Android Security: Don’t leave WebView debugging enabled in production

WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.

Consider this, the Tripit app exposes WebView debugging and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.

First connect the phone via ADB, open chrome://inspect in the Chrome browser, then enter the following in there.

Now, you can see all the entries like

<string name=”oauthTokenSecret”>f731d36cdbf9006f917307…</string>

These auth tokens can be copied and used to get permanent access to the user’s TripIt account.

Leave a Reply

Your email address will not be published. Required fields are marked *