android:debuggable
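OWASP category: MASVS-PLATFORM: Platform Interaction
Overview
The android:debuggable attribute sets whether the application is debuggable. It is set for the application as a whole and can't be overridden by individual components. The attribute is set to false by default.
Allowing the application to be debuggable is not in itself a vulnerability, but it exposes the application to greater risk through unintended and unauthorized access to administrative functions. This can give attackers more access to the application and the resources it uses than intended.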
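Impact
Setting the android:debuggable flag to true enables an attacker to debug the application, making it easier for them to gain access to parts of the application that should be kept secure.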
Mitigations
Always make sure to set the android:debuggable flag to false when shipping your application.
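A release check for the mitigation above, as an added example that is not part of the original page: it reads a text-form AndroidManifest.xml (for instance the merged manifest a build produces; the binary manifest inside an APK must be decoded first) and blocks anything not known to be non-debuggable. The function names and the sample manifests are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# XML namespace behind the android: prefix in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS


def debuggable_state(manifest_xml):
    """Return 'false', 'true' or 'unresolved' for a text-form manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if root.tag != "manifest" or app is None:
        raise ValueError("not a manifest with an <application> element")
    value = app.get(DEBUGGABLE)
    if value is None:
        return "false"  # attribute absent: the default is false
    value = value.strip().lower()
    # Anything other than a literal boolean cannot be decided from the
    # manifest text alone, so it is reported instead of guessed.
    return value if value in ("true", "false") else "unresolved"


def release_gate(manifest_xml):
    """True only when the manifest is known to be non-debuggable."""
    return debuggable_state(manifest_xml) == "false"


# Constructed sample manifests (package name and resource name are made up).
_HEAD = '<manifest xmlns:android="%s" package="com.example.app">' % ANDROID_NS
SAMPLE_DEFAULT = _HEAD + '<application android:label="Demo"/></manifest>'
SAMPLE_DEBUG = _HEAD + '<application android:debuggable="true"/></manifest>'
SAMPLE_REF = _HEAD + '<application android:debuggable="@bool/dbg"/></manifest>'

if __name__ == "__main__":
    for name, xml in [("default", SAMPLE_DEFAULT), ("debug", SAMPLE_DEBUG),
                      ("reference", SAMPLE_REF)]:
        print(name, debuggable_state(xml), "ship" if release_gate(xml) else "block")
```

Treating an unresolved value as a failure keeps the gate conservative: a build ships only when the flag is literally false or absent.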
Last updated (UTC): 2023-12-13.