setAllowUniversalAccessFromFileURLs / setAllowFileAccessFromFileURLs let remote pages read local files via file:// URLs.
How it's exploited
setAllowFileAccessFromFileURLs lets a file:// page read other local files via XHR. One injected HTML file (downloads, cache) can exfiltrate cookies databases and private files through the WebView.
Why it matters
Local-file boundary inside the app breaks; web content reads app-private storage.
How to fix it
Set setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false) (default on modern APIs; check legacy code).
Serve packaged content via WebViewAssetLoader over https:// app assets instead of file:// URLs.