Testing for setWebContentsDebuggingEnabled() is Enabled

[kousha1999]

Platform: Android Description: I think it would be nice to add a testcase for checking that setWebContentsDebuggingEnabled() is enabled or not. Reference 1(blog.compass-security.com) Reference 2 (dev.to)

[TheDauntless]

Thanks for your suggestion!

Since setWebContentsDebuggingEnabled only does something if the app has been built with debugging="true" in the manifest, this would automatically be covered under 7.2:

MSTG-CODE-2 The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).

I don't immediately see the risk of having this method called in a PRD app.

[cpholguera]

Agree with @TheDauntless, let's close this issue then. Thanks @kousha1999

[andyacer]

Hi @cpholguera, sorry to dig up an old issue here. My team and I just hunted through the MASTG and MASVS for this issue (setWebContentsDebuggingEnabled) and were surprised it wasn't included. Were there other discussions around this besides what's shown in this thread? I believe the reasoning stated above by @TheDauntless is incorrect. The Chrome Developer website states the opposite - that WebView debugging is unaffected by the declaration of android:debuggable="true". Our own testing confirms this as well.

Based on this and our tests, I believe a production application can accidentally ship with WebView debugging enabled.

Screenshot is from: https://developer.chrome.com/docs/devtools/remote-debugging/webviews/

[TheDauntless]

Thanks for digging up this old issue! It appears that the feature is indeed not affected by debuggable, and iOS actually recently added an API that allows this in PRD as well (https://webkit.org/blog/13936/enabling-the-inspection-of-web-content-in-apps/) so we'll add atomic tests for these, which will probably be in L2.