Found setAllowFileAccess(true) or not set (enabled by default) in WebView. The attackers could inject malicious script into WebView and exploit the opportunity to access local resources.
REMEDIATION:
This vulnerability can be mitigated by disabling local file system access (which is enabled by default) by setting yourWebView.getSettings().setAllowFileAccess(false). This precaution disables the file system access only. Assets and resources are still accessible using URIs, like file:///android_asset and file:///android_res. The attackers can still use method yourWebView.loadUrl("file:///data/data/[your_package_name]/[file]"); to access app's local file.
Vulnerable Code:
Found
setAllowFileAccess(true)or not set (enabled by default) in WebView. The attackers could inject malicious script into WebView and exploit the opportunity to access local resources. REMEDIATION: This vulnerability can be mitigated by disabling local file system access (which is enabled by default) by settingyourWebView.getSettings().setAllowFileAccess(false). This precaution disables the file system access only. Assets and resources are still accessible using URIs, likefile:///android_assetandfile:///android_res. The attackers can still use methodyourWebView.loadUrl("file:///data/data/[your_package_name]/[file]");to access app's local file. Vulnerable Code: