MASTG-DEMO-0040: Debuggable Flag Enabled in the AndroidManifest with semgrep

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Download MASTG-DEMO-0040 APK Open MASTG-DEMO-0040 Folder Build MASTG-DEMO-0040 APK

Sample

The code snippet below shows a sample manifest file with the debuggable flag enabled.

AndroidManifest.xmlAndroidManifest_reversed.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:allowBackup="true"
        android:debuggable="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.MASTestApp"
        tools:targetApi="31">
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="35" android:compileSdkVersionCodename="15" package="org.owasp.mastestapp" platformBuildVersionCode="35" platformBuildVersionName="15">
    <uses-permission android:name="android.permission.INTERNET"/>
    <permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION" android:protectionLevel="signature"/>
    <uses-permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true" android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.MASTestApp">
        <activity android:exported="true" android:name="org.owasp.mastestapp.MainActivity" android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:exported="true" android:name="androidx.compose.ui.tooling.PreviewActivity"/>
        <activity android:exported="true" android:name="androidx.activity.ComponentActivity"/>
        <provider android:authorities="org.owasp.mastestapp.androidx-startup" android:exported="false" android:name="androidx.startup.InitializationProvider">
            <meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.profileinstaller.ProfileInstallerInitializer" android:value="androidx.startup"/>
        </provider>
        <receiver android:directBootAware="false" android:enabled="true" android:exported="true" android:name="androidx.profileinstaller.ProfileInstallReceiver" android:permission="android.permission.DUMP">
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>

Steps

Let's run our semgrep rule against the manifest file.

rules:
  - id: mastg-android-debuggable-flag
    severity: WARNING
    languages:
      - xml
    metadata:
      summary: This rule inspects the AndroidManifest.xml for the debuggable flag.
    message: "[MASVS-RESILIENCE-4] debuggable detected as $ARG."
    patterns:
      - pattern: 'android:debuggable="$ARG"

NO_COLOR=true semgrep -c ../../../../rules/mastg-android-debuggable-flag.yml ./AndroidManifest_reversed.xml > output.txt

Observation

The rule has identified the android:debuggable attribute in the AndroidManifest.

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    AndroidManifest_reversed.xml
    ❯❱ mastg-android-debuggable-flag
          [MASVS-RESILIENCE-4] debuggable detected as true.

            5┆ <application android:allowBackup="true"                                           
               android:appComponentFactory="androidx.core.app.CoreComponentFactory"              
               android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true"
               android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules"   
               android:icon="@mipmap/ic_launcher" android:label="@string/app_name"               
               android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true"          
               android:theme="@style/Theme.MASTestApp">                                                                           

Evaluation

The test case fails because the android:debuggable attribute is explicitly set to true.