CodeQL documentation

Android Webview debugging enabled

ID: java/android/webview-debugging-enabled
Kind: path-problem
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-489
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls


The WebView.setWebContentsDebuggingEnabled method enables or disables debugging of the contents of any WebView in the application.

You should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.


Ensure that debugging features are not enabled in production builds, such as by guarding calls to WebView.setWebContentsDebuggingEnabled(true) by a flag that is only enabled in debug builds.


In the first (BAD) example, WebView debugging is always enabled, whereas the GOOD example only enables it if the android:debuggable attribute is set to true.

```java
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

// Both snippets run inside an Activity or other Context subclass.

// BAD - debugging is always enabled
WebView.setWebContentsDebuggingEnabled(true);

// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.
if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
    WebView.setWebContentsDebuggingEnabled(true);
}
```
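As an added illustration, not the query in the CodeQL repository, the following simplified CodeQL query matches direct calls to setWebContentsDebuggingEnabled that pass the literal true. The shipped query is a data-flow path-problem; this sketch does no flow tracking and does not model the debuggable-flag guard, so it would also flag the guarded GOOD call above. The query id is an illustrative placeholder.

```ql
/**
 * @name WebView debugging enabled with a constant true (simplified sketch)
 * @description Illustrative only: matches the literal argument, no data flow,
 *              and does not recognise debug-build guards.
 * @kind problem
 * @problem.severity warning
 * @id java/example/webview-debugging-literal-true
 */
import java

from MethodAccess call
where
  // Call to android.webkit.WebView.setWebContentsDebuggingEnabled(...)
  call.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
  // ... whose first argument is the boolean literal `true`
  call.getArgument(0).(BooleanLiteral).getBooleanValue() = true
select call, "WebView debugging is enabled with a constant 'true' argument."
```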

