• 6
The golden rule is to set the debuggable option to off prior to releasing your Android application to the public.

What would happen if I leave (forget to turn off) this option on? I mean, how would it manifest to a user?

I tested and saw no difference.

how would it manifest to a user?

A normal user won't notice the difference.

By the way:

Support for a true debug build. Developers no longer need to add the android:debuggable attribute to the <application> tag in the manifest — the build tools add the attribute automatically. In Eclipse/ADT, all incremental builds are assumed to be debug builds, so the tools insert android:debuggable="true". When exporting a signed release build, the tools do not add the attribute. In Ant, an ant debug command automatically inserts the android:debuggable="true" attribute, while ant release does not. If android:debuggable="true" is manually set, then ant release will actually do a debug build, rather than a release build.

  • 75
      • 2
    • Are you saying that as of SDK 8.0.1 I do not need to set debuggable on/off but Eclipse plug-in will rather do it automatically?
      • 2
    • Yes. Eclipse uses the Android build tools in the background; thus, you won't have to explicitly add the android:debuggable attribute; also, when you use Eclipse's plugin to generate the production APK, it will remove the attribute for you.
      • 1
    • How can I see if an app I transfer to a mobile device has debuggable set to on or off? I mean, how can I be sure that the plugin is doing its job properly? For a long time I have been used to not trusting any action whose result I can't visually verify.
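
Added example, not part of the original answers or of the Android tools: one way to check the flag asked about in the comment above, assuming you have a plain-text AndroidManifest.xml (the project's source manifest, or one decoded from the built APK). The function names and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS

# Constructed sample manifests (package name is a placeholder).
RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="Example"/>
</manifest>"""

# Same manifest with the attribute set by hand, the case where
# "ant release" ends up producing a debug build.
DEBUG_MANIFEST = RELEASE_MANIFEST.replace(
    '<application ', '<application android:debuggable="true" ')


def debuggable_state(manifest_xml):
    """Return 'true', 'false', 'unset' or 'indirect' for <application>."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    if app is None:
        return "unset"
    value = app.get(DEBUGGABLE)
    if value is None:
        return "unset"          # attribute absent: treated as not debuggable
    value = value.strip().lower()
    if value in ("true", "false"):
        return value
    return "indirect"           # e.g. a resource reference; review by hand


def release_gate(manifest_xml):
    """Return (ok_to_ship, state); only 'unset' and 'false' pass."""
    state = debuggable_state(manifest_xml)
    return state in ("unset", "false"), state


if __name__ == "__main__":
    for name, xml in (("release", RELEASE_MANIFEST), ("debug", DEBUG_MANIFEST)):
        print(name, release_gate(xml))
```

Run it on the manifest of the artifact you are about to publish, since the build tools may add the attribute after the source manifest is written.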

On a standard phone with USB debugging disabled, it will allow any application to debug the App. This will effectively allow any malicious application to gain full access to the App.

See https://labs.mwrinfosecurity.com/blog/2011/07/07/debuggable-apps-in-android-market/ for a detailed description of this problem.

  • 19

It's possible that it could slow down their mobile device, especially if you have a lot of debug statements in your application. It's also possible that a malicious user could learn more about the inner workings of your app than you'd like them to.

Regarding the golden rule, you're absolutely right. It's a good idea to turn that off, just to be safe.

  • 7
      • 2
    • @flarn2006 - My thought was that it might be possible for a hacker to learn about the inner workings in order to launch some kind of attack against other users of that same app. For instance, we wouldn't want someone to see the inner workings of the Citibank app and then figure out how to write some kind of exploit that would capture information of other Citibank app users and send that off to the hacker's server. I'm not an expert on security, but that was my original thought back then. Hope this helps!
      • 1
    • @jmort253 I certainly wouldn't want to use the Citibank app if its security was at all dependent on people not knowing the inner workings of an app on their own phone. That's security through obscurity, and it's unreliable. You may say it's better than no protection from that, just in case there are any such bugs that could be found that way, but then that increases the temptation for the devs to ignore bugs that could only be found that way (making the false assumption no one will) and also makes it more difficult for independent white hats to find bugs to report to the developers.
    • I believe that Android adds more code to the source code in order to allow debugging, which has a performance impact. It is better to remove debug statements in any language, though.
      • 1
    • I don't see how examining (or even altering) the app's inner functioning done by the owner of the device himself could be considered malicious.