WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.

Consider this, the Tripit app exposes WebView debugging, and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.

First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.

window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML

Now, you can see all the entries like

<string name=”oauthTokenSecret”>f731d36cdbf9006f917307…</string>

These auth tokens can be copied and used to get permanent access to the user’s TripIt account.