
MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest

Overview

This test case checks whether the app has the debuggable flag (android:debuggable) set to true in the AndroidManifest.xml. When this flag is enabled, the app can be attached to with a debugger, enabling attackers to inspect the app's internals, bypass security controls, or manipulate runtime behavior.

Although having the debuggable flag set to true is not considered a direct vulnerability, it significantly increases the attack surface by providing unauthorized access to app data and resources, particularly in production environments.

Steps

  1. Use Obtaining Information from the AndroidManifest to obtain the AndroidManifest.xml.
  2. Use Analyzing the AndroidManifest to obtain the debuggable flag.

Observation

The output should explicitly show whether the debuggable flag is set (true or false). If the flag is not specified, it is treated as false by default for release builds.

Evaluation

The test case fails if the debuggable flag is explicitly set to true. This indicates that the app is configured to allow debugging, which is inappropriate for production environments.
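As an added example that is not part of this MASTG page or its semgrep demo, the following Python script applies the steps and the evaluation rule above to a decoded AndroidManifest.xml. It assumes the manifest has already been decoded from the APK to plain XML (for example with apktool) and uses constructed sample manifests rather than any real app.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree
# exposes them as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = f"{{{ANDROID_NS}}}debuggable"


def get_debuggable_flag(manifest_xml: str):
    """Return the android:debuggable value on <application>.

    True or False when the attribute is explicitly set, None when
    it is absent (absent is treated as false for release builds).
    """
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    value = application.get(DEBUGGABLE_ATTR)
    if value is None:
        return None
    return value.strip().lower() == "true"


def evaluate(manifest_xml: str) -> str:
    """Apply the test case's pass/fail rule to a decoded manifest."""
    flag = get_debuggable_flag(manifest_xml)
    if flag is True:
        return "FAIL: android:debuggable is explicitly set to true"
    if flag is False:
        return "PASS: android:debuggable is explicitly set to false"
    return "PASS: android:debuggable is not set (defaults to false)"


# Constructed sample manifests (not taken from any real app).
DEBUGGABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <application android:label="Sample" android:debuggable="true" />
</manifest>"""

RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <application android:label="Sample" />
</manifest>"""

if __name__ == "__main__":
    print(evaluate(DEBUGGABLE_MANIFEST))
    print(evaluate(RELEASE_MANIFEST))
```

To check a real app, read the decoded AndroidManifest.xml into a string and pass it to evaluate().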

Best Practices

MASTG-BEST-0007: Debuggable Flag Disabled in the AndroidManifest

Demos

MASTG-DEMO-0040: Debuggable Flag Enabled in the AndroidManifest with semgrep