Java Webview Debugging Enabled
Description
Identifies when Android WebView debugging is enabled through setWebContentsDebuggingEnabled(true), which can expose sensitive information and allow attackers to inspect/manipulate web content in production apps. This debugging feature should only be enabled during development.
Detection Strategy
• Check if android.webkit.WebView is imported in the source code
• Look for calls to setWebContentsDebuggingEnabled method
• Verify if the method is called with a true/enabled value as argument
• Report vulnerability if debugging is enabled through a constant true value or expression that evaluates to true
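The four steps above, implemented as a small source scanner. This is an added example, not Fluid Attacks' own rule engine; the Java snippets it runs over are constructed for the demonstration. It goes slightly beyond step 1 by treating a fully qualified `android.webkit.WebView.setWebContentsDebuggingEnabled(...)` call as a reference to the class, and for step 4 it resolves literals, same-file `boolean` constants and `||`/`&&` expressions, reporting only when the argument is statically known to be true (so a `BuildConfig.DEBUG` gate is not reported, because its value is only known per build type):

```python
import re
from dataclasses import dataclass

# Step 1: the file must reference android.webkit.WebView, through an import
# or (an extension of the page's wording) a fully qualified call.
WEBVIEW_REF = re.compile(r"\bandroid\.webkit\.WebView\b")
# Step 2: calls to the method; the argument is captured for evaluation.
# Assumption: the argument contains no nested parentheses.
DEBUG_CALL = re.compile(r"setWebContentsDebuggingEnabled\s*\(\s*([^)]*?)\s*\)")
# Boolean constants declared in the same file, used to resolve identifiers.
BOOL_CONST = re.compile(r"\bboolean\s+(\w+)\s*=\s*(true|false)\s*;")


@dataclass
class Finding:
    line: int       # 1-based line of the offending call
    argument: str   # the argument expression as written


def evaluate(expr, constants):
    """Steps 3-4: statically evaluate a boolean expression.

    Returns True/False when the value is known, None when it depends on
    something only known at run time (BuildConfig.DEBUG, a parameter, ...).
    Only literals, same-file constants, || and && are handled.
    """
    expr = expr.strip()
    if "||" in expr:  # lowest precedence, so split on it first
        parts = [evaluate(p, constants) for p in expr.split("||")]
        if any(p is True for p in parts):
            return True
        return False if all(p is False for p in parts) else None
    if "&&" in expr:
        parts = [evaluate(p, constants) for p in expr.split("&&")]
        if all(p is True for p in parts):
            return True
        return False if any(p is False for p in parts) else None
    if expr == "true":
        return True
    if expr == "false":
        return False
    return constants.get(expr)  # None for anything we cannot resolve


def find_webview_debugging(java_source):
    """Return a Finding for every call statically known to pass true."""
    if not WEBVIEW_REF.search(java_source):
        return []
    constants = {name: value == "true"
                 for name, value in BOOL_CONST.findall(java_source)}
    findings = []
    for m in DEBUG_CALL.finditer(java_source):
        if evaluate(m.group(1), constants) is True:
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, m.group(1).strip()))
    return findings


# Constructed sample inputs (not taken from any real application).
VULNERABLE_LITERAL = """\
import android.webkit.WebView;
public class VulnerableWebView {
    public void setupWebView() {
        WebView.setWebContentsDebuggingEnabled(true);
    }
}
"""
VULNERABLE_CONSTANT = """\
import android.webkit.WebView;
public class ConstantGated {
    static final boolean DEBUG_WEBVIEW = true;
    public void setupWebView(boolean userFlag) {
        WebView.setWebContentsDebuggingEnabled(DEBUG_WEBVIEW || userFlag);
    }
}
"""
SAFE_BUILD_TYPE = """\
import android.webkit.WebView;
public class BuildTypeGated {
    public void setupWebView() {
        WebView.setWebContentsDebuggingEnabled(BuildConfig.DEBUG);
    }
}
"""
SAFE_FALSE = """\
import android.webkit.WebView;
public class SecureWebView {
    public void setupWebView() {
        WebView.setWebContentsDebuggingEnabled(false);
    }
}
"""
FULLY_QUALIFIED = """\
public class FullyQualified {
    public void setupWebView() {
        android.webkit.WebView.setWebContentsDebuggingEnabled(true);
    }
}
"""

if __name__ == "__main__":
    samples = {"literal": VULNERABLE_LITERAL, "constant": VULNERABLE_CONSTANT,
               "build-type": SAFE_BUILD_TYPE, "false": SAFE_FALSE,
               "fully-qualified": FULLY_QUALIFIED}
    for name, src in samples.items():
        print(name, find_webview_debugging(src))
```

The scanner is deliberately conservative: an argument it cannot evaluate is not reported, which keeps the rule free of false positives on build-type gating at the cost of missing values that only become true at run time (a flag read from a config file, for instance). Reviewing those manually is the trade-off a rule of this shape makes.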
Vulnerable code example
```java
import android.webkit.WebView;

public class VulnerableWebView {
    public void setupWebView() {
        // Vulnerable: enables remote debugging of WebView contents in every build
        WebView.setWebContentsDebuggingEnabled(true);
    }
}
```

✅ Secure code example
```java
import android.webkit.WebView;
import android.os.Build;

public class SecureWebView {
    public void setupWebView() {
        // setWebContentsDebuggingEnabled exists from API level 19 (KITKAT) onward
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
            // Safe: prevents remote debugging of WebView contents
            WebView.setWebContentsDebuggingEnabled(false);
        }
    }
}
```