On every device you can debug an application by looking at its logs; that's why some applications (like banking applications) don't run if a debugger is on, to avoid reverse engineering by debugging (and obviously they will use obfuscation against offline reverse engineering).
So if you are on an Android emulator and you have the source code, you can attach the debugger and debug it (in this case you will hit breakpoints but you can't see variable values).
You can check if your apk is debuggable by:
aapt dump xmltree your_app.apk AndroidManifest.xml | grep debug
Also go to: Android Studio -> Build -> Edit Build Type
and check that the flavor and type you are using to release the apk isn't debuggable.
If you don't want anybody to be able to debug your app's logs, you should check whether a debugger is attached and, if so, not start the app.
Also keep in mind that Android uses a virtual machine (Dalvik), so your instructions get translated to bytecode that is interpreted by the virtual machine, not to machine code as a C++ compiler does when you build a Portable Executable on Windows.
So anybody who knows how to reverse an APK can extract important information from your APK by reversing it this way and, because it uses bytecode, they will get a more explanatory view of the APK components than they would get by reversing an executable written in C++. In C++, if you reverse the code you just get low-level code (that is, assembly code), and it is a lot less human-readable (if you don't know assembly very well).
To avoid disassembly in Java you should use obfuscation (as you do with scripting languages like JavaScript).
So if your APK shouldn't be debuggable and reversible you should:
Stop the app and don't start it if a debugger is attached or debugging on the device is "on". (Avoid Debugging)
Use obfuscation. (Avoid Disassembling)
I hope this is helpful and that I didn't write anything wrong xD
Have a nice day and a nice coding! :D
Bye!
Credit for the aapt command:
credits (Charuāļ)
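
The `aapt ... | grep debug` check from the answer above can be turned into a release gate that fails closed. The following is an added example, not part of the original answer: the function names and the sample dump are constructed for illustration, and it assumes the classic `aapt` output format, where a boolean attribute is printed as `(type 0x12)0xffffffff` for true and `(type 0x12)0x0` for false.

```shell
#!/bin/sh
# Constructed sample of `aapt dump xmltree app.apk AndroidManifest.xml` output
# (hypothetical package name; not taken from a real APK).
sample_dump() {
cat <<'EOF'
N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: android:versionCode(0x0101021b)=(type 0x10)0x1
    A: package="com.example.app" (Raw: "com.example.app")
    E: application (line=10)
      A: android:label(0x01010001)=@0x7f0b0000
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff
      E: activity (line=15)
        A: android:name(0x01010003)="com.example.app.MainActivity" (Raw: "com.example.app.MainActivity")
EOF
}

# Reads an aapt xmltree dump on stdin and prints one of:
#   true    - android:debuggable is set to true
#   false   - attribute is absent (the platform default) or explicitly false
#   unknown - attribute is present but is not a plain boolean literal
manifest_debuggable() {
    awk '
        /A: android:debuggable\(0x0101000f\)=/ {
            if ($0 ~ /\(type 0x12\)0xffffffff/)          state = "true"
            else if ($0 ~ /\(type 0x12\)0x0[ \t]*$/)     state = "false"
            else                                         state = "unknown"
        }
        END { print (state == "" ? "false" : state) }
    '
}

# Release gate: succeeds only when the manifest is provably not debuggable.
# $1 is the APK path; needs aapt from the Android SDK build-tools on PATH.
apk_is_release_safe() {
    # If aapt itself fails, refuse to pass the build instead of treating
    # the empty output as "attribute absent".
    dump=$(aapt dump xmltree "$1" AndroidManifest.xml) || return 2
    [ "$(printf '%s\n' "$dump" | manifest_debuggable)" = "false" ]
}

# Demo on the constructed sample.
sample_dump | manifest_debuggable   # prints "true"
```

In a build pipeline, call `apk_is_release_safe path/to/app.apk` on the signed release artifact and stop the release on any non-zero status.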