Skip to content

Debug mode enabled

Debug mode enabled


The android:debuggable attribute in the Application that is defined in the Android Manifest determines whether the application can be debugged.

Debug mode allows attackers to access the application filesystem and attach a debugger and access sensitive data or perform malicious actions.

The following steps can be used to start a debug session using jdb:

  • Use adb jdwp to identify the PID of the target application:
$adb jdwp
  • Create a communication channel using adb and attach to it using jdb:
$adb forward tcp:7777 jdwp:$(adb shell ps | grep "package-id")
$jdb -attach localhost:7777
  • Access the application filesystem:
$adb shell
$run-as package-id
$...insert malicious action...

An attacker can debug the application without access to source code and leverage it to perform malicious actions on behalf of the user, modify the application behavior or access sensitive data like credentials and session cookies.


Disable debug mode by setting the attribute android:debuggeable to false in the Application tag in the Android Manifest.

<application android:icon="@drawable/icon" android:debuggable="false">


    • MSTG_CODE_2
    • MSTG_CODE_2
    • REQ_2_2