Android Security: Don’t leave WebView debugging enabled in production

WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.

Consider this, the Tripit app exposes WebView debugging, and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.

First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.

window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML

Now, you can see all the entries like

<string name=”oauthTokenSecret”>f731d36cdbf9006f917307…</string>

These auth tokens can be copied and used to get permanent access to the user’s TripIt account.

2 Replies to “Android Security: Don’t leave WebView debugging enabled in production”

  1. Hey Where I Have to Put This Code

  2. Updated the blog post with more details “First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.”

Leave a Reply

Your email address will not be published. Required fields are marked *