Remote debugging still exists after released version, I want to remove it

Can anyone please suggest a way to remove my app from remote debugging in chrome://inspect after the released version?
Because it is still shown there!
I already signed it with my keystore.

Hi everyone, I have the same issue as above…

.apk has been generated with --release flag, signed and uploaded to the Play Store. But the remote debugging is still available, making it a big security risk for all Ionic-based applications… Not only my application, I realized I am able to see other applications on my phone built with Ionic by third parties too… My config:

cli packages: 
    @ionic/cli-utils  : 1.9.2
    ionic (Ionic CLI) : 3.9.2

global packages:
    Cordova CLI : 7.0.1 

local packages:
    @ionic/app-scripts : 2.1.3
    Cordova Platforms  : android 6.2.3
    Ionic Framework    : ionic-angular 3.6.0

    Android SDK Tools : 25.2.5
    Node              : v6.10.2
    npm               : 3.10.10

The phone is rooted and running KitKat. On my other device on Lollipop, interestingly enough, I couldn’t see the remote debugging. Does someone know how to fix it? Despite being a big threat, I couldn’t find much info on the Internet.


Edit: by the way, it’s an Ionic 2 application, but I guess it makes little difference

Isn’t this caused by rooting your phone?

In general all apps can be taken apart (or observed), no matter what you do.

If this constitutes a security risk at all for your app, let alone a big one, then your design is hopelessly flawed. You must assume that somebody with a copy of the app binary has access to anything that the app does, so if (for example) you are embedding encryption keys or passwords in your app, you need to stop doing that.

Thanks for the replies. Actually, the reason I am confused is that even on a rooted phone, the remote debugging is not accessible on other versions of Android (Lollipop and Nougat).
If there is nothing we can do, we will take rapropos’s advice and reconsider the design accordingly. Thanks

To follow up on this, simply run unzip on an APK of your app. Everything is readily extractable, and if you think about it, it sort of has to be in order for the app to be installable. Just move all of your security to the server-side where you control the environment and you will be happy.

If you must store secrets client-side, you will need to come up with some solution that relies on something like a KDF that is seeded by something the user knows or has. The main obvious downside of systems like that is that there is (deliberately) no recourse if the user forgets their passphrase. If there was, the system would not be secure.

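The passphrase-seeded KDF approach from the last reply, sketched with the WebCrypto API that a WebView exposes. This is an added example, not code from the thread or from Ionic; the function names, the stored blob layout and the PBKDF2 iteration count are assumptions.

```javascript
// Added example: a client-side secret sealed under a key derived from a user passphrase.
// Names, blob layout and iteration count are assumptions made for this illustration.
const cryptoP = (async () =>
  globalThis.crypto?.subtle ? globalThis.crypto
                            : (await import('node:crypto')).webcrypto)();

const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumed; tune per device)

// Stretch the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(wc, passphrase, salt, iterations) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns only what may be persisted on the device: no key and no passphrase,
// so unzipping the APK or inspecting the WebView's storage yields ciphertext only.
async function sealSecret(passphrase, secret, iterations = ITERATIONS) {
  const wc = await cryptoP;
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per secret
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh per encryption
  const key = await deriveKey(wc, passphrase, salt, iterations);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key,
                                     new TextEncoder().encode(secret));
  return { iterations, salt, iv, ciphertext: new Uint8Array(ct) };
}

// Resolves to the secret, or to null when the passphrase is wrong or the blob
// was modified (the AES-GCM tag check fails). There is no recovery path.
async function openSecret(passphrase, blob) {
  const wc = await cryptoP;
  const key = await deriveKey(wc, passphrase, blob.salt, blob.iterations);
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: blob.iv }, key, blob.ciphertext);
    return new TextDecoder().decode(pt);
  } catch (e) {
    return null;
  }
}
```

While the app is unlocked the plaintext still lives in the WebView's memory, so this protects data at rest on the device, not data an attached inspector can read at runtime.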