Dart Inappwebview Unsafe File Access
Description
Detects an insecure file access configuration in Flutter InAppWebView: an InAppWebViewSettings instance that enables file URL access settings such as allowFileAccessFromFileURLs (or its companion allowUniversalAccessFromFileURLs). With these enabled, web content loaded from a file:// URL can read other local files on the device (and, with universal access, reach any origin), so a single injected or tampered script in locally rendered content can exfiltrate sensitive data.
Detection Strategy
• Checks if the flutter_inappwebview package is imported in Dart code
• Scans for InAppWebViewSettings constructor calls or method invocations
• Examines arguments passed to InAppWebViewSettings to identify file access related parameters
• Reports vulnerability when unsafe file URL access settings are detected as enabled (true values) in the configuration
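The four detection steps above, implemented as an added example that is not part of the original page or of Fluid Attacks' scanner: a small Python checker that applies the rule to Dart source text. The Dart samples it scans are constructed for the example; allowFileAccessFromFileURLs is the setting shown on this page, while allowUniversalAccessFromFileURLs is assumed here as its companion flutter_inappwebview setting and is not named in the original rule text.

```python
import re
from dataclasses import dataclass

# Constructor the rule inspects, and the file-URL settings it treats as unsafe when true.
# allowFileAccessFromFileURLs is the setting shown on this page; allowUniversalAccessFromFileURLs
# is assumed here as its companion flutter_inappwebview setting (not named in the original rule).
SETTINGS_CTOR = "InAppWebViewSettings"
UNSAFE_FILE_URL_SETTINGS = ("allowFileAccessFromFileURLs", "allowUniversalAccessFromFileURLs")

# Step 1: the file must import flutter_inappwebview; otherwise the constructor name is unrelated.
IMPORT_RE = re.compile(r"""^\s*import\s+['"]package:flutter_inappwebview/""", re.MULTILINE)
# Step 3: a named argument `setting: true|false` inside the constructor's argument list.
ARG_RE = re.compile(r"\b(" + "|".join(UNSAFE_FILE_URL_SETTINGS) + r")\s*:\s*(true|false)\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line where the InAppWebViewSettings( call starts
    setting: str   # file-URL setting found enabled


def _settings_calls(source: str):
    """Step 2: yield (call_start, args_start, args_end) offsets for each InAppWebViewSettings(...)
    call, matching parentheses so nested calls in the argument list do not cut the list short.
    Limitation: parentheses inside string literals or comments are not special-cased."""
    for m in re.finditer(r"\b" + SETTINGS_CTOR + r"\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            if source[i] == "(":
                depth += 1
            elif source[i] == ")":
                depth -= 1
            i += 1
        if depth == 0:
            yield m.start(), m.end(), i - 1


def scan(source: str) -> list[Finding]:
    """Apply the rule to one Dart source file. Step 4: report each unsafe file-URL setting that is
    explicitly enabled (true) in an InAppWebViewSettings(...) call; false or absent is not reported."""
    if not IMPORT_RE.search(source):
        return []
    findings = []
    for call_start, args_start, args_end in _settings_calls(source):
        line = source.count("\n", 0, call_start) + 1
        for arg in ARG_RE.finditer(source, args_start, args_end):
            if arg.group(2) == "true":
                findings.append(Finding(line, arg.group(1)))
    return findings


# Constructed Dart samples (not real project code) exercising the three outcomes.
VULNERABLE_DART = """import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void vulnerableWebView() {
  final settings = InAppWebViewSettings(
    javaScriptEnabled: true,
    allowFileAccessFromFileURLs: true,
    allowUniversalAccessFromFileURLs: true,
  );
}
"""

SECURE_DART = """import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void secureWebView() {
  final settings = InAppWebViewSettings(
    allowFileAccessFromFileURLs: false,
    allowUniversalAccessFromFileURLs: false,
  );
}
"""

# Same constructor name imported from a hypothetical unrelated package: step 1 rules it out.
UNRELATED_DART = VULNERABLE_DART.replace(
    "package:flutter_inappwebview/flutter_inappwebview.dart",
    "package:some_other_webview/some_other_webview.dart",
)

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_DART), ("secure", SECURE_DART), ("unrelated", UNRELATED_DART)):
        print(name, scan(src))
```

The checker is text-based rather than a Dart parser, so it reports only the literal `true` the rule describes; a setting enabled through a variable or a later assignment would need the AST-level analysis a production scanner performs.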
Vulnerable code example
import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void vulnerableWebView() {
  // VULNERABLE: content loaded from a file:// URL may read other local files
  final settings = InAppWebViewSettings(
    allowFileAccessFromFileURLs: true,
  );
}

✅ Secure code example
import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void secureWebView() {
  // SAFE: explicitly disabled so file:// content cannot read other local files
  final settings = InAppWebViewSettings(
    allowFileAccessFromFileURLs: false,
  );
}