
MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

This test case checks whether the app has the debuggable flag (android:debuggable) set to true in its AndroidManifest.xml. When the flag is enabled, the Android runtime allows a debugger to attach to the app's process, and anyone with shell access to the device (for example via adb) can inspect the app's internals, read its private data directory (run-as), bypass security controls, or manipulate its runtime behavior.

Having the debuggable flag set to true is not a vulnerability in itself, but it significantly increases the attack surface by granting unauthorized access to app data and resources, which is particularly harmful in production environments.

Steps

  1. Obtain the AndroidManifest.xml file using Obtaining Information from the AndroidManifest.
  2. Search for the debuggable flag:
    • Look for the android:debuggable attribute on the <application> element if analyzing the decoded XML produced by tools like Apktool.
    • Look for the line application-debuggable in the output of aapt2 dump badging.
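The steps above, carried out as a small POSIX shell script. This is an added example and not part of the MASTG test case or its tooling; the two inputs are constructed samples of an Apktool-decoded manifest and of aapt2 dump badging output, and the function names (manifest_debuggable, badging_debuggable, evaluate) are this example's own.

```shell
#!/bin/sh
# Added example: locate and evaluate android:debuggable from the two
# artifact types named in the test steps. Inputs are constructed samples.

# Constructed sample: decoded AndroidManifest.xml as written by `apktool d app.apk`
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:debuggable="true" android:label="@string/app_name">
    </application>
</manifest>'

# Constructed sample: output of `aapt2 dump badging app.apk`
SAMPLE_BADGING="package: name='com.example.app' versionCode='1' versionName='1.0'
application-debuggable
application-label:'Example'"

# manifest_debuggable MANIFEST_TEXT
# Prints the value of android:debuggable ("true"/"false"), or "unset" if absent.
manifest_debuggable() {
    val=$(printf '%s\n' "$1" | grep -o 'android:debuggable="[^"]*"' | head -n 1 | cut -d'"' -f2)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# badging_debuggable BADGING_TEXT
# aapt2 prints a bare "application-debuggable" line only when the flag is true.
badging_debuggable() {
    if printf '%s\n' "$1" | grep -q '^application-debuggable$'; then
        echo true
    else
        echo false
    fi
}

# evaluate VALUE
# Returns 0 (test passes) unless the flag resolves to "true"; "unset" passes
# because the platform default is false.
evaluate() {
    case "$1" in
        true) return 1 ;;
        *)    return 0 ;;
    esac
}

# Stand-alone run over the constructed samples.
m=$(manifest_debuggable "$SAMPLE_MANIFEST")
b=$(badging_debuggable "$SAMPLE_BADGING")
echo "manifest: android:debuggable=$m"
echo "aapt2:    debuggable=$b"
if evaluate "$m" && evaluate "$b"; then
    echo "PASS: app is not debuggable"
else
    echo "FAIL: debuggable flag is set to true"
fi

# Real usage on an APK (tools not invoked here so the script runs offline):
#   apktool d app.apk -o out && manifest_debuggable "$(cat out/AndroidManifest.xml)"
#   badging_debuggable "$(aapt2 dump badging app.apk)"
# Cross-check on a device: `adb shell run-as com.example.app id` succeeds only
# for debuggable packages.
```

The aapt2 path is the more reliable of the two for a release APK because it reads the compiled, merged manifest, whereas a manifest taken from source may not yet reflect what the build tooling injects per build variant.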

Observation

The output should explicitly show whether the debuggable flag is set (true or false). If the attribute is absent, the platform treats it as false. Note that build tooling such as the Android Gradle Plugin normally injects android:debuggable="true" into the merged manifest of debug variants, so the value that matters is the one in the manifest of the actual release artifact, not necessarily the one in the source tree.

Evaluation

The test case fails if the debuggable flag resolves to true in the release artifact. This indicates that the app is configured to allow debugging, which is inappropriate for production environments.

To mitigate this issue, ensure the debuggable flag in the AndroidManifest.xml is false for all release builds. Do not hardcode android:debuggable in the source manifest; let the build type control it (the Android Gradle Plugin's release build type defaults to debuggable false, and Android Lint flags a hardcoded value with the HardcodedDebugMode check), and verify the merged manifest of the signed release APK rather than the source file.

Note: Disabling debugging via the debuggable flag is an important first step but does not fully protect the app from advanced attacks. Skilled attackers can enable debugging through various means, such as binary patching (see Patching) to allow attachment of a debugger, or the use of binary instrumentation tools like Frida for Android to achieve similar capabilities without a debugger at all. For apps requiring a higher level of security, consider implementing anti-debugging techniques as an additional layer of defense. Refer to Debugger Detection Not Implemented for detailed guidance.