3

I have heard that an Android APK can be debugged if android:debuggable="true" is set. What are the possible threats in allowing an app to be debugged?

RoraΖ
Anandu M Das

2 Answers

4

Shipping an application with debug means that anyone with physical access to the device can execute arbitrary code under that application's permission. If the application holds sensitive data, it will be fairly straightforward to extract that sensitive data from the application. Doing the same on a non-debuggable application would require the attacker to first obtain root privilege or find an exploit in the application itself.

Shipping without debug shouldn't be considered as a protection against the user themselves, though. The legitimate user of a device has all the time they need to root their own device, and so can gain any secret stored by any application running on their device, with or without a debuggable application.

Lie Ryan
1

This could be an attempt at protecting the application against the device owner.

It may allow you to extract sensitive data (i.e. some banking app token), or to elevate execution privileges, if that app has the system UID, for example.

How?

By connecting the debugger to the application over adb, you can trace the code and execute other code. You can also use run-as in adb shell to change the UID to the UID of the app in question.

domen
  • I don't understand anything. Sorry. How is this possible? – Anandu M Das Dec 04 '14 at 10:05
  • Well, you asked what, not how :P Edited to add "how" section. – domen Dec 04 '14 at 10:29
  • As mentioned here: https://labs.mwrinfosecurity.com/blog/2011/07/07/debuggable-apps-in-android-market/ – Hacketo Dec 04 '14 at 10:33
  • This isn't a security setting; it provides no strong guarantee that the device owner cannot extract secrets. For example, anyone with root access can debug any application. A device owner has only to root the device to extract any secrets your app contains. In general, you cannot protect secrets from someone with physical access and sufficient time. – Chris Murray Dec 04 '14 at 12:01
  • True, but do keep in mind that a debuggable system app will pretty much get someone halfway to root, since system UID code execution is trivial to get then. – domen Dec 04 '14 at 12:37
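
A release-time check for the flag discussed in this thread, as an added example that is not part of the original posts: it reads a plain-text AndroidManifest.xml and rates `android:debuggable`, raising the rating when the app also shares the system UID mentioned in the second answer. The function name, the severity labels and the sample manifests are constructed for illustration; binary manifests inside an APK must be decoded to text first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def audit_manifest(manifest_xml):
    """Rate the debuggable setting of a plain-text AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    raw = app.get(f"{{{ANDROID_NS}}}debuggable") if app is not None else None
    shared_uid = root.get(f"{{{ANDROID_NS}}}sharedUserId")
    value = (raw or "").strip().lower()
    if value == "true":
        # Debuggable plus the shared system UID is the worst case raised in the thread.
        severity = "high" if shared_uid == "android.uid.system" else "medium"
    elif value.startswith("@"):
        # Resource reference (e.g. @bool/...): cannot be resolved from this file alone.
        severity = "review"
    else:
        severity = "ok"  # attribute absent or "false" in this file
    return {"package": root.get("package"), "debuggable": raw,
            "shared_uid": shared_uid, "severity": severity}

# Constructed sample manifests (not taken from any real app).
SYSTEM_DEBUG = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.settingshelper" android:sharedUserId="android.uid.system">
  <application android:debuggable="true" android:label="helper"/>
</manifest>"""

PLAIN_DEBUG = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true"/>
</manifest>"""

BY_RESOURCE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:debuggable="@bool/is_debug"/>
</manifest>"""

RELEASE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.release">
  <application android:label="app"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SYSTEM_DEBUG, PLAIN_DEBUG, BY_RESOURCE, RELEASE):
        result = audit_manifest(sample)
        print(f"{result['package']}: {result['severity']} (debuggable={result['debuggable']})")
```

Run it against the manifest decoded from the final release artifact rather than the source tree, because build tooling can set the flag for debug builds.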