Set Debuggable to False
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android, iOS | MASVS-RESILIENCE-4 |
Overview
Set Debuggable to False helps ensure production apps do not run in a debuggable state. Debuggable builds and attached debuggers can expose memory, secrets, control flow, and protected business logic to attackers or reverse engineers.
On Android, AppTego hardens supported protected builds so the release application is not marked debuggable. On iOS, release builds can apply runtime anti-debugging behavior while development builds remain usable for normal QA and debugging workflows.
When To Use It
Use this control when:
- Your app handles credentials, payments, regulated data, paid content, or proprietary logic.
- Debugging production builds would create security or compliance risk.
- Your release process needs an additional guard against accidental debug configuration.
- You want anti-debugging coverage before sensitive runtime controls execute.
How It Works
On Android, AppTego applies build-time manifest hardening when this prevention control is enabled. At runtime, supported Android and iOS protections also check for debuggable app state and debugger attachment conditions appropriate to the platform. If the app is running in a state that violates the configured policy, AppTego fires your configured response.
Public documentation does not expose the exact system flags, platform calls, or process checks used by the control.
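A release pipeline can confirm the Android outcome described above independently of the protection tooling. This is an added example, not AppTego's code or method: it assumes a plaintext `AndroidManifest.xml` (the merged manifest from the build, or one decoded from the APK), and the function name `check_manifest` and the sample manifests are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Attribute name as ElementTree sees it: {namespace-uri}local-name
DEBUGGABLE = "{http://schemas.android.com/apk/res/android}debuggable"

def check_manifest(manifest_xml: str) -> list:
    """Return findings for a plaintext AndroidManifest.xml; empty list means pass."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        return ["root element is <%s>, expected <manifest>" % root.tag]
    apps = root.findall("application")
    if not apps:
        return ["no <application> element found"]
    findings = []
    for app in apps:
        value = app.get(DEBUGGABLE)
        if value is None:
            continue  # attribute absent: the platform default is false
        normalized = value.strip().lower()
        if normalized == "true":
            findings.append('android:debuggable="true" on <application>')
        elif normalized != "false":
            # e.g. a @bool/ resource reference that cannot be resolved from the manifest alone
            findings.append("android:debuggable=%r is not a literal false" % value)
    return findings

# Constructed sample manifests (not taken from any real app)
RELEASE_OK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="Example" android:debuggable="false"/>
</manifest>"""
DEBUG_LEFT_ON = RELEASE_OK.replace('debuggable="false"', 'debuggable="true"')
ATTRIBUTE_ABSENT = RELEASE_OK.replace(' android:debuggable="false"', "")
RESOURCE_REF = RELEASE_OK.replace('"false"', '"@bool/is_debug"')

if __name__ == "__main__":
    # Usage: python check_debuggable.py path/to/AndroidManifest.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = check_manifest(fh.read())
    else:
        problems = check_manifest(DEBUG_LEFT_ON)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

The non-zero exit status lets a CI job block a release whose manifest still marks the app debuggable or leaves the value to a resource that must be checked by hand.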
How to Enable the Control
Navigate to Preventative Controls from the AppTego portal, and expand the Runtime Environment Hardening section. Under this section you will find the Disable Debuggable Builds control. Click Enable to include it in the next protected build. Runtime anti-debugging behavior uses the packaged configuration, or live configuration where that service is enabled; Android manifest hardening requires a protected rebuild.
API Configuration Example
```json
{
  "DebuggablePrevention": {
    "protection": true,
    "detection": false,
    "action": "close",
    "title": "Debugging Detected",
    "message": "This application cannot run in a debuggable state.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| protection | Enables build and runtime debuggable prevention. |
| detection | Included for schema consistency; leave disabled unless directed by AppTego. |
| action | Selects the response style, such as close, alert, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Compatibility Notes
- Keep this control disabled or softened in local development builds where debuggers are expected.
- This control does not suppress application logs, host-app logcat output, or normal platform logging. Logging behavior is controlled separately by the app and build settings.
- Validate iOS behavior using the same signing style you plan to distribute.
- For runtime debugger activity after startup, pair this with Debuggable Detection or Debugger Detection.