Recently, we found that Android’s debugging feature could be used to steal information from apps running on an Android device. We won’t go into the full details of the problem here, but here is the short version: with some effort, an app can be set up on Android to debug another running app. This debugging app would have access to all the information the debugged app has, so items like user names and passwords are trivial to steal.
Before we go any further, however, we need to be clear what versions of Android are affected. This vulnerability is only in version 2.3 (Gingerbread) or earlier. Practically all Android devices sold today run newer versions, as Gingerbread was last updated in September 2011. However, Google’s own numbers indicate that more than half of all Android devices in use still run these potentially older versions of Android.
In a way, this problem serves as a microcosm of the issues surrounding the entire Android ecosystem. Let’s divide the ecosystem into three parties: app developers, Google and telecom companies, and end users. What can each segment do?
In this particular instance, for an app to be vulnerable to being debugged it has to have been set to be debuggable in the first place. In general, debuggable versions of apps should not be released to the public. (Approximately 5% of apps in the Top Free apps list are set to be debuggable, so the risk is not insignificant.)
In general, however, “best practices” for mobile apps may not be as set in stone as they are for desktop applications. It would be a good idea for mobile developers to consider the security of their apps, not just their features and ease-of-use.