CodeQL documentation

Android Webview debugging enabled

ID: java/android/webview-debugging-enabled
Kind: path-problem
Security severity: 7.2
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-489
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

The WebView.setWebContentsDebuggingEnabled method enables or disables debugging of the contents of any WebView in the application.

You should only enable debugging features during development and disable them when you create a production build. Leaving debugging features enabled in a production build can make your application vulnerable by adding entry points or leaking sensitive information.

Recommendation

Ensure that debugging features are not enabled in production builds, such as by guarding calls to WebView.setWebContentsDebuggingEnabled(true) by a flag that is only enabled in debug builds.

Example

In the first (BAD) example, WebView debugging is always enabled, whereas the GOOD example only enables it if the android:debuggable attribute is set to true.

// BAD - debugging is always enabled
WebView.setWebContentsDebuggingEnabled(true);

// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.
if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
    WebView.setWebContentsDebuggingEnabled(true);
}
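The following is an added example, not code from the CodeQL query or its documentation, that shows the recommended guard in a complete Application subclass. The class name MyApplication and the helper isDebuggable are assumptions for illustration; the flag check itself is the same one used in the GOOD case above. FLAG_DEBUGGABLE mirrors the android:debuggable manifest attribute, which the Android Gradle plugin sets to true for debug build types and false for release build types, so the call below is only reached in debug builds.

```java
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

// Assumed application class; register it in AndroidManifest.xml via android:name.
public class MyApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();

        // Only expose WebView contents to remote debugging (e.g. chrome://inspect)
        // when the APK is flagged as debuggable. In a release build the flag is
        // clear, so debugging stays disabled and the query does not fire.
        if (isDebuggable()) {
            WebView.setWebContentsDebuggingEnabled(true);
        }
    }

    // Assumed helper: true when android:debuggable="true" in the manifest,
    // which is the default for debug build types and off for release builds.
    private boolean isDebuggable() {
        return (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
}
```

Checking the runtime flag rather than hard-coding true means a release APK built from the same source ships with WebView debugging off. Because the flag is read from the installed package, you can confirm the behaviour on a device with `adb shell dumpsys package <package>` and looking for DEBUGGABLE in the application flags of the build under test.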

References

  • © GitHub, Inc.