Finding Description
The application was compiled with the debuggable flag enabled. If the application has the debuggable flag enabled, it is possible to attach a debugger to the application's process and execute arbitrary code. The default value is "false" if the debuggable flag is not set. Apps with debugging enabled expose runtime data to attackers, reducing the effort needed to exploit users by allowing them to read sensitive data and inject malicious behaviour into the running app. An attacker requires charging port access to perform this exploit. This vulnerability can affect the user's sensitive actions within the app, along with the app's runtime controls and processes. In certain frameworks, this flag can also disable security controls, creating other vulnerabilities such as exposure to man-in-the-middle attacks.
Steps to Reproduce
Determine whether the application was compiled with the debuggable flag enabled in the Android manifest.
Business Impact
This app did not disable a common development feature that is used to test the application before production. This makes it easier for attackers to understand how the app functions, which can uncover valuable information on how to obtain sensitive information from the app.
Remediation Resources
Recommended Fix
Android applications should have <code>android:debuggable="false"</code> set in the application manifest to prevent easy runtime manipulation by an attacker or malware. Alternatively, avoid setting this flag at all, since the default value set by Android is "false".
An app can use a system call that tells the operating system not to permit a debugger to attach to the process. By preventing a debugger from attaching, the capabilities of an attacker to interfere with the low-level runtime are limited. An attacker must first circumvent the debugging restrictions in order to attack the application at a low level, which adds further complexity to a would-be attack.
It should be noted that this feature can prevent successful app publication to the Google Play Store.
Code Samples
Bad Code Sample (.xml)
Good Code Sample (.xml)
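The bad and good manifest samples named above, together with the check described under Steps to Reproduce, as an added example that is not part of the original NowSecure page: constructed manifest fragments with the flag set to "true", set to "false", and omitted entirely, plus a small parser that reports whether the app is effectively debuggable. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (for instance with apktool or apkanalyzer; that step is outside the script), and the package name is a placeholder.

```python
"""Check a decoded AndroidManifest.xml for android:debuggable.

Added example, not NowSecure's code. Assumes the manifest has been decoded
to plain XML first (the manifest inside an APK is binary XML).
"""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree exposes namespaced attributes in Clark notation: {uri}localname
DEBUGGABLE_ATTR = f"{{{ANDROID_NS}}}debuggable"

# Constructed samples. "com.example.placeholder" is a placeholder package name.
# Bad: debugging explicitly left on in the shipped manifest.
BAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application android:label="Example" android:debuggable="true">
    </application>
</manifest>
"""

# Good: the flag is explicitly set to false.
GOOD_MANIFEST_EXPLICIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application android:label="Example" android:debuggable="false">
    </application>
</manifest>
"""

# Also good: the flag is omitted, so Android's default of false applies.
GOOD_MANIFEST_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application android:label="Example">
    </application>
</manifest>
"""


def debuggable_setting(manifest_xml: str) -> Optional[str]:
    """Return the raw android:debuggable value on <application>, or None if unset."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app.get(DEBUGGABLE_ATTR)


def is_debuggable(manifest_xml: str) -> bool:
    """True when the app is built with debugging enabled.

    Only a literal "true" counts: a missing attribute means Android's default
    (false). A resource reference such as "@bool/..." is not resolved here and
    should be checked by hand against the build variant's resources.
    """
    value = debuggable_setting(manifest_xml)
    return value is not None and value.strip().lower() == "true"


def assess(manifest_xml: str) -> dict:
    """Summarise the result in the shape a triage note would want."""
    value = debuggable_setting(manifest_xml)
    flagged = is_debuggable(manifest_xml)
    if flagged:
        verdict = 'FINDING: android:debuggable="true"'
    elif value is None:
        verdict = "OK: debugging disabled (default)"
    else:
        verdict = "OK: debugging disabled"
    return {"declared": value, "debuggable": flagged, "verdict": verdict}


if __name__ == "__main__":
    samples = (
        ("bad", BAD_MANIFEST),
        ("good-explicit", GOOD_MANIFEST_EXPLICIT),
        ("good-default", GOOD_MANIFEST_DEFAULT),
    )
    for name, xml in samples:
        print(f"{name:14s} -> {assess(xml)['verdict']}")
```

To run this against a real app, decode the APK's manifest to plain XML and pass the file's contents to `assess()`; the "declared" field distinguishes a manifest that omits the attribute from one that sets it to "false", which matters when confirming the Recommended Fix was applied.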
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 4.4