Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity
    • Default Quality Profiles:
      Sonar way
    • Analysis Level:
      Syntactic Analysis

      Description

      In the application element of an Android application's manifest, setting the debuggable property to true could introduce a security risk.

      It is easier to reverse engineer a debuggable application and to inject arbitrary code into its context.

      Ask Yourself Whether

      • the development of the app is completed and the debuggable property is set to true
      • the app will be published on the Play Store or distributed in any other way and the debuggable property is set to true

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Releasing a debuggable application is not recommended. Avoid hardcoding the debug mode in the manifest, because the build tool adds the property automatically and assigns the correct value depending on the build type.

      Sensitive Code Example

      In AndroidManifest.xml:

      <application
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:debuggable="true"
        android:theme="@style/AppTheme">
      </application>  <!-- Sensitive --> 
      

      Compliant Solution

      <application
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:debuggable="false"
        android:theme="@style/AppTheme">
      </application> <!-- Compliant --> 
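
A sketch of the check this rule describes, as an added example (not Sonar's implementation and not code from this page): a Python function that parses a manifest and classifies the android:debuggable attribute of the application element. The sample manifests, the package name and the four result labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace bound to the "android:" prefix in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"


def check_debuggable(manifest_xml: str) -> str:
    """Classify the android:debuggable setting of a manifest.

    Result labels (names chosen for this example):
      "sensitive"  - hardcoded to true, the case this rule flags
      "hardcoded"  - hardcoded to another literal such as false
      "unresolved" - a resource reference (@bool/...), value not known here
      "unset"      - attribute absent, so the build tool assigns the value
    """
    root = ET.fromstring(manifest_xml)
    app = root if root.tag == "application" else root.find("application")
    if app is None:
        return "unset"  # no <application> element, nothing to flag
    value = app.get(DEBUGGABLE)
    if value is None:
        return "unset"
    value = value.strip()
    if value.startswith("@"):
        return "unresolved"
    # Case-insensitive match is a conservative assumption of this example.
    return "sensitive" if value.lower() == "true" else "hardcoded"


# Constructed sample manifests; com.example.app is a placeholder package.
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="@string/app_name"{attr}>
  </application>
</manifest>"""

SAMPLES = {
    "true": TEMPLATE.format(attr=' android:debuggable="true"'),
    "false": TEMPLATE.format(attr=' android:debuggable="false"'),
    "reference": TEMPLATE.format(attr=' android:debuggable="@bool/debug"'),
    "absent": TEMPLATE.format(attr=""),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:10s} -> {check_debuggable(xml)}")
```

Run against the manifest of the release variant, a result of "sensitive" is the condition to fail the build on; "unset" matches the recommendation to leave the value to the build tool.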
      

            People

            • Assignee:
              Unassigned
              Reporter:
              eric.therond Eric Therond