WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.
Consider this, the Tripit app exposes WebView debugging, and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.
First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.
Now, you can see all the entries like
These auth tokens can be copied and used to get permanent access to the user’s TripIt account.