Severity: medium · CWE-16 (Configuration) · OWASP Mobile Top 10 M8:2024

Security Misconfiguration (Mobile)

A mobile app ships with debugging enabled, more permissions than it needs, components exported without protection, or backup allowed, exposing its private data and internal functionality to other apps on the device and to anyone with adb access.

How It Works

Mobile security misconfiguration covers the build and manifest settings that decide what an app exposes to the rest of the device: android:debuggable left true in a release build, permissions the app never uses, components (activities, services, receivers, content providers) exported without an android:permission guard, android:allowBackup left at its default of true, and newer platform protections not adopted. A debuggable app accepts JDWP debugger attachment and run-as access on the device, so anyone with adb access can read its private storage, inspect its memory and invoke arbitrary code inside its process; debug builds also tend to log more and skip checks such as certificate pinning. An exported component with no permission guard can be started, or sent an intent, by any other installed app, which reaches functionality that was meant to stay internal. allowBackup lets the app's private files be pulled with adb backup on older targets and included in cloud and device-transfer backups. Excessive permissions give the app, and any attacker who compromises it, access to sensitive device resources such as SMS, location or the microphone.

Vulnerable Code
<!-- AndroidManifest.xml -->
<application
  android:debuggable="true"      <!-- debugger attach and run-as access in production -->
  android:allowBackup="true">    <!-- private files land in adb/cloud backups -->
  <!-- any app on the device can launch this screen -->
  <activity
    android:name=".AdminActivity"
    android:exported="true" />
</application>
Secure Code
<!-- AndroidManifest.xml -->
<application
  android:debuggable="false"     <!-- better still: omit the attribute and let the release build type decide -->
  android:allowBackup="false">
  <!-- internal screen: declare exported explicitly (required on Android 12+) and keep it false -->
  <activity
    android:name=".AdminActivity"
    android:exported="false" />
</application>

Real-World Example

In 2020, a popular Indian payment app (Paytm) was found with android:debuggable=true in its production build. This allowed attackers to attach a debugger, inspect memory, and potentially extract sensitive payment information.

How to Prevent It

  • Never hardcode android:debuggable in the manifest; let the release build type leave it off, and confirm on the built APK (for example with apkanalyzer manifest print or aapt dump badging, which reports application-debuggable) before shipping
  • Request only the permissions the app actually uses and remove ones that are no longer needed
  • Declare android:exported explicitly on every component (mandatory on Android 12+ for components with intent filters); set it to false for internal components and guard anything that must stay exported with an android:permission, preferably at signature protection level
  • Set android:allowBackup="false", or, if backup is required, exclude sensitive files with android:fullBackupContent / android:dataExtractionRules and never treat backup data as confidential
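The settings discussed above are easy to lint once the manifest is decoded from the APK (for example with apktool) or read from the source tree. The following linter is an added example and not Data Hogo's scanner or any Android tooling; the two manifests embedded in it and the package com.example.app are constructed for the demonstration, and the sensitive-permission list is an assumed review list rather than an official Android classification. It flags debuggable and allowBackup at the application level, components exported without a permission guard (the launcher entry point is exempt because it must be exported), components that leave android:exported undeclared while carrying an intent filter, and permissions worth a second look; the hardened manifest shows the corrected settings passing clean.

```python
"""Added example: lint a decoded AndroidManifest.xml for mobile misconfiguration.
Not Data Hogo's scanner; sample manifests and com.example.app are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumed review list of permissions that reach sensitive device resources.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def attr(element, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(component):
    """The launcher entry point has to be exported, so it is never a finding."""
    return any(attr(cat, "name") == LAUNCHER
               for f in component.findall("intent-filter")
               for cat in f.findall("category"))


def lint_manifest(xml_text):
    """Return human-readable findings; an empty list means the manifest is clean."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    if attr(app, "debuggable") == "true":
        findings.append("application: android:debuggable=\"true\" "
                        "(debugger attach and run-as access on the device)")
    backup = attr(app, "allowBackup")
    if backup is None:
        findings.append("application: android:allowBackup not set, default is true")
    elif backup == "true":
        findings.append("application: android:allowBackup=\"true\"")
    for comp in app:  # direct children of <application> are the components
        if comp.tag not in COMPONENT_TAGS:
            continue
        name, exported = attr(comp, "name"), attr(comp, "exported")
        guarded = attr(comp, "permission") is not None
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" and not guarded and not is_launcher(comp):
            findings.append(f"{comp.tag} {name}: exported without android:permission")
        elif exported is None and has_filter:
            # Implicitly exported before Android 12; apps targeting API 31+ fail
            # to install when this is left undeclared.
            findings.append(f"{comp.tag} {name}: intent-filter present but "
                            "android:exported not declared")
    for perm in root.findall("uses-permission"):
        pname = attr(perm, "name")
        if pname in SENSITIVE_PERMISSIONS:
            findings.append(f"uses-permission {pname}: sensitive, confirm it is required")
    return findings


# Constructed sample: the misconfigured manifest from the page, plus a receiver
# that relies on the pre-Android-12 implicit export and an unneeded permission.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true" />
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.app.SYNC" /></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false" />
  </application>
</manifest>"""

# Constructed sample: debuggable omitted (build type decides), backup off,
# internal components exported=false, the receiver guarded by a signature permission.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.permission.SYNC"
      android:protectionLevel="signature" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="false" />
    <receiver android:name=".SyncReceiver" android:exported="true"
        android:permission="com.example.app.permission.SYNC">
      <intent-filter><action android:name="com.example.app.SYNC" /></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label}: {len(lint_manifest(text))} finding(s)")
        for line in lint_manifest(text):
            print("  -", line)
```

Run it against a manifest decoded from the release APK rather than the source tree, since the build can add or override attributes; the vulnerable sample yields five findings and the hardened one none. Treat the exported-without-permission result as a review item rather than a bug: some components (deep-link activities, for instance) must be exported, but each one should be a deliberate decision with input validation behind it.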

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.