Insecure settings in AndroidManifest.xml

Severity: HIGH
Detection method: SAST, APK

Description

An Android application built with debug mode enabled (the attribute android:debuggable="true" on the <application> element of AndroidManifest.xml) can give an attacker access to confidential information, the ability to control the application's execution, and the ability to execute code in the application's context.

Example of the vulnerable code (AndroidManifest.xml)

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mobix.android.activity.privateactivity" >
    <!-- *** Enabling the debug mode *** -->
    <application
        android:debuggable="true"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
        <activity
            android:name=".PrivateActivity"
            android:label="@string/app_name"
            android:exported="false" />
    </application>
</manifest>

Recommendations

When building a release version of an application, make sure that debug mode is disabled. You can disable it either by deleting the android:debuggable attribute from the <application> tag in the manifest file, or by explicitly setting the android:debuggable attribute to false in the manifest.

Example of the secure code

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mobix.android.activity.privateactivity" >
    <!-- *** Disabling the debug mode *** -->
    <application
        android:debuggable="false"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
        <activity
            android:name=".PrivateActivity"
            android:label="@string/app_name"
            android:exported="false" />
    </application>
</manifest>
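The recommendation above distinguishes three manifest states: the attribute set to "true" (the finding), set to "false", or absent. The following checker, added here as an illustration and not part of the original rule text or of any scanner, classifies a source AndroidManifest.xml into those states the way a simple SAST rule would. The package name com.example.debugcheck and the activity name are constructed sample values; make_manifest only builds those samples so the check can be run offline.

```python
import sys
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree exposes them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS


def make_manifest(debuggable_attr: str) -> str:
    """Build a constructed sample manifest (hypothetical package name) carrying the
    given android:debuggable attribute text, or no attribute when the string is empty."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.debugcheck">
    <application
        {debuggable_attr}
        android:label="@string/app_name">
        <activity android:name=".MainActivity" android:exported="false" />
    </application>
</manifest>
"""


def check_debuggable(manifest_xml: str) -> dict:
    """Classify the android:debuggable setting of a source AndroidManifest.xml.

    Returns a dict with 'status' in {'vulnerable', 'safe', 'review'}, the raw
    attribute value (or None) and a short reason suitable for a SAST report.
    """
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml: root element is %r" % root.tag)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    value = app.get(DEBUGGABLE_ATTR)
    if value is None:
        # Attribute absent: the platform default is false, so the source file is
        # in the safe state (build tooling may still inject it; see the usage note).
        return {"status": "safe", "value": None,
                "reason": "android:debuggable not set; defaults to false"}

    # Matched case-insensitively so the detector errs on the side of reporting.
    normalized = value.strip().lower()
    if normalized == "true":
        return {"status": "vulnerable", "value": value,
                "reason": 'android:debuggable="true" on <application>'}
    if normalized == "false":
        return {"status": "safe", "value": value,
                "reason": "android:debuggable explicitly set to false"}
    # Anything else (e.g. a resource reference such as @bool/...) cannot be decided
    # from the source file alone; report it for manual review of the built APK.
    return {"status": "review", "value": value,
            "reason": "android:debuggable uses a non-literal value; verify in the built APK"}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python check_debuggable.py path/to/AndroidManifest.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_debuggable(fh.read()))
    else:
        # Self-demonstration on the three constructed manifests.
        for attr in ('android:debuggable="true"', 'android:debuggable="false"', ""):
            print(attr or "(attribute absent)", "->", check_debuggable(make_manifest(attr)))
```

The source manifest is not the final word: build types in build.gradle (debuggable true/false, as in the configuration further down) and manifest merging decide what ends up in the built APK, which is why the rule lists APK alongside SAST as a detection method. Running the same check against the manifest decoded from the release APK confirms what the release build actually ships.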


It is also possible to control debug mode per build type with the buildTypes configuration in the build.gradle file:


android {
    defaultConfig {
        ...
        ...
    }
    buildTypes {
        release {
            // *** Disabling the debug mode for the release build of an application *** //
            debuggable false
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
        debug {
            applicationIdSuffix ".debug"
            // *** Enabling the debug mode for development purposes *** //
            debuggable true
        }
    }
}

Links

  1. https://developer.android.com/studio/build/build-variants#build-types
  2. https://developer.android.com/studio/publish/preparing#publishing-configure
  3. https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/
  4. https://securitygrind.com/how-to-exploit-a-debuggable-android-application/
  5. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md