MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview

This test case checks whether the app has the debuggable flag (android:debuggable) set to true in the AndroidManifest.xml. When this flag is enabled, the app can be attached to with a debugger, which allows an attacker with access to the device to inspect the app's internals, bypass security controls, or manipulate runtime behavior.

Although having the debuggable flag set to true is not considered a direct vulnerability, it significantly increases the attack surface by providing unauthorized access to app data and resources, particularly in production environments.
Steps

- Obtain the AndroidManifest.xml file using Obtaining Information from the AndroidManifest.
- Search for the debuggable flag:
Observation

The output should explicitly show whether the debuggable flag is set (true or false). If the flag is not specified, it is treated as false by default for release builds.
Evaluation

The test case fails if the debuggable flag is explicitly set to true. This indicates that the app is configured to allow debugging, which is inappropriate for production environments.
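The check described in the Steps and Evaluation sections, as an added example that is not part of the MASTG test itself: it parses a decoded (text-form) AndroidManifest.xml, such as the one produced by a decompiler, reads android:debuggable from the application element, and applies the rule that an absent flag counts as false while an explicit true is a failure. The three sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by all android:* attributes in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def debuggable_value(manifest_xml: str):
    """Return the raw android:debuggable value on <application>,
    or None when the attribute is absent (default: not debuggable)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return None
    return app.get(DEBUGGABLE_ATTR)


def evaluate_manifest(manifest_xml: str) -> dict:
    """Apply the MASTG-TEST-0226 rule: fail only on an explicit true."""
    value = debuggable_value(manifest_xml)
    explicit_true = value is not None and value.strip().lower() == "true"
    return {"debuggable": value, "fails": explicit_true}


# Constructed sample manifests (not taken from any real app).
MANIFEST_TRUE = """<manifest xmlns:android="%s" package="com.example.app">
  <application android:label="demo" android:debuggable="true"/>
</manifest>""" % ANDROID_NS

MANIFEST_FALSE = """<manifest xmlns:android="%s" package="com.example.app">
  <application android:label="demo" android:debuggable="false"/>
</manifest>""" % ANDROID_NS

MANIFEST_ABSENT = """<manifest xmlns:android="%s" package="com.example.app">
  <application android:label="demo"/>
</manifest>""" % ANDROID_NS


if __name__ == "__main__":
    for name, xml in [("true", MANIFEST_TRUE), ("false", MANIFEST_FALSE),
                      ("absent", MANIFEST_ABSENT)]:
        result = evaluate_manifest(xml)
        verdict = "FAIL" if result["fails"] else "PASS"
        print(f"{name:6s} debuggable={result['debuggable']!r} -> {verdict}")
```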