PTKD Mobile App Security
Severity: high. Categories: M8, MASVS-RESILIENCE-4. Detection: static analysis. ID: PTKD-CFG-DEBUGGABLE

Application is debuggable

android:debuggable="true" in the manifest of a shipped build lets anyone with ADB access attach a debugger to the running app and read its memory.

How it's exploited

With android:debuggable="true", anyone with physical or ADB access to the device can attach a JDWP debugger (Android Studio, jdb) to the production process without rooting it: `adb jdwp` lists the debuggable PIDs, and from there the attacker dumps the heap, invokes internal methods, and lifts session tokens, keys and credentials from live objects. `adb shell run-as <package>` also works only for debuggable apps and opens the app's private data directory (shared preferences, databases, cached files) on an unrooted device.

Why it matters

Device-level attackers (a stolen or borrowed device, a hostile USB host) and users colluding with malware can read secrets and drive the app's logic directly, bypassing any client-side checks. Google Play Console also rejects debuggable APKs and App Bundles at upload, so the flag blocks release as well as weakening it.

How to fix it

  1. Never set android:debuggable in the manifest. The Android Gradle Plugin injects the attribute from the build type: debug gets true, release gets false unless a buildTypes block overrides it.
  2. Check your Gradle buildTypes (a release or custom build type with debuggable true, often left over from a profiling session) and inspect the merged manifest for overrides pulled in through manifest merging.
  3. Verify the artifact you actually ship, not the source: `apkanalyzer manifest debuggable app-release.apk` prints true or false for the built APK.
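The following is an added example, not tooling from this page, of a pre-release check that covers steps 1 and 2 above. It parses a merged AndroidManifest.xml for android:debuggable on the application element and scans a Groovy-DSL build.gradle (plus the Kotlin-DSL getByName/create spellings) for build types that set debuggable. The manifest and Gradle texts below are constructed samples, and the file paths in the comments are assumptions; in CI you would read them from app/build/intermediates/merged_manifests/<variant>/ and the app module.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Constructed sample manifest with the weak setting (not from a real app).
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:label="Bank" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""
# Corrected manifest: the attribute is simply absent and AGP injects it per build type.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(' android:debuggable="true"', "")

# Constructed sample build.gradle fragments (Groovy DSL).
VULNERABLE_GRADLE = """
android {
    buildTypes {
        release {
            minifyEnabled true
            debuggable true   // left over from a profiling session
            signingConfig signingConfigs.release
        }
        debug {
            debuggable true
        }
    }
}
"""
FIXED_GRADLE = """
android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            signingConfig signingConfigs.release
        }
        debug {
            applicationIdSuffix ".debug"
        }
    }
}
"""

# Matches "release {", 'getByName("release") {' and 'create("staging") {'.
BLOCK_RE = re.compile(r'(?:(?:getByName|create)\("(\w+)"\)|(\w+))\s*\{')
# Groovy "debuggable true" and Kotlin "isDebuggable = true".
DEBUGGABLE_RE = re.compile(r"\b(?:debuggable\s+|isDebuggable\s*=\s*)true\b")


def manifest_debuggable(xml_text):
    """True if <application> carries android:debuggable="true".

    A missing attribute is treated as false, which is the platform default
    and what AGP injects for a release build type.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return False
    return app.get(DEBUGGABLE_ATTR, "false").strip().lower() == "true"


def _block_body(text, open_idx):
    """Return (inner text, index of matching '}') for the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i
    raise ValueError("unbalanced braces in Gradle script")


def gradle_debuggable_build_types(gradle_text):
    """Names of build types whose block sets debuggable to true."""
    # Drop comments first so a commented-out line or a brace in a comment is ignored.
    text = re.sub(r"/\*.*?\*/", "", gradle_text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    m = re.search(r"\bbuildTypes\s*\{", text)
    if not m:
        return []
    body, _ = _block_body(text, m.end() - 1)
    found, pos = [], 0
    while True:
        bt = BLOCK_RE.search(body, pos)
        if not bt:
            break
        name = bt.group(1) or bt.group(2)
        inner, close_idx = _block_body(body, bt.end() - 1)
        if DEBUGGABLE_RE.search(inner):
            found.append(name)
        pos = close_idx + 1  # skip nested blocks inside this build type
    return found


def audit(manifest_xml, gradle_text):
    """Return a list of findings; an empty list means the release config is clean."""
    findings = []
    if manifest_debuggable(manifest_xml):
        findings.append('manifest: <application android:debuggable="true">')
    for name in gradle_debuggable_build_types(gradle_text):
        if name != "debug":  # debuggable true on the debug type is the expected default
            findings.append("gradle: buildType '%s' sets debuggable true" % name)
    return findings


if __name__ == "__main__":
    for label, mf, gr in (("vulnerable", VULNERABLE_MANIFEST, VULNERABLE_GRADLE),
                          ("fixed", FIXED_MANIFEST, FIXED_GRADLE)):
        print(label, audit(mf, gr) or "clean")
```

The Gradle scan is a text heuristic, not a Gradle model evaluation, so treat it as a fast gate and keep the apkanalyzer check on the final artifact as the authoritative verdict.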

References