MASTG-DEMO-0040: Debuggable Flag Enabled in the AndroidManifest with semgrep

Sample

The code snippet below shows a sample manifest file with the debuggable flag enabled.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:allowBackup="true"
        android:debuggable="true"
        android:dataExtractionRules="@xml/data_extraction_rules"
        android:fullBackupContent="@xml/backup_rules"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/Theme.MASTestApp"
        tools:targetApi="31">
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

AndroidManifest_reversed.xml
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="35" android:compileSdkVersionCodename="15" package="org.owasp.mastestapp" platformBuildVersionCode="35" platformBuildVersionName="15">
    <uses-permission android:name="android.permission.INTERNET"/>
    <permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION" android:protectionLevel="signature"/>
    <uses-permission android:name="org.owasp.mastestapp.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true" android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.MASTestApp">
        <activity android:exported="true" android:name="org.owasp.mastestapp.MainActivity" android:theme="@style/Theme.MASTestApp">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:exported="true" android:name="androidx.compose.ui.tooling.PreviewActivity"/>
        <activity android:exported="true" android:name="androidx.activity.ComponentActivity"/>
        <provider android:authorities="org.owasp.mastestapp.androidx-startup" android:exported="false" android:name="androidx.startup.InitializationProvider">
            <meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.profileinstaller.ProfileInstallerInitializer" android:value="androidx.startup"/>
        </provider>
        <receiver android:directBootAware="false" android:enabled="true" android:exported="true" android:name="androidx.profileinstaller.ProfileInstallReceiver" android:permission="android.permission.DUMP">
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>

Steps

Let's run our semgrep rule against the manifest file.

../../../../rules/mastg-android-debuggable-flag.yml
rules:
  - id: mastg-android-debuggable-flag
    severity: WARNING
    languages:
      - xml
    metadata:
      summary: This rule inspects the AndroidManifest.xml for the debuggable flag.
    message: "[MASVS-RESILIENCE-4] debuggable detected as $ARG."
    patterns:
      - pattern: 'android:debuggable="$ARG"'

run.sh
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-debuggable-flag.yml ./AndroidManifest_reversed.xml > output.txt

Observation

The rule has identified the android:debuggable attribute in the AndroidManifest.

output.txt
┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    AndroidManifest_reversed.xml
    ❯❱ mastg-android-debuggable-flag
          [MASVS-RESILIENCE-4] debuggable detected as true.

            5 <application android:allowBackup="true"                                           
               android:appComponentFactory="androidx.core.app.CoreComponentFactory"              
               android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true"
               android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules"   
               android:icon="@mipmap/ic_launcher" android:label="@string/app_name"               
               android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true"          
               android:theme="@style/Theme.MASTestApp">                                                                           

Evaluation

The test case fails because the android:debuggable attribute is explicitly set to true.
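
The rule binds whatever value the attribute holds to $ARG, so the evaluation depends on reading that value. As an added example (not part of the MASTG demo or its repository), this Python check classifies a decoded manifest as fail, pass or review; `debuggable_status`, `sample_manifest`, the sample inputs and the `@bool/is_debug` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"  # ElementTree's {namespace}name form


def debuggable_status(manifest_xml: str) -> str:
    """Classify android:debuggable on <application>.

    "fail"   -> explicitly "true"
    "pass"   -> "false", or absent (the platform default is false)
    "review" -> anything else, e.g. a @bool/ resource reference that the
                manifest alone cannot resolve
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(DEBUGGABLE)
    if value is None:
        return "pass"
    value = value.strip().lower()
    if value in ("true", "false"):
        return "fail" if value == "true" else "pass"
    return "review"


def sample_manifest(app_attrs: str, prefix: str = "android") -> str:
    # Constructed input: a cut-down manifest in the shape of the decoded one above.
    return (
        f'<manifest xmlns:{prefix}="{ANDROID_NS}" package="org.owasp.mastestapp">'
        f'<application {prefix}:allowBackup="true" {app_attrs}>'
        f'<activity {prefix}:name="org.owasp.mastestapp.MainActivity"/>'
        "</application></manifest>"
    )


SAMPLES = {
    "explicit true": sample_manifest('android:debuggable="true"'),
    "explicit false": sample_manifest('android:debuggable="false"'),
    "attribute absent": sample_manifest(""),
    "resource reference": sample_manifest('android:debuggable="@bool/is_debug"'),
    # Same namespace URI bound to a different prefix; a literal match on the
    # android: prefix would miss it.
    "other prefix": sample_manifest('a:debuggable="true"', prefix="a"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:20} {debuggable_status(xml)}")
```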