Strip Debug Info
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-RESILIENCE-3 |
Overview
Strip Debug Info removes debug metadata, comments, and logging statements from the application's compiled Java and Kotlin bytecode (smali files) before final APK assembly. This control makes reverse engineering significantly harder by eliminating human-readable context clues that attackers rely on when analyzing decompiled code.
The control strips all non-essential debugging directives while preserving the structural information required for the Dalvik/ART runtime to execute the code correctly.
How It Works
During the APK build and wrapping process, StripDebugInfo performs four transformations on all smali files in the application:
- Debug Directive Removal — Strips .source, .line, .local, .param, .prologue, and .epilogue directives that encode source file names, line numbers, local variable names, and parameter names. Preserves .locals (register count), which is required for bytecode execution.
- Comment Obfuscation — Replaces all comment lines (lines starting with #) with # ; to remove human-readable annotations while maintaining file structure.
- Logging Elimination — Replaces common managed logging calls with nop instructions, including Android Log, System.out and System.err style output, Timber, SLF4J, and java.util.logging calls. It preserves utility checks such as Log.isLoggable() and stack-trace formatting helpers because those can affect program logic.
- Kotlin Metadata Stripping — Removes @kotlin.Metadata runtime annotations that encode original class, method, and field names in d1/d2 arrays, preventing recovery of pre-obfuscation structure.
Additionally, the control removes android:usesCleartextTraffic="true" from the AndroidManifest.xml to eliminate cleartext traffic indicators.
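A post-build check for the smali transformations described above, as an added example that is not AppTego code: it scans smali text (assumed to come from decoding the protected APK with a tool such as apktool) for residue the control should have removed. The function name, the sample class, and the treatment of getStackTraceString as a preserved helper are assumptions; System.out/System.err output is not covered.

```python
import re

# Directives the page lists as stripped; \b keeps ".locals" out of the match.
DEBUG_DIRECTIVE = re.compile(r"^\.(source|line|local|param|prologue|epilogue)\b")
# Logging receivers named on the page, as smali type descriptors.
LOG_CALL = re.compile(
    r"^invoke-\S+ \{[^}]*\}, L(?:android/util/Log|timber/log/Timber(?:\$\w+)?"
    r"|org/slf4j/Logger|java/util/logging/Logger);->(?P<method>\w+)\(")
# Preserved calls; getStackTraceString is an assumed stack-trace helper.
PRESERVED = {"isLoggable", "getStackTraceString"}

def audit_smali(text):
    """Return (line_number, category) for each residue the control should remove."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        call = LOG_CALL.match(line)
        if DEBUG_DIRECTIVE.match(line):
            findings.append((number, "debug-directive"))
        elif line.startswith("#") and line != "# ;":
            findings.append((number, "comment"))
        elif line.startswith(".annotation runtime Lkotlin/Metadata;"):
            findings.append((number, "kotlin-metadata"))
        elif call and call.group("method") not in PRESERVED:
            findings.append((number, "logging"))
    return findings

# Constructed sample of unprotected smali (not taken from a real app).
SAMPLE = """\
.class public Lcom/example/Login;
.source "Login.kt"
.annotation runtime Lkotlin/Metadata;
.end annotation
# direct methods
.method public check(Ljava/lang/String;)V
    .locals 2
    .param p1, "password"    # Ljava/lang/String;
    .line 42
    const-string v0, "auth"
    invoke-static {v0, p1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    const/4 v1, 0x3
    invoke-static {v0, v1}, Landroid/util/Log;->isLoggable(Ljava/lang/String;I)Z
    return-void
.end method
"""

if __name__ == "__main__":
    for number, category in audit_smali(SAMPLE):
        print(f"line {number}: {category}")
```

An empty result on every smali file of a protected build is the pass condition; any finding points at a class the stripping pass did not reach.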
How to Enable the Control
Navigate to Code Obfuscation from the AppTego portal, and expand the Metadata Reduction section. Under this section you will find the Strip Debug Info control. Click Enable to apply it to the next protected build.
API Configuration Example
```json
{
  "StripDebugInfo": {
    "protection": true
  }
}
```
| Field | Purpose |
|---|---|
| protection | Enables Strip Debug Info for protected builds. |
Threats Mitigated
Reverse Engineering via Debug Metadata
Attackers decompiling APKs to smali bytecode rely heavily on debug information to understand application logic:
- .source directives reveal original source file names and project structure
- .line directives map bytecode instructions back to source line numbers
- .local and .param directives expose variable and parameter names chosen by developers (e.g., password, apiKey, secretToken)
By stripping this metadata, the control forces attackers to analyze raw bytecode without contextual clues, significantly increasing the time and expertise required for successful reverse engineering.
Information Leakage via Logging
Applications frequently log sensitive information during development, such as user credentials, session tokens, or API responses. Even when log levels are configured for production, leftover logging code can create avoidable leakage risk. This control removes logging statements from the protected artifact so sensitive data is not revealed through log output.
Kotlin Reflection Attacks
Kotlin's @Metadata annotations encode the original structure of classes before obfuscation, allowing tools to reconstruct readable Kotlin signatures. Stripping these annotations closes a major reverse engineering vector for Kotlin applications.
Caveats
Loss of Crash Trace Clarity
Stripped debug information means that stack traces from production crashes will contain only obfuscated class names and no line numbers. This makes crash analysis and debugging more difficult unless you maintain a mapping file or symbol server with the original debug metadata.
No Effect on Native Code
This control operates only on Java/Kotlin bytecode (smali files). It does not strip debug symbols from native .so libraries or suppress native libraries that emit directly to Android logging APIs. Native library symbols and native logging are controlled by NDK build flags, linker settings, and library-specific logging configuration.
Logging Removal is Permanent
Once logging calls are stripped and the APK is built, they cannot be re-enabled without rebuilding from source. Ensure you have alternative mechanisms (remote logging, analytics) for production monitoring.
Compatibility with Obfuscators
This control is designed to work alongside ProGuard/R8 obfuscation. Apply StripDebugInfo after ProGuard processes the code to remove any residual debug metadata that ProGuard may preserve.
Support Matrix
| Platform | Minimum Version | Support Level |
|---|---|---|
| Android | API 26+ | ✅ Full Support |
| iOS | N/A | ❌ Not Supported |
Plan Requirement
TEAM plan or higher required. This control is not available on FREE or SOLO plans.
Related Controls
- Strip Debug Symbols (iOS) — Strips dSYM debugging metadata from iOS binaries using Xcode's STRIP_INSTALLED_PRODUCT setting
- Prevent All Debug Logs — Applies the managed logging removal pass without the broader metadata stripping behavior
- RenamePrivateMembers — Renames private fields and methods in smali bytecode to make reverse engineering harder
- RenameClasses — Renames classes to generic names like a, b, c to obscure application structure
- EncryptAllCode — Encrypts DEX bytecode and loads it dynamically at runtime for maximum obfuscation