
Debug Symbols Present in the Application


Description

The application is shipped with debug symbols and debug information, such as line numbers and descriptive function or method names, which make it easier to reverse engineer.

It is noteworthy that most crash reporting tools support uploading symbols to perform stack trace symbolization and don't require symbols to be present in the application.

To verify that the native libraries are not shipped with debug symbols, use the following command:

readelf --debug-dump=info <library>
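
An added example (not part of the original page or of any tool it names): the same check automated across every native library in a package, reporting leftover `.debug_*` sections and the static `.symtab`. The `lib/<abi>/*.so` layout, the function names and the in-memory sample ELF files are assumptions constructed for illustration.

```python
import io, struct, zipfile

def elf_section_names(data):
    """Section names of an ELF32/ELF64 image, read from its section header table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, e = data[4] == 2, ("<" if data[5] == 1 else ">")
    word = e + ("Q" if is64 else "I")  # offset fields are 8 bytes in ELF64, 4 in ELF32
    shoff = struct.unpack_from(word, data, 0x28 if is64 else 0x20)[0]
    entsize, num, strndx = struct.unpack_from(e + "HHH", data, 0x3A if is64 else 0x2E)
    if shoff == 0 or num == 0:
        return []  # no section header table (extended numbering is not handled)
    # sh_offset of the section-name string table (.shstrtab)
    str_off = struct.unpack_from(word, data, shoff + strndx * entsize + (0x18 if is64 else 0x10))[0]
    names = []
    for i in range(num):
        start = str_off + struct.unpack_from(e + "I", data, shoff + i * entsize)[0]
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names

def leftover_debug_sections(data):
    """DWARF sections and the static symbol table; .dynsym is needed at load time and ignored."""
    return sorted(n for n in elf_section_names(data)
                  if n.startswith((".debug_", ".zdebug_")) or n == ".symtab")

def scan_apk(apk):
    """Map each lib/<abi>/*.so entry (assumed APK layout) to its leftover sections."""
    with zipfile.ZipFile(apk) as z:
        return {n: leftover_debug_sections(z.read(n)) for n in z.namelist()
                if n.startswith("lib/") and n.endswith(".so")}

def sample_elf(*sections):
    """Constructed sample: ELF64 header, .shstrtab and empty sections with the given names."""
    names = ["", ".shstrtab", *sections]
    strtab = b"".join(n.encode() + b"\0" for n in names)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 183, 1, 0, 0, 64 + len(strtab), 0, 64, 0, 0, 64, len(names), 1)
    shdrs = b""
    for i, n in enumerate(names):
        kind, off, size = (3, 64, len(strtab)) if i == 1 else (min(i, 1), 0, 0)
        shdrs += struct.pack("<IIQQQQIIQQ", strtab.index(n.encode() + b"\0"), kind, 0, 0, off, size, 0, 0, 1, 0)
    return hdr + strtab + shdrs

def demo():
    buf = io.BytesIO()  # constructed APK-like zip: one unstripped library, one stripped
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libdebug.so", sample_elf(".text", ".debug_info", ".symtab"))
        z.writestr("lib/arm64-v8a/libclean.so", sample_elf(".text", ".dynsym"))
    return scan_apk(buf)
```

`scan_apk` also accepts a path to a package on disk; any non-empty list in its result names a library that still carries debug data or a static symbol table.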

Recommendation

Remove all symbols and debug data from the application.

To do so, here are some recommendations:

  • Configure the build type to exclude debug information.
  • Use ProGuard to strip native debugging symbols.
  • Use the strip command to remove symbols from native libraries:
    strip -s <library>
    

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_3
  • OWASP_MASVS_L2:
    • MSTG_CODE_3
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2