The app is allowing debuggable webviews. If an attacker gained access to an unlocked device, they can use those webviews to access data on the device. That data can even be inside the app's private data folder which is normally protected from outside interference. Any secrets contained within the directory are completely compromised.
Steps to Reproduce
This test looks in the application code for instances where setWebContentsDebuggingEnabled has been set to true.
Business Impact
The app is allowing certain webpages to have access to device data that they really should not be able to access. If someone gets accessed to the unlocked device they would be able to see and modify significant amounts of potentially sensitive data on the device, bypassing normal protections.
Remediation Resources
In a production build of an application, setWebContentsDebuggingEnabled should not be set to true. The evidence evidence table lists the places where this has occurred inside the app's decompiled binary.
Finding Description
The app is allowing debuggable webviews. If an attacker gained access to an unlocked device, they can use those webviews to access data on the device. That data can even be inside the app's private data folder which is normally protected from outside interference. Any secrets contained within the directory are completely compromised.
Steps to Reproduce
This test looks in the application code for instances where
setWebContentsDebuggingEnabled
has been set totrue
.Business Impact
The app is allowing certain webpages to have access to device data that they really should not be able to access. If someone gets accessed to the unlocked device they would be able to see and modify significant amounts of potentially sensitive data on the device, bypassing normal protections.
Remediation Resources
In a production build of an application,
setWebContentsDebuggingEnabled
should not be set totrue
. The evidence evidence table lists the places where this has occurred inside the app's decompiled binary.Risk and Regulatory Information
Severity: high CVSS: 7.1
Application
See more detail in the NowSecure Report