What does ro.debuggable=1 actually do?

Question

I am trying to understand what the Android system property ro.debuggable actually does. I am using Arm Streamline to profile my android application and the documentation states that I can do application profiling using debuggable applications (applications built with the debuggable flag), or I can do a system-wide profile on a rooted device. Reading around I came across the ro.debuggable property and wondered if this would allow me to debug apps not built with the debuggable flag.

Best understanding I can glean so far from documentation is thet ro.debuggable=1 is usually the setting for eng and user-debug builds and somehow allows for a device to be rooted (though does not actually root a device), but what does it actually do? Does it just determine if a device can be rooted or not?

Answer 1

Let's start from the lifecycle of the Android application process:

1. Some application requests system_server to start an app to handle its request. For example, when a user clicks the WeChat icon on the launcher, the launcher requests system_server to start the WeChat application to respond to the user's request.

2. system_server resolves the request (actually the request Intent) and finally makes a decision to spawn a new process for WeChat to fulfill the request.

3. system_server calls ProcessList.startProcess to spawn a new process to host WeChat. The process being spawned needs some basic information about the application it will run, such as instruction-set, target-api, UID, etc. One of the important pieces of information is whether the application is debuggable. ProcessList retrieves most of this information from PackageManagerService. For example, the debuggable option is set in the APK's manifest attribute android:debuggable.

4. ProcessList collects these options and forwards them to ZygoteProcess. ZygoteProcess writes these options to the zygote or zygote64 process using a Socket.

5. ZygoteServer receives the socket request and processes it in ZygoteConnection.processCommand, parsing the buffer into ZygoteArguments.

6. Some default behaviors take effect on the parsed ZygoteArguments. For example, applyDebuggerSystemProperty. If this is an ENG build or USER_DEBUG build with persist.debug.dalvik.vm.jdwp.enabled set to 1, the debug options are enabled regardless of the options passed by system_server (the code in the main branch is slightly different from Android 13, which only takes into account the ro.debuggable property).

7. The newly spawned process uses the options to set up a JDWP server in EnableDebugFeatures, making the process present in DDMS and debuggable.

In summary, the ro.debuggable property has nothing to do with root access but is a property that affects the debug server of every app process in Android 13 (as explained above).