Swift Webview File Access Enabled
Description
Detects insecure WebKit configuration in Swift applications that enables unrestricted local file access in WebViews. This could allow malicious web content loaded in the WebView to access sensitive files on the device's filesystem, potentially leading to information disclosure or data theft.
Detection Strategy
• Check for WebKit framework imports in the Swift code
• Locate setValue method calls on WebView configuration objects
• Verify if the setValue call is configuring file access permissions
• Confirm the configuration explicitly allows local file access through parameter values
• Report vulnerability when WebView is configured to allow unrestricted local file system access
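A minimal implementation of the five steps above, added here as an illustration and not part of Fluid Attacks' own scanner: it requires a WebKit import, then flags every setValue(true, forKey:) call whose key is the file-access key named on this page. The two Swift inputs are constructed to mirror the examples below; the set of keys and the regular expression are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Keys that, when set to true through key-value coding, enable local file
# access in a WKWebView. Only the key this rule describes is listed.
FILE_ACCESS_KEYS = {"allowFileAccessFromFileURLs"}

# Matches e.g.  prefs.setValue(true, forKey: "allowFileAccessFromFileURLs")
SETVALUE_RE = re.compile(
    r'(?P<receiver>\w+)\.setValue\(\s*(?P<value>true|false)\s*,'
    r'\s*forKey:\s*"(?P<key>[^"]+)"\s*\)'
)


@dataclass(frozen=True)
class Finding:
    line: int
    receiver: str
    key: str


def find_file_access_enabled(swift_source: str) -> list[Finding]:
    """Return one Finding per setValue call that enables local file access."""
    lines = swift_source.splitlines()
    # Step 1: without WebKit there is no WKPreferences object to misconfigure.
    if not any(re.match(r"\s*import\s+WebKit\b", line) for line in lines):
        return []
    findings = []
    for number, line in enumerate(lines, start=1):
        if line.lstrip().startswith("//"):  # ignore commented-out code
            continue
        match = SETVALUE_RE.search(line)  # step 2: locate setValue calls
        if not match:
            continue
        # Steps 3-4: the key must govern file access and the value must be true.
        if match.group("key") in FILE_ACCESS_KEYS and match.group("value") == "true":
            findings.append(Finding(number, match.group("receiver"), match.group("key")))
    return findings  # step 5: each Finding is one reportable vulnerability


# Constructed sample inputs mirroring the page's vulnerable and secure examples.
VULNERABLE_SAMPLE = """import WebKit
func configureWebView() {
    let config = WKWebViewConfiguration()
    let prefs = WKPreferences()
    prefs.setValue(true, forKey: "allowFileAccessFromFileURLs")
    config.preferences = prefs
}
"""
SECURE_SAMPLE = VULNERABLE_SAMPLE.replace("setValue(true,", "setValue(false,")

if __name__ == "__main__":
    for name, source in (("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE)):
        for f in find_file_access_enabled(source):
            print(f'{name}: line {f.line}: {f.receiver}.setValue(true, forKey: "{f.key}")')
```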
Vulnerable code example
import WebKit

func configureWebView() -> WKWebView {
    let config = WKWebViewConfiguration()
    let prefs = WKPreferences()
    // VULNERABILITY: Enables arbitrary file access from file:// URLs, allowing potential data exfiltration.
    // The key is undocumented and is set through key-value coding rather than a typed property.
    prefs.setValue(true, forKey: "allowFileAccessFromFileURLs")
    config.preferences = prefs
    return WKWebView(frame: .zero, configuration: config)
}

Secure code example
import WebKit

func configureWebView() -> WKWebView {
    let config = WKWebViewConfiguration()
    let prefs = WKPreferences()
    // SAFE: Disables file access from file:// URLs to prevent data exfiltration
    prefs.setValue(false, forKey: "allowFileAccessFromFileURLs")
    config.preferences = prefs
    return WKWebView(frame: .zero, configuration: config)
}