In the application manifest element of an android application, setting debuggable property to true could introduce a security risk.

It's more easy to perform reverse engineering and inject arbitrary code in the context of a debuggable application.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is not recommended to release debuggable application. Avoid hardcoding the debug mode in the manifest because the build tool will add the property automatically and assign the correct value depending on the build type.

Sensitive Code Example

In AndroidManifest.xml the android debuggable property is set to true:

<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="true"
  android:theme="@style/AppTheme">
</application>  <!-- Sensitive -->

Compliant Solution

In AndroidManifest.xml the android debuggable property is set to false:

<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="false"
  android:theme="@style/AppTheme">
</application> <!-- Compliant -->

See