSecurity/Creating-Debug-Binary.htm[TBD] 

 

...