8

I've just come upon several .apk files hosted with Github projects which are "compiled for debug" (i.e. having application-debuggable set, which one can e.g. check using aapt dump badging /path/to/apk | grep debuggable). Not being an Android dev, I only have vague ideas what that is for (extended debugging via ADB) – but that's not the question here.

My question is from a pure end-user perspective: What are the (security) implications of installing/using such an app? What are the risks one must be aware of?

Of course I searched the web for hints on this, but again only got vague hints like "thou shalt not", and "for a release this should be switched off" – no reasons, no background. For that one could think "obviously no big deal" – but notes like "Do spend some time thinking about the security implications for your users" in this context (see this answer at SO) suggest differently.

Can anyone here provide some insights?

Izzy

2 Answers

5

There aren't really any innate problems with running a debug app. If someone grabs your unlocked phone, enables Developer Mode, and starts debugging they might be able to grab sensitive information from the app's memory slightly more easily — but that's not particularly realistic and easily countered with a lock screen.

Debug information will also make it harder to make use of security through obscurity, which we all know is not real security. This obviously isn't even a factor when it comes to open-source apps, since they can simply inspect the source to find a flaw.

However, the specifics of what code paths you've added for debugging can definitely be security holes. Maybe for testing and verification purposes, the debug version writes the user's password out to logcat when they sign in, for example. There is a great deal of PII that could be exposed this way.

For an end user, all that you know is that it's probably more likely for an arbitrary app to leak information if it's a debug version. Unless you are searching for it yourself, you're not likely to see it. That's probably enough reason to avoid such apps — doubly so since a developer who doesn't know the difference between Release and Debug versions is probably not protecting your data very competently either.

Dan Hulme also made a good point in chat: A debug version probably won't be properly signed, meaning that it could be "upgraded" from a malicious source. I would again presume this to be an unlikely occurrence, but it is another point against it.

Matthew Read
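The two checks this thread touches on (the application-debuggable flag from the question, and the "probably won't be properly signed" point at the end of this answer) can be scripted into a small pre-install audit. The script below is an added example, not code from the question or either answer. It assumes the `aapt` and `apksigner` tools from the Android SDK build-tools are on PATH when it is run against a real APK, that `aapt dump badging` prints a line beginning with `application-debuggable` for a debuggable manifest, and that an APK signed with the SDK's auto-generated debug keystore shows the certificate DN `CN=Android Debug, O=Android, C=US` in `apksigner verify --print-certs` output. The parsing helpers work on captured tool output, so the `demo` function runs offline on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original post): audit an APK before installing it.
# Check 1: is the app built debuggable (android:debuggable="true")?
# Check 2: is it signed with the SDK's auto-generated debug keystore
#          (~/.android/debug.keystore, default password, not a managed release key)?
# Assumptions: aapt and apksigner are on PATH when audit_apk is used on a real
# file; the parsing helpers only need POSIX sh and grep.

# badging_is_debuggable: reads `aapt dump badging` output on stdin.
# Exit status 0 when a line starts with "application-debuggable" (assumed format).
badging_is_debuggable() {
    grep -q '^application-debuggable'
}

# certs_use_debug_key: reads `apksigner verify --print-certs` output on stdin.
# Exit status 0 when any signer certificate DN is the default debug identity.
certs_use_debug_key() {
    grep -q 'certificate DN:.*CN=Android Debug'
}

# verdict yes|no yes|no -> one-line summary of what an end user is accepting.
verdict() {
    debuggable=$1; debugkey=$2
    case "$debuggable$debugkey" in
        yesyes) echo "debug build signed with a debug keystore: treat as untrusted" ;;
        yes*)   echo "debug build: app data is readable over adb and debug-only code paths may log it" ;;
        *yes)   echo "release build but signed with a debug keystore: updates are not backed by a managed release key" ;;
        *)      echo "release build with a non-debug signer" ;;
    esac
}

# audit_apk /path/to/app.apk -> prints the verdict; needs aapt and apksigner.
audit_apk() {
    apk=$1
    d=no; k=no
    aapt dump badging "$apk" | badging_is_debuggable && d=yes
    apksigner verify --print-certs "$apk" | certs_use_debug_key && k=yes
    verdict "$d" "$k"
}

# demo: the same pipeline over constructed tool output (not a real app), so the
# example runs without the SDK. The digest line is a placeholder, not a real hash.
demo() {
    badging="package: name='com.example.app' versionCode='7' versionName='1.2'
application-debuggable
sdkVersion:'21'"
    certs="Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: <placeholder-digest>"
    d=no; k=no
    printf '%s\n' "$badging" | badging_is_debuggable && d=yes
    printf '%s\n' "$certs" | certs_use_debug_key && k=yes
    verdict "$d" "$k"
}

demo
```

To use it on a downloaded file, source the script and call `audit_apk /path/to/app.apk`; the debug-keystore check only says that the signer is the SDK's throwaway identity, not who built the APK, so a non-debug signer is still only as trustworthy as the place you got the file from.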
0

With Android 12, a new aspect is added to this: adb backup no longer includes app data by default, unless the app was built "for debug". So actually, if your device is not rooted and you rely on adb backup for your backups (e.g. if you do not use Google's cloud backup, and your ROM has no support for Seedvault¹ built in), you might actually wish this to be set.

¹ Seedvault comes included e.g. with LineageOS since Android 10, and also with some other custom ROMs

Izzy