CodeQL documentation

Android Webview debugging enabled

ID: java/android/webview-debugging-enabled
Kind: path-problem
Security severity: 7.2
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-489
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls


The WebView.setWebContentsDebuggingEnabled method enables or disables debugging of the contents of any WebView in the application.

You should only enable debugging features during development and disable them when you create a production build. Enabling debugging features can make your application vulnerable by adding entry points or leaking sensitive information.

Recommendation

Ensure that debugging features are not enabled in production builds, such as by guarding calls to WebView.setWebContentsDebuggingEnabled(true) by a flag that is only enabled in debug builds.

Example

In the first (BAD) example, WebView debugging is always enabled, whereas the GOOD case only enables it if the android:debuggable attribute is set to true.

// BAD - debugging is always enabled
WebView.setWebContentsDebuggingEnabled(true);

// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.
if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
    WebView.setWebContentsDebuggingEnabled(true);
}
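The following is an added example, not code from the CodeQL documentation, showing the GOOD pattern placed in an Application subclass so the decision is made once at process start. ExampleApplication is a hypothetical class name that would have to be registered with android:name in the manifest; the guard checks the same FLAG_DEBUGGABLE bit as above and additionally skips the call on platforms older than API 19, where setWebContentsDebuggingEnabled does not exist.

```java
import android.app.Application;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.webkit.WebView;

// Added example (not part of the CodeQL documentation): an Application
// subclass that decides once, at process start, whether WebView contents
// may be debugged. The class name is hypothetical.
public class ExampleApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        configureWebViewDebugging(this);
    }

    // True only when the running build is marked debuggable in its manifest
    // (android:debuggable="true"); release builds should never set this.
    static boolean isDebuggableBuild(Context context) {
        ApplicationInfo info = context.getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Enables remote debugging of WebView contents only for debuggable builds.
    // WebView.setWebContentsDebuggingEnabled was added in API 19 (KITKAT),
    // so the call is also guarded by the platform version.
    static void configureWebViewDebugging(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
            return; // the API does not exist on older platforms
        }
        boolean enable = isDebuggableBuild(context);
        // Passing the computed value (rather than calling with true inside an
        // if) makes the release-build outcome explicit: debugging stays off.
        WebView.setWebContentsDebuggingEnabled(enable);
    }
}
```

Because the flag is derived from the installed package's ApplicationInfo rather than a hard-coded constant, a release build (android:debuggable="false", the default for release) never reaches the enabled state even if the code path is left in place.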
