AppLovin / AppLovin-MAX-SDK-Android

Debug mode is enabled for WebViews #569

Closed kreativityapps closed 8 months ago

kreativityapps commented 8 months ago

MAX SDK Version

11.11.2

Device/Platform Info

Android

Current Behavior

Static analysis found that:

Calling setWebContentsDebuggingEnabled(true) enables a global switch that allows an attached PC to eavesdrop on and modify all communication inside a WebView element. This can be used to modify the behavior of a WebView in an unintended way.

Note that not calling setWebContentsDebuggingEnabled(true) is necessary to prevent debugging, but is not sufficient. It might still be possible for an adversary to connect a debugger and use it to reverse-engineer or tamper with the app’s behaviour.

The issue is at:

com.applovin.impl.adview.d
Line 9 in com/applovin/impl/adview/SourceFile
com.applovin:applovin-sdk
setWebContentsDebuggingEnabled(true)

Can you please verify if this is the case and disable it for production if it's not necessary? This might also cause higher CPU and memory usage.

Expected Behavior

No response

How to Reproduce

Run an analysis from https://appsweep.guardsquare.com/ for example.

Additional Info

No response

thomasmso commented 8 months ago

Thanks for reporting this. The code path exists in our SDK, but it does not actually run.
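
An added example, not code from AppLovin, AppSweep or either commenter: a small audit script that lists every `setWebContentsDebuggingEnabled` call site in disassembled smali and classifies the argument as `true`, `false` or `unknown`. It assumes baksmali/apktool-style output; the class `Lcom/example/ads/AdWebView;` and the sample input are constructed. A hit shows only that the call site exists in the bytecode, not that it is reached at run time, which is the distinction made in the reply above.

```python
import re

# Constructed baksmali-style input for a hypothetical class (not from any real SDK).
SAMPLE_SMALI = """\
.class public Lcom/example/ads/AdWebView;
.method static constructor <clinit>()V
    const/4 v0, 0x1
    invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    return-void
.end method
.method public static applyFlag(Z)V
    invoke-static {p0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    return-void
.end method
.method public static disable()V
    const/4 v0, 0x0
    invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    return-void
.end method
"""

CALL = re.compile(r"invoke-static(?:/range)? \{(\w+)[^}]*\}, "
                  r"Landroid/webkit/WebView;->setWebContentsDebuggingEnabled\(Z\)V")
CONST = re.compile(r"const(?:/4|/16)? (\w+), (-?0x[0-9a-fA-F]+)")

def find_debug_calls(smali):
    """Return (class, method, arg) per call site; arg is 'true', 'false' or 'unknown'."""
    findings, cls, method, consts = [], None, None, {}
    for line in (raw.strip() for raw in smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method, consts = line.split()[-1], {}  # registers are per method
        elif m := CONST.match(line):
            consts[m.group(1)] = int(m.group(2), 16)
        elif m := CALL.match(line):
            value = consts.get(m.group(1))
            arg = "unknown" if value is None else ("true" if value else "false")
            findings.append((cls, method, arg))
        elif line.startswith(":"):
            consts.clear()  # label: another path may reach here with different values
        elif line and not line.startswith((".", "#")):
            for reg in line.replace(",", " ").split()[1:2]:
                consts.pop(reg, None)  # any other instruction may overwrite its first operand
    return findings

if __name__ == "__main__":
    for finding in find_debug_calls(SAMPLE_SMALI):
        print(finding)
```

An `unknown` result means the argument is computed at run time (for example from a build flag) and needs manual review.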