This rule was developed in part by Stephanie Colton and Aashirya Kaushik at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html). For more information about this statement, see the About the OurCS Workshop page.
Android allows the attribute android:debuggable to be set to true in the manifest, so that the app can be debugged. By default this attribute is disabled, i.e., it is set to false, but it may be set to true to help with debugging during development of the app. However, an app should never be released with this attribute set to true as it enables users to gain access to details of the app that should be kept secure. With the attribute set to true, users can debug the app even without access to its source code.
Noncompliant Code Example
This noncompliant code example shows an app that has the android:debuggable attribute set to true being accessed to reveal sensitive data.

```
$ adb shell
shell@android:/ $ run-as com.example.someapp sh
shell@android:/data/data/com.example.someapp $ id
uid=10060(app_60) gid=10060(app_60)
shell@android:/data/data/com.example.someapp $ ls files/
secret_data.txt
shell@android:/data/data/com.example.some $ cat files/secret_data.txt
password=GoogolPlex
account_number=31974286
```
Clearly, with the android:debuggable attribute set to true, sensitive data related to the app can be revealed to any user.
Compliant Solution
Ensure that the android:debuggable attribute is set to false before the app is released:

```
android:debuggable="false"
```
Note that some development environments (including Eclipse/ADT and Ant) automatically set android:debuggable to true for incremental or debugging builds but set it to false for release builds.
Risk Assessment
Releasing an app with its android:debuggable attribute set to true can leak sensitive information. In addition, the app is vulnerable to decompilation, resulting in alteration to source code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD10-J | High | Probable | Low | P18 | L1 |
Automated Detection
Automatic detection of the setting of the android:debuggable attribute is straightforward. It is not feasible to automatically determine whether any data that might be revealed by debugging the app is sensitive.
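One way to automate the manifest check described above, as an added example that is not part of the original rule. It assumes a plain-text AndroidManifest.xml (the manifest inside a built APK is binary XML and must be decoded first); the function name, result labels and sample manifests are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS


def check_debuggable(manifest_xml):
    """Classify a plain-text AndroidManifest.xml for a release build.

    Returns "noncompliant" (literal true), "compliant" (literal false or
    attribute absent, since the default is false), or "review" (a resource
    reference such as @bool/..., which the manifest alone cannot resolve).
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    if app is None or app.get(DEBUGGABLE) is None:
        return "compliant"
    value = app.get(DEBUGGABLE).strip().lower()
    if value == "true":
        return "noncompliant"
    if value == "false":
        return "compliant"
    return "review"


def _manifest(app_attrs):
    # Constructed sample input, not taken from a real app.
    return ('<manifest xmlns:android="%s" package="com.example.someapp">'
            '<application %s/></manifest>' % (ANDROID_NS, app_attrs))


SAMPLES = {
    "debug_left_on": _manifest('android:debuggable="true"'),
    "explicit_false": _manifest('android:debuggable="false"'),
    "attribute_absent": _manifest('android:label="Some App"'),
    "resource_ref": _manifest('android:debuggable="@bool/is_debug"'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, "->", check_debuggable(xml_text))
```

A "review" result means the value has to be resolved against the build's resources before release; the check says nothing about whether the data exposed by debugging is sensitive.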
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.