Android Webview Debugging Enabled
ID: kotlin.android_webview_debugging_enabled
Severity: high
Resource: Entry Points
Language: Kotlin
Tags: CWE:489, NIST.SP.800-53, PCI-DSS:6.5.6, android
Description
Enabling WebView debugging in a production environment can expose sensitive data and application logic to unauthorized access.
Rationale
WebView debugging is a feature provided by Android to facilitate development and debugging of web content within applications. If it is left enabled in production builds, anyone who can attach debugging tools (for example Chrome DevTools over a USB connection) can inspect the WebView's content and potentially tamper with sensitive data or application logic.
It is essential to ensure that WebView debugging is disabled in release versions to protect against unauthorized access and potential security breaches.
    import android.os.Bundle
    import android.webkit.WebView
    import androidx.appcompat.app.AppCompatActivity

    class WebViewActivity : AppCompatActivity() {
        override fun onCreate(savedInstanceState: Bundle?) {
            super.onCreate(savedInstanceState)
            setContentView(R.layout.activity_webview)
            val webView = findViewById<WebView>(R.id.webview)
            WebView.setWebContentsDebuggingEnabled(true) // FLAW
        }
    }
Remediation
To secure your application, ensure that WebView debugging is disabled in release builds. Use build configurations to disable debugging automatically in production environments, or explicitly call WebView.setWebContentsDebuggingEnabled(false) in production code.
    import android.os.Bundle
    import android.webkit.WebView
    import androidx.appcompat.app.AppCompatActivity

    class WebViewActivity : AppCompatActivity() {
        override fun onCreate(savedInstanceState: Bundle?) {
            super.onCreate(savedInstanceState)
            setContentView(R.layout.activity_webview)
            val webView = findViewById<WebView>(R.id.webview)
            // Remote debugging stays off in the shipped build.
            WebView.setWebContentsDebuggingEnabled(false)
        }
    }
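The remediation above hard-codes false, which is safe but removes the feature for developers too. The example below is an added illustration, not part of this rule's own code, of the "use build configurations" approach mentioned in the Remediation section: the decision is made once in the Application subclass, debugging is enabled only when the build is debuggable, and no Activity calls the API directly. It assumes a Gradle-generated BuildConfig in a placeholder package (com.example.app) and the standard debug/release build types.

```kotlin
import android.app.Application
import android.content.pm.ApplicationInfo
import android.webkit.WebView
import com.example.app.BuildConfig // placeholder package; use the module's own BuildConfig

// Added example (not the rule's own code): decide once, at process start,
// whether WebView remote debugging may be turned on.
class MyApplication : Application() {

    override fun onCreate() {
        super.onCreate()
        // The default for WebView debugging is already off, so the only
        // call that can ever enable it is the one guarded here.
        if (isDebuggableBuild()) {
            WebView.setWebContentsDebuggingEnabled(true)
        }
    }

    // Two independent signals must agree before debugging is enabled:
    //  - BuildConfig.DEBUG is a compile-time constant; in a release build it is
    //    false, so R8/ProGuard removes the enabling branch entirely.
    //  - FLAG_DEBUGGABLE reflects android:debuggable in the installed APK's
    //    manifest, which guards against a misconfigured custom build type.
    private fun isDebuggableBuild(): Boolean {
        val manifestDebuggable =
            (applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        return BuildConfig.DEBUG && manifestDebuggable
    }
}
```

With this in place, a code review or a SAST rule like this one only needs to confirm that WebView.setWebContentsDebuggingEnabled(true) appears nowhere except inside the guarded branch; any unconditional call in an Activity is the finding described above.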
References
- CWE-489: Active Debug Code.