Risks of Allowing App Debugging Post Release
Android phones have a setting named USB debugging. If it is enabled, a computer connected to the device over USB can communicate with installed apps. For this option to work, a property called ‘android:debuggable’ must be set to ‘true’ while developing an application. Setting the value to true allows developers and testers to test the application and identify flaws. However, if the property is left enabled in the released build, attackers may use it to harm the app. The following example illustrates the scenario.
An Android phone has an application installed. The app’s ‘android:debuggable’ property is set to ‘true’, and USB debugging is enabled on the device. The device falls into the wrong hands. The attacker connects it to a computer that has tools for manipulating mobile applications and incorporates malicious functionality into the app. From then on, whenever the application runs, it captures user data and sends it to the attacker.
The solution is to set the application’s ‘android:debuggable’ property to ‘false’ when releasing. This ensures that an attacker cannot harm the application in this way.
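One way to enforce this before release is a build check that reads the manifest and blocks the build when the flag is not plainly false. The script below is an added example, not code from the original page; it assumes the manifest is available as text XML (source or decoded form), the function names are hypothetical, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace that the android: prefix maps to in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"


def debuggable_value(manifest_xml: str) -> str:
    """Return the android:debuggable value on <application>, lower-cased.

    The attribute defaults to false when it is absent.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return "false"
    return app.get(DEBUGGABLE, "false").strip().lower()


def release_gate(manifest_xml: str) -> int:
    """Exit status for a release pipeline: 0 = allow, 1 = block.

    Anything other than a literal false blocks the release. That includes
    resource references such as @bool/..., which this script cannot resolve.
    """
    return 0 if debuggable_value(manifest_xml) == "false" else 1


# Constructed sample manifests (hypothetical package name).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.demo">')
DEBUG_BUILD = _HEAD + '<application android:debuggable="true"/></manifest>'
RELEASE_BUILD = _HEAD + '<application android:debuggable="false"/></manifest>'
NO_ATTRIBUTE = _HEAD + '<application android:label="Demo"/></manifest>'
UNRESOLVED = _HEAD + '<application android:debuggable="@bool/dbg"/></manifest>'

if __name__ == "__main__":
    for name, xml in [("debug", DEBUG_BUILD), ("release", RELEASE_BUILD),
                      ("no attribute", NO_ATTRIBUTE), ("reference", UNRESOLVED)]:
        status = "BLOCK" if release_gate(xml) else "allow"
        print(f"{name:13} debuggable={debuggable_value(xml):10} -> {status}")
```
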