Skip to content

MASTG-TEST-0040: Testing for Debugging Symbols

This test will be updated soon

The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.

Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0040: Testing for Debugging Symbols (android)

Send Feedback

Overview

Static Analysis

Symbols are usually stripped during the build process, so you need the compiled bytecode and libraries to make sure that unnecessary metadata has been discarded.

First, find the nm binary in your Android NDK and export it (or create an alias).

export NM = $ANDROID_NDK_DIR/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm

To display debug symbols:

$NM -a libfoo.so
/tmp/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm: libfoo.so: no symbols

To display dynamic symbols:

$NM -D libfoo.so

Alternatively, open the file in your favorite disassembler and check the symbol tables manually.

Dynamic symbols can be stripped via the visibility compiler flag. Adding this flag causes gcc to discard the function names while preserving the names of functions declared as JNIEXPORT.

Make sure that the following has been added to build.gradle:

externalNativeBuild {
    cmake {
        cppFlags "-fvisibility=hidden"
    }
}

Dynamic Analysis

Static analysis should be used to verify debugging symbols.