From f64f9c82cae483eeb11c674c83804fe7cc7be8a9 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 26 Nov 2025 13:02:08 +0100
Subject: [PATCH] scanner: check binaries for debuggable/testOnly

This used to be enforced by !1734, but that bitrotted away and no longer works. This is a better place to enforce this, since it is easier to reliably find it in the APK rather than the source code.
---
 fdroidserver/scanner.py | 18 ++++++++++++++++--
 tests/test_scanner.py   |  4 +++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/fdroidserver/scanner.py b/fdroidserver/scanner.py
index f28e3803..f3c70b7f 100644
--- a/fdroidserver/scanner.py
+++ b/fdroidserver/scanner.py
@@ -659,7 +659,7 @@ def _get_tool():
     return scanner._SCANNER_TOOL
 
 
-def scan_binary(apkfile):
+def scan_binary(apkfile, allow_debuggable=False):
     """Scan output of dexdump for known non-free classes."""
     logging.info(_('Scanning APK with dexdump for known non-free classes.'))
     result = get_embedded_classes(apkfile)
@@ -674,6 +674,14 @@ def scan_binary(apkfile):
             logging.debug("Problem: found class '%s'" % classname)
             problems += 1
 
+    if common.is_debuggable_or_testOnly(apkfile):
+        msg = f"{apkfile}: debuggable or testOnly set in AndroidManifest.xml"
+        if allow_debuggable:
+            logging.debug(msg)
+        else:
+            logging.error(msg)
+            problems += 1
+
     logging.info(_('Scanning APK for extra signing blocks.'))
     a = common.get_androguard_APK(str(apkfile))
     a.parse_v2_v3_signature()
@@ -1141,6 +1149,12 @@ def main():
         nargs='*',
         help=_("application ID with optional versionCode in the form APPID[:VERCODE]"),
     )
+    parser.add_argument(
+        "--allow-debuggable",
+        action="store_true",
+        default=False,
+        help=_("Do not throw an error on APKs with the debuggable flag set."),
+    )
     parser.add_argument(
         "-f",
         "--force",
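Review bot: The docstring on the line after the new signature still reads `"""Scan output of dexdump for known non-free classes."""`, so neither the new `allow_debuggable` parameter nor the manifest check the function now performs is documented. I would widen it to something like `"""Scan an APK for known non-free classes, debuggable/testOnly flags, and extra signing blocks.` followed by an `Args` entry `allow_debuggable: when True, a debuggable or testOnly manifest is logged instead of counted as a problem.` and a `Returns` line stating that the problem count is returned, as the caller in main() relies on it. The body of scan_binary continues outside this hunk.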
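Review bot: When `allow_debuggable` is set, the new branch demotes the debuggable/testOnly finding to `logging.debug(msg)`, so an operator who opts out of this check leaves no trace at the default log level that a debuggable or testOnly build went through the scanner. Since the override is deliberate, `logging.warning(msg)` would keep it visible in normal output without adding to `problems`. The finding itself is worth keeping loud: a build with `debuggable` set accepts runtime debugger attachment and a `testOnly` build is not meant to be installed on end-user devices, which is presumably why the commit makes this an error by default. scan_binary starts and ends outside this hunk.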
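Review bot: The help text for the new option understates what it suppresses: scan_binary gates on `common.is_debuggable_or_testOnly`, so `--allow-debuggable` also silences the testOnly case, while the help string only mentions the debuggable flag. Suggest `help=_("Do not throw an error on APKs with the debuggable or testOnly flag set."),` so the option's documentation matches the check it disables. The argparse setup in main() continues outside this hunk.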
@@ -1185,7 +1199,7 @@ def main():
             appids = []
             for apk in options.appid:
                 if os.path.isfile(apk):
-                    count = scanner.scan_binary(apk)
+                    count = scanner.scan_binary(apk, options.allow_debuggable)
                     if count > 0:
                         logging.warning(
                             _('Scanner found {count} problems in {apk}').format(
diff --git a/tests/test_scanner.py b/tests/test_scanner.py
index 8da5d5cb..3fba4f23 100755
--- a/tests/test_scanner.py
+++ b/tests/test_scanner.py
@@ -925,4 +925,6 @@ class Test_main(unittest.TestCase):
         self.exit_func.assert_not_called()
         self.read_app_args_func.assert_not_called()
 
-        self.scan_binary_func.assert_called_once_with('local.application.apk')
+        self.scan_binary_func.assert_called_once_with(
+            'local.application.apk', False
+        )
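Review bot: The call site passes the boolean positionally, `count = scanner.scan_binary(apk, options.allow_debuggable)`, which reads as an anonymous flag and will silently bind to the wrong parameter if scan_binary ever grows another argument. Passing it by name, `count = scanner.scan_binary(apk, allow_debuggable=options.allow_debuggable)`, makes the intent clear at the call and matches the keyword default in the signature; the corresponding `assert_called_once_with` in tests/test_scanner.py would then check the keyword form instead of a positional `False`. main() starts and ends outside this hunk.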
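Review bot: The only test change re-pins the existing call expectation to `'local.application.apk', False`; nothing in the commit exercises the new manifest check itself, so a regression in the debuggable/testOnly branch would go unnoticed, which is the same way the earlier enforcement in !1734 bitrotted according to the commit message. A test that patches `common.is_debuggable_or_testOnly` to return True and asserts that scan_binary's returned count increases by one by default, and stays unchanged with `allow_debuggable=True`, would cover both paths without needing a real debuggable APK fixture. The Test_main class continues outside this hunk.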