Flipper: Question: Enabling Flipper for non debuggable release builds

Created on 29 Apr 2020 · 6 Comments · Source: facebook/flipper

Hi!

The QA team in my company regularly used Stetho in internal dogfood builds distributed through the Play Store. But we have tried to replicate the setup with Flipper and we weren't able to: the library would work fine, but the desktop app would refuse to communicate with an app not in debuggable mode.

04-28 11:10:38.763 17157 17292 I flipper : flipper: Desktop failed to provide certificates. Error from flipper desktop:
04-28 11:10:38.763 17157 17292 I flipper : Android app com.myapp is not debuggable. To use it with Flipper, add android:debuggable="true" to the application section of AndroidManifest.xml

By being distributed internally through the play store, we cannot use debuggable builds. Is there any way that check could be disabled so that we can run Flipper for our internal dogfood release builds?

Thanks!

All 6 comments

Hey Nacho!

We do not support Flipper in any form of non-debug builds. We do not support Flipper in any non-debug builds and see this as a pretty immovable line on our end. What I don't know off the top of my head is what we use the debuggable flag for. I think this could be the run-as command, but I could be wrong here. I'll ask someone.

Hi @mrmans0n,

passy is right, it's a requirement for the adb run-as command which we use to secure the connection. This prevents other apps or websites from being able to connect to your app.

If you don't want to root, an option would be to manage your own server and client certificates, instead of letting flipper manage them for you automatically. Right now flipper desktop creates self-signed certs in ~/.flipper/certs, and it also writes a client cert into files/sonar within the mobile app's data partition.

If you deployed the contents of those files to desktops before flipper runs, and also into your mobile app (it could write them on startup before starting the flipper client) then that would work, but bear in mind that anyone in possession of the app files (~/.flipper/certs) will be able to connect to your app.

There's one more option, if you can test on rooted devices or emulators. It should be possible to make Flipper work even on non-debuggable apps, because we could use su instead of run-as, like was done for non-application use cases in f4b0898de540c95457abe783f03e866c5d846468 but this would require some more involved changes in the desktop app code.

Thanks a lot for your answers, Pascal and John!

If we were to do something with the certificates, as @jknoxville suggested, would this bypass the "app is not debuggable" error, or would that also require desktop app changes?

Provided I'm not forgetting anything, it would just work and you wouldn't need to change any desktop code.

You could test this fairly easily by doing the following:

  • Run flipper alongside a debuggable app (your debug build where flipper is working).
  • Extract the files from the mobile app's container (replace com.facebook.flipper.sample with your app's package):

    • ./scripts/debugging/android_sonar_dir.sh ls com.facebook.flipper.sample will list the files you need. Do this while the app is successfully connected to flipper to ensure you're copying a working set of files.

    • ./scripts/debugging/android_sonar_dir.sh pull com.facebook.flipper.sample app.csr app.csr will pull a single file. Do this for each file listed by the previous command.

  • Now you've got a bunch of client files that will allow an app to connect to your flipper instance. Get your non-debuggable Android app to write these files to files/sonar/ before it starts the flipper client, then it should bypass the certificate exchange (and thus bypass the need to be debuggable) and connect straight to your desktop app.

Things you need to know:

  • The desktop app creates new certificates for itself when they don't exist, or if it notices something wrong with them (like they've expired). If this happens, your deployed client certs won't match anymore. This should be infrequent but can happen.
  • If you're going to use the same client certs in your mobile build for several people, the files their desktop apps use (~/.flipper/certs/) will all need to accept that client, so you'll have to take care of securely deploying them to your testers' computers, rather than letting flipper generate them itself.
  • Don't leak those desktop files. They will allow anyone to connect to your built app.
  • As mentioned by passy we only use (and support) Flipper in debug builds. While I'm not aware of any, it's possible that there are other things that prevent it from working in release builds, so you'll be in uncharted waters there and we may not be able to help further.
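
A pre-flight check for the caveats in the comment above (desktop certs regenerated, certs expired, desktop files leaked), as an added example that is not part of the thread or of Flipper's own scripts. The file paths passed in are assumptions: substitute the names that the ls listing and ~/.flipper/certs/ actually show on your machines.

```shell
#!/bin/sh
# Added example: pre-flight check for a pre-provisioned Flipper cert bundle.
# File names are NOT taken from the thread; pass the real paths as arguments.
#
# check_flipper_bundle CA_CERT CLIENT_CERT PRIVATE_FILE [MIN_DAYS]
#   CA_CERT      PEM cert the desktop uses to accept clients
#                (assumed to live under ~/.flipper/certs/)
#   CLIENT_CERT  PEM client cert pulled from the app's files/sonar/
#   PRIVATE_FILE a private key from either side that must not leak
#   MIN_DAYS     minimum remaining validity, default 14
# Returns 0 when the bundle is usable, otherwise the number of failed checks.
check_flipper_bundle() {
    ca=$1 client=$2 private=$3 min_days=${4:-14}
    failures=0

    # 1. If the desktop regenerated its certs, the shipped client cert
    #    no longer chains to the desktop's current CA.
    if ! openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1; then
        echo "FAIL: $client does not verify against $ca"
        failures=$((failures + 1))
    fi

    # 2. -checkend exits non-zero if the cert expires within N seconds,
    #    which is when the desktop would replace its certs.
    for cert in "$ca" "$client"; do
        if ! openssl x509 -in "$cert" -noout \
                -checkend $((min_days * 86400)) >/dev/null 2>&1; then
            echo "FAIL: $cert expires within $min_days days"
            failures=$((failures + 1))
        fi
    done

    # 3. Anyone holding the private files can connect to the built app,
    #    so flag a key that is readable by group or others.
    if [ -n "$(find "$private" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $private is readable by group or others"
        failures=$((failures + 1))
    fi

    return "$failures"
}
```

Run it on each tester's machine before distributing a build; a non-zero status means the shipped client files and that desktop's certs should be redeployed together.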

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please feel free to create a new issue with up-to-date information.
