Debug Symbols Present in the Application
Description
The application ships native libraries that still contain debug information (DWARF data such as source file names and line numbers) and symbol tables with descriptive function and method names. This material hands a reverse engineer a labelled map of the binary and makes analysis, hooking and patching considerably easier.
Symbols do not need to be present in the shipped application for crash reports to be readable: most crash-reporting tools accept an upload of the symbol files at build time and symbolicate stack traces on the server side.
To verify that a native library is not shipped with debug information, dump its DWARF data:
readelf --debug-dump=info <library>
A library that carries debug information prints its compilation units, including the producing compiler, source file names and line-number tables; a stripped library prints nothing. Debug information is only part of the picture: the static symbol table (.symtab) also exposes function names and should be absent as well, while the dynamic symbol table (.dynsym) must remain because the loader needs it to resolve exported and JNI entry points.
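The following script is an added example and not part of the original finding: it reproduces what the readelf check looks for by walking an ELF file's section headers itself, so it can be run over every lib/<abi>/*.so inside an APK without a toolchain installed. It flags .debug_* sections and a static .symtab, and deliberately ignores .dynsym, which survives strip -s because the loader needs it. The build_elf64 helper and the sample images it produces are constructed for the demonstration and are not real libraries; scan_apk, debug_artifacts and is_stripped are names chosen here, not tool or project APIs.

```python
"""Report debug sections and symbol tables in ELF shared objects (added example).

Dependency-free ELF section-header walker covering what `readelf --debug-dump=info`
and `readelf -S` reveal. Scans lib/<abi>/*.so inside an APK, or, with no
argument, runs on constructed sample images instead of real libraries.
"""
import struct
import sys
import zipfile

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 1, 2, 3, 11


def elf_sections(data):
    """Return [(name, sh_type)] for an ELF32/ELF64 image of either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bo = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELFCLASS64
        (shoff,) = struct.unpack_from(bo + "Q", data, 40)
        shentsize, shnum, shstrndx = struct.unpack_from(bo + "HHH", data, 58)
        fmt = bo + "IIQQQQIIQQ"
    else:
        (shoff,) = struct.unpack_from(bo + "I", data, 32)
        shentsize, shnum, shstrndx = struct.unpack_from(bo + "HHH", data, 46)
        fmt = bo + "IIIIIIIIII"
    if shoff == 0 or shnum == 0:                 # section header table removed entirely
        return []
    headers = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # sh_offset and sh_size are fields 4 and 5 in both the 32- and 64-bit layouts.
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    return [(strtab[n:strtab.index(b"\0", n)].decode(), t) for n, t, *_ in headers]


def debug_artifacts(data):
    """DWARF sections and the static symbol table a reverse engineer would get for free.
    .dynsym is ignored on purpose: the dynamic linker needs it, so `strip -s` keeps it."""
    sections = elf_sections(data)
    return {
        "debug_sections": [n for n, _ in sections if n.startswith(".debug_")],
        "symtab": any(t == SHT_SYMTAB for _, t in sections),
    }


def is_stripped(data):
    art = debug_artifacts(data)
    return not art["debug_sections"] and not art["symtab"]


def scan_apk(apk_path):
    """Run the check on every native library packaged under lib/<abi>/ in an APK (a zip)."""
    with zipfile.ZipFile(apk_path) as apk:
        return {info.filename: debug_artifacts(apk.read(info))
                for info in apk.infolist()
                if info.filename.startswith("lib/") and info.filename.endswith(".so")}


def build_elf64(sections):
    """Constructed sample input (not a real library): a little-endian AArch64 ELF64
    image whose only content is a section header table with the given (name, sh_type)
    entries plus the mandatory null section and .shstrtab."""
    shstrtab, name_off = b"\0", {}
    for name, _ in sections + [(".shstrtab", SHT_STRTAB)]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    shstr_off = 64                               # .shstrtab right after the ELF header
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8                        # 8-byte align the section header table
    shnum = len(sections) + 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, shoff, 0,
                                 64, 56, 0, 64, shnum, shnum - 1)

    def sh(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    table = sh(0, 0, 0, 0)
    for name, sh_type in sections:
        table += sh(name_off[name], sh_type, 0, 0)
    table += sh(name_off[".shstrtab"], SHT_STRTAB, shstr_off, len(shstrtab))
    body = header + shstrtab
    return body + b"\0" * (shoff - len(body)) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for lib, art in scan_apk(sys.argv[1]).items():
            print(lib, art)
    else:  # constructed before/after images standing in for a real library
        unstripped = build_elf64([(".text", SHT_PROGBITS), (".dynsym", SHT_DYNSYM),
                                  (".symtab", SHT_SYMTAB), (".debug_info", SHT_PROGBITS),
                                  (".debug_line", SHT_PROGBITS)])
        stripped = build_elf64([(".text", SHT_PROGBITS), (".dynsym", SHT_DYNSYM)])
        print("before strip:", debug_artifacts(unstripped))
        print("after strip -s:", debug_artifacts(stripped))
```

Run it as python check_symbols.py app.apk to get a per-library verdict; an empty debug_sections list with symtab False is what a correctly stripped library looks like. The check reads only the section header table, so it is fast enough to run in CI against every release artifact.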
Recommendation
Remove all symbols and debug data from the application.
To do so, here are some recommendations:
- Ship only release builds. The release build type is not debuggable by default, and the Android Gradle Plugin strips native libraries by default unless stripping has been disabled (for example with a doNotStrip packaging option). Make sure the release configuration does not override this:
  android {
      ...
      buildTypes {
          release {
              debuggable false
              ...
          }
      }
  }
- Use ProGuard or R8 to shrink and obfuscate the Java/Kotlin code, which removes descriptive class, method and field names from the DEX bytecode. This step affects only managed code; it does not remove symbols or debug data from native (.so) libraries, which need the strip step below.
  buildTypes {
      ...
      release {
          minifyEnabled true
          proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
          ...
      }
  }
- Use the strip command to remove the symbol table and debug sections from native libraries, preferably the llvm-strip shipped with the NDK toolchain so that the target architecture is handled correctly:
strip -s <library>
The -s (--strip-all) option removes .symtab and every .debug_* section while keeping the dynamic symbol table the loader needs. Re-run the readelf check afterwards to confirm that the library is clean.
Links
Standards
- OWASP_MASVS_L1:
- MSTG_CODE_3
- OWASP_MASVS_L2:
- MSTG_CODE_3
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- OWASP_MASVS_v2_1:
- MASVS_RESILIENCE_3