M10: Extraneous Functionality
M10: Extraneous Functionality
Hidden backdoor functionality or internal development aids left in production code can be exploited by attackers.
// Android - Removing extraneous functionality
class ProductionSafetyManager {
    /**
     * VULNERABLE: development leftovers that commonly ship in release builds.
     *
     * Every member here is "extraneous functionality" in the OWASP Mobile M10
     * sense: it serves no end user, but if it is reachable in a production
     * binary it hands an attacker data or behaviour that was never meant to be
     * exposed.
     */
    class DevelopmentLeftovers {
        // Bad: credentials compiled into the binary. Anything in a string
        // constant can be recovered from the shipped APK.
        private val testAccounts = mapOf(
            "[email protected]" to "password123",
            "[email protected]" to "admin123",
        )

        // Bad: debug routes registered on the production router. The two GET
        // routes disclose internal state; the POST route deliberately crashes
        // the process.
        fun setupDebugEndpoints(router: Router) {
            router.get("/debug/logs") { getAllLogs() }
            router.get("/debug/config") { getConfiguration() }
            router.post("/debug/crash") { throw RuntimeException("Test crash") }
        }

        // Bad: writes the entire SensitiveData value to the device log at
        // debug level.
        fun logSensitiveOperation(data: SensitiveData) {
            val tag = "Debug"
            Log.d(tag, "Processing: $data")
        }
    }

    /**
     * SECURE: the same app with debug/test behaviour kept out of release builds.
     *
     * Gating on [BuildConfig.DEBUG] at runtime is defence in depth only: the
     * debug code is still compiled into the binary and the check is one patch
     * away from being flipped. The primary control is compile-time exclusion
     * (debug-only source sets / build variants), backed by the shrinker rules
     * sketched at the bottom of this class.
     */
    class ProductionSafeCode {
        init {
            // Every build with DEBUG == false has its debug features switched
            // off at construction time.
            when {
                !BuildConfig.DEBUG -> disableAllDebugFeatures()
            }
        }

        private fun disableAllDebugFeatures() {
            // Only the "release" build type swaps the logger. A non-debug
            // "staging" build (a build type ConfigurationManager below knows
            // about) keeps whatever Timber trees were planted.
            // NOTE(review): keying this on !BuildConfig.DEBUG would harden
            // every non-debug build, not just "release" — confirm intent.
            val isReleaseBuild = BuildConfig.BUILD_TYPE == "release"
            if (isReleaseBuild) {
                Timber.uprootAll()                 // remove every planted tree
                Timber.plant(CrashReportingTree()) // app-defined tree; see elsewhere
            }
            // Test endpoints are deliberately not touched here: they must be
            // excluded at build time (debug source set / build variant) so the
            // release binary never contains them at all.
        }

        /** Feature flags derived solely from build configuration, never from runtime input. */
        object Features {
            val isDebugMenuEnabled: Boolean = BuildConfig.DEBUG
            val isVerboseLoggingEnabled: Boolean = BuildConfig.DEBUG
            // Mock data requires both a debug build and the dedicated "mock" flavor.
            val isMockDataEnabled: Boolean = BuildConfig.DEBUG && BuildConfig.FLAVOR == "mock"
        }

        /** Resolves the backend URL from the build type; the value is fixed at build time. */
        class ConfigurationManager {
            /**
             * @return the API endpoint compiled into this build type.
             * @throws IllegalStateException for a build type with no endpoint mapping.
             */
            fun getApiEndpoint(): String = when (BuildConfig.BUILD_TYPE) {
                "debug" -> BuildConfig.DEBUG_API_ENDPOINT
                "staging" -> BuildConfig.STAGING_API_ENDPOINT
                "release" -> BuildConfig.PRODUCTION_API_ENDPOINT
                else -> error("Unknown build type")
            }
        }

        // Code stripping with ProGuard/R8 (proguard-rules.pro). The shrinker
        // only runs for build types with minifyEnabled, so these rules have no
        // effect on an unminified build.
        /*
        -assumenosideeffects class android.util.Log {
        public static *** d(...);
        public static *** v(...);
        public static *** i(...);
        public static *** w(...);
        public static *** e(...);
        }
        # Remove debug classes
        -assumenosideeffects class com.example.app.debug.** {
        *;
        }
        */
        // NOTE(review): -assumenosideeffects lets the shrinker delete *calls*
        // whose result is unused; it does not delete the classes themselves,
        // and applying it to every member (`*;`, constructors included) can
        // break code that still references them. Keeping debug classes in the
        // debug source set is the reliable way to keep them out of release.
    }
}