NowSecure static analysis: Allowing Debuggable Webviews Allows Unintended Access to Device Data

[edwindwalker]

Finding Description

The app is allowing debuggable webviews. If an attacker gained access to an unlocked device, they can use those webviews to access data on the device. That data can even be inside the app's private data folder which is normally protected from outside interference. Any secrets contained within the directory are completely compromised.

Steps to Reproduce

This test looks in the application code for instances where setWebContentsDebuggingEnabled has been set to true.

Business Impact

The app is allowing certain webpages to have access to device data that they really should not be able to access. If someone gets accessed to the unlocked device they would be able to see and modify significant amounts of potentially sensitive data on the device, bypassing normal protections.

Remediation Resources

In a production build of an application, setWebContentsDebuggingEnabled should not be set to true. The evidence table lists the places where this has occurred inside the app's decompiled binary.

Risk and Regulatory Information

Severity: high CVSS: 7.1

• CWE: 200
• ioXt: SI111
• FISMA MED: SC-28 PROTECTION OF INFORMATION AT REST, SI-10 INFORMATION INPUT VALIDATION
• Risk OWASP: Mobile Top 10: M7-Client Code Quality, MASVS 6.5, MASVS v2.0 6.3
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Im.I.6
• PCI: May violate requirement 3.1 through 3.4
• HIPAA: May violate §164.312(a)(1): Standard: Access control.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2021 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: android
• Package: com.accuweather.android

See more detail in the NowSecure Report