Showing posts from December, 2014

Insecure configuration: Debug and Backup enabled in Android apps

It's a very trivial mistake that a lot of developers make. They don't pay much attention to these simple-looking misconfigurations, which can be a big risk to apps. Generally they focus on other best practices such as intents, permissions, etc., but tend to ignore the `android:debuggable` and `android:allowBackup` settings in the manifest. I came across various such mistakes.

If the app is debuggable (`android:debuggable="true"`), anyone with access to the device can attach a debugger to the process, step through every single instruction and even execute arbitrary code in the context of the app process.
Similarly, `android:allowBackup` determines whether the application participates in the backup and restore infrastructure. When it is enabled, the app's private data can be pulled off the device through a backup, which leads to potential data leakage.

If these features are not required, harden the manifest by setting both attributes to `"false"` on the `<application>` element: `android:debuggable="false"` and `android:allowBackup="false"`.
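As an added example (not code from the original post), a small Python checker that parses an `AndroidManifest.xml` and flags the two settings discussed above. The manifests it scans are constructed samples; a missing `allowBackup` is reported as enabled because the platform default for that attribute is `true`, while a missing `debuggable` is treated as disabled.

```python
import xml.etree.ElementTree as ET

# All android:* manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml):
    """Return the effective debuggable / allowBackup state of the <application> element.

    debuggable : platform default is false, so only an explicit "true" counts.
    allowBackup: platform default is true, so an absent attribute counts as enabled.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    debuggable = (_android_attr(app, "debuggable") or "false").strip().lower() == "true"
    backup_raw = _android_attr(app, "allowBackup")
    allow_backup = True if backup_raw is None else backup_raw.strip().lower() == "true"
    return {"debuggable": debuggable, "allowBackup": allow_backup,
            "allowBackup_explicit": backup_raw is not None}


def findings(manifest_xml):
    """Human-readable list of insecure settings; empty list means hardened."""
    state = check_manifest(manifest_xml)
    out = []
    if state["debuggable"]:
        out.append("android:debuggable is true: a debugger can be attached to the app process")
    if state["allowBackup"]:
        how = "explicitly true" if state["allowBackup_explicit"] else "absent (defaults to true)"
        out.append("android:allowBackup is %s: app data can be extracted via backup" % how)
    return out


# Constructed sample manifests (hypothetical package names, not real apps).
_HEAD = '<manifest xmlns:android="%s" package="com.example.sample">' % ANDROID_NS
WEAK_MANIFEST = _HEAD + '<application android:debuggable="true" android:allowBackup="true"/></manifest>'
DEFAULT_MANIFEST = _HEAD + '<application android:label="Sample"/></manifest>'
HARDENED_MANIFEST = _HEAD + '<application android:debuggable="false" android:allowBackup="false"/></manifest>'

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("default", DEFAULT_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, findings(xml) or ["OK"])
```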

Reference: developer.android.com/guide/topics/manifest/application-element.html