PTKD Mobile App Security
low | M8 | MASVS-RESILIENCE-4 | static analysis | PTKD-WEBVIEW-DEBUG

WebView remote debugging enabled

The app references setWebContentsDebuggingEnabled; if it is enabled in production, WebView contents are exposed to anyone with ADB/DevTools access.

How it's exploited

setWebContentsDebuggingEnabled(true) in production lets anyone with ADB access attach Chrome DevTools to your WebViews, read the DOM, cookies and localStorage, and inject script into live sessions.

Why it matters

Session material and in-page data are one USB cable away on any device.

How to fix it

  1. Gate it on BuildConfig.DEBUG so release builds never enable WebView debugging.
     Debug builds only:

         if (BuildConfig.DEBUG) WebView.setWebContentsDebuggingEnabled(true)
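To keep the gate from regressing, a source check can run in CI. The following is an added example, not PTKD's own detection logic: a line-based heuristic in Python that reports setWebContentsDebuggingEnabled(true) calls not covered by an if (BuildConfig.DEBUG ...) guard. The function name find_ungated_calls and the Kotlin sample are constructed for illustration.

```python
import re

CALL = re.compile(r"setWebContentsDebuggingEnabled\s*\(\s*true\s*\)")
# Matches `if (BuildConfig.DEBUG)` and `if (BuildConfig.DEBUG && ...`;
# deliberately not `!BuildConfig.DEBUG` or `BuildConfig.DEBUG || ...`.
GUARD = re.compile(r"\bif\s*\(\s*BuildConfig\.DEBUG\s*(?:\)|&&)")

def find_ungated_calls(source: str) -> list[int]:
    """Return 1-based line numbers of ungated debugging-enable calls."""
    findings = []
    blocks = []            # one bool per open '{': opened by a guard?
    pending_guard = False  # brace-less guard waiting for its statement
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0].strip()  # drop line comments
        if not line:
            continue
        guard = GUARD.search(line)
        call = CALL.search(line)
        if call:
            same_line = guard is not None and guard.start() < call.start()
            if not (same_line or pending_guard or any(blocks)):
                findings.append(lineno)
        for ch in line:
            if ch == "{":
                blocks.append(guard is not None or pending_guard)
            elif ch == "}" and blocks:
                blocks.pop()
        pending_guard = guard is not None and "{" not in line and not call
    return findings

# Constructed sample source (not from a real app).
SAMPLE = """\
class MainActivity : AppCompatActivity() {
    override fun onCreate(state: Bundle?) {
        super.onCreate(state)
        if (BuildConfig.DEBUG) WebView.setWebContentsDebuggingEnabled(true)
        if (BuildConfig.DEBUG) {
            WebView.setWebContentsDebuggingEnabled(true)
        } else {
            WebView.setWebContentsDebuggingEnabled(true)
        }
        // WebView.setWebContentsDebuggingEnabled(true)
        if (!BuildConfig.DEBUG) WebView.setWebContentsDebuggingEnabled(true)
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
"""

if __name__ == "__main__":
    print("ungated calls on lines:", find_ungated_calls(SAMPLE))
```

The check ignores block comments and string literals, so treat a finding as a prompt for manual review rather than a verdict.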