WebView debugging can be enabled via WebView.setWebContentsDebuggingEnabled(true)
. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.
Consider this, the Tripit app exposes WebView debugging and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.
First connect the phone via ADB, open chrome://inspect in the Chrome browser, then enter the following in there.
window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML
Now, you can see all the entries like
<string name=”oauthTokenSecret”>f731d36cdbf9006f917307…</string>
These auth tokens can be copied and used to get permanent access to the user’s TripIt account.
Original post at ashishb.net
Top comments (2)
Hey Ashish,
Thanks for the write up. :) Latest chrome does not allow you to load local resources when you 'inspect' the webview with setWebContentsDebuggingEnabled set to true. Do you happen to have any pointers on how to get around it?
Hi Tejas,
I don't think there is a way to get around it except to uses a rooted device or an emulator.