Skip to content

MASTG-TEST-0227: Debugging Enabled for WebViews

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

The WebView.setWebContentsDebuggingEnabled(true) API enables debugging for all WebViews in the application. This feature can be useful during development, but introduces significant security risks if left enabled in production. When enabled, a connected PC can debug, eavesdrop, or modify communication within any WebView in the application. See the "Android Documentation" for more details.

Note that this flag works independently of the debuggable attribute in the AndroidManifest.xml (see Debuggable Flag Enabled in the AndroidManifest). Even if the app is not marked as debuggable, the WebViews can still be debugged by calling this API.

Steps

  1. Run Static Analysis on Android with a tool such as semgrep on the app binary and look for uses of:
    • WebView.setWebContentsDebuggingEnabled being set to true.
    • ApplicationInfo.FLAG_DEBUGGABLE.

Observation

The output should list:

  • All locations where WebView.setWebContentsDebuggingEnabled is called with true at runtime.
  • Any references to ApplicationInfo.FLAG_DEBUGGABLE.

Evaluation

The test case fails if WebView.setWebContentsDebuggingEnabled(true) is called unconditionally or in contexts where the ApplicationInfo.FLAG_DEBUGGABLE flag is not checked.

Mitigations