USB Debugging May Be Hazardous To Your Health
Being able to debug apps on off-the-shelf Android hardware is a major blessing, one that countless Android developers (including myself) are grateful for. However, there are costs involved with this feature.
Specifically, if your device has USB debugging enabled, anyone who gets their hands on your device can blow past the keyguard (swipe, PIN, password, whatever) and access your device directly. No reboot is required, and so whole-disk encryption is of no benefit.
I will not go into details of the attack here. If you want details, the attack has been written up in a couple of places (or, if I know you, drop me a line). Suffice it to say it is not, strictly speaking, relying on any undocumented security flaws or the like. Instead, the attack uses a combination of standard OS capabilities, each of which have legitimate uses, but happen to combine to cause this privacy issue.
Unfortunately, presumably because of this, the official answer from the Android Security team is that “this is not a bug”, despite the privacy implications for Android developers.
The safest course of action is to disable USB debugging on any device that has access to private information of yours. However, this is an annoyance for developers whose only Android device for testing is also the device they use for daily personal or business affairs.
Ideally, IMHO, the OS would have two capabilities:
It would expand the USB debugging option in Settings, replacing the current checkbox with a three-option list: off, always on, or on-while-connected. The latter option would cause the OS to automatically turn off USB debugging when the USB cable is unplugged.
It would have a built-in app widget to toggle on and off USB debugging.
These would allow developers to manually turn on and off USB debugging without wading through a couple of layers of the Settings app. The combination of the app widget and the on-while-connected setting would make it easy to keep USB debugging off except while actively working on development – just tap the app widget when plugging in the USB cable to debug, and unplug the USB cable to turn off debugging.
Alas, this does not exist. While it is possible to implement this as an SDK app, it would require an everlasting service or frequent polling (to monitor the state of the USB debugging option) and would require a rooted device (to install the app on the system partition, to be able to change the state of the USB debugging option).
Developers with rooted Android devices can find app widgets on the Play Store and elsewhere that allow toggling on and off USB debugging, though this does not help those with unrooted devices.
In practice, the risk caused by this issue is not that great for most people. It requires you to lose your device and for that device to wind up in the hands of somebody who knows about this exploit. However, it is a bigger deal for developers who lives put them at constant risk of incarceration (e.g., dissidents in Arab Spring-style movements), as it is reasonably likely that smartphone forensic tools incorporate this exploit.
Want an expert opinion on your Android app architecture decisions? Perhaps Mark Murphy can help!