Ashish Bhatia

Android Security: Don't leave WebView debugging enabled in production

WebView debugging can be enabled via WebView.setWebContentsDebuggingEnabled(true). Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.

Consider this: the TripIt app exposes WebView debugging, and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract the TripIt OAuthToken.

First, connect the phone via ADB and open chrome://inspect in the Chrome browser, then enter the following in the inspector console:

window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML

Now you can see all the entries, like:

<string name="oauthTokenSecret">f731d36cdbf9006f917307…</string>

These auth tokens can be copied and used to get permanent access to the user’s TripIt account.

Original post at ashishb.net
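
One way to keep this setting out of release builds, shown as an added example that is not code from the original post or from TripIt: tie WebView debugging to the app's debuggable flag and refuse file:// loads in the WebView. The class name `WebViewHardening` and its method names are hypothetical, and the example assumes minSdk 16 or higher and an app that never needs to load file:// URLs.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Hypothetical helper class; the name and structure are illustrative. */
public final class WebViewHardening {
    private WebViewHardening() {}

    /**
     * Call once at startup (for example from Application.onCreate()).
     * Debugging follows the manifest's debuggable flag, so a build that
     * is not debuggable does not expose its WebViews to chrome://inspect.
     */
    public static void configureDebugging(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
            return; // setWebContentsDebuggingEnabled() exists from API 19
        }
        boolean debuggable =
                (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        WebView.setWebContentsDebuggingEnabled(debuggable);
    }

    /**
     * Defence in depth for each WebView instance. Assumes the app loads
     * only https:// content or bundled assets and never needs file:// URLs.
     */
    @SuppressWarnings("deprecation") // the *FromFileURLs setters are deprecated since API 30
    public static void restrictFileAccess(WebView webView) {
        WebSettings settings = webView.getSettings();
        // Refuse file:// loads such as the shared_prefs path shown above;
        // file:///android_asset and file:///android_res stay available.
        settings.setAllowFileAccess(false);
        // Refuse content:// loads from content providers.
        settings.setAllowContentAccess(false);
        // Stop script in a file:// page from reading other files or origins.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }
}
```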

Top comments (2)

Tejas Khairnar

Hey Ashish,

Thanks for the write-up. :) The latest Chrome does not allow you to load local resources when you 'inspect' the WebView with setWebContentsDebuggingEnabled set to true. Do you happen to have any pointers on how to get around it?

Ashish Bhatia

Hi Tejas,

I don't think there is a way to get around it except to use a rooted device or an emulator.