Security Issue: Debuggable WebViews Allow Malicious Apps to Access Sensitive Data

[GangChenGoCode]

The problem

• AFFECTED CODE com.plaid.link.Plaid$maybeSetWebviewDebugging$2

The following vulnerable source code was identified:

public final Object invokeSuspend(Object p2)
{
    kotlin.coroutines.intrinsics.IntrinsicsKt__IntrinsicsKt.getCOROUTINE_SUSPENDED();
    if (this.label != 0) {
        throw new IllegalStateException(call to 'resume' before 'invoke' with coroutine);
    } else {
        kotlin.ResultKt.throwOnFailure(p2);
        android.webkit.WebView.setWebContentsDebuggingEnabled(1);
        return kotlin.Unit.INSTANCE;
    }
}

• DESCRIPTION An App can enable debugging of web contents (HTML/CSS/JavaScript) by explicitly setting setWebContentsDebuggingEnabled to true. This flag is enabled in order to facilitate debugging of web layouts and JavaScript code running inside WebViews. However, when a WebView enables this setting any malicious App on the device can access data rendered in a WebView. WebViews on Android use the Chrome DevTools Protocol, which exposes the content on WebViews through Unix domain sockets. Any App on the device can connect to this socket and retrieve the contents in a WebView.

Environment

Android OS Version	above KitKat
Android Devices/Emulators	all

Steps to Reproduce

Static Code Scanning

Expected Result

• RECOMMENDATION The ability to debug WebView content is a useful feature to have during the development stages of the App. However, this setting must be turned off in production. By default, setWebContentsDebuggingEnabled is set to false, to explicitly set it to true only in debug builds refer to the secure code below.

• SECURE CODE //Enable WebView debugging only when debuggable is true at runtime. if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) { WebView.setWebContentsDebuggingEnabled(true); } }

Screenshots

REGULATORY COMPLIANCE

This issue may be out of compliance with the following laws, policies, and standards:

OWASP Mobile Security M1 - Improper Platform Usage

OWASP ASVS: Application Security Verification Standard Configurations for production should be hardened to protect against common attacks, such as debug consoles, raise the bar for Cross-site Scripting (XSS) and Remote File Inclusion (RFI) attacks, and to eliminate trivial information discovery "vulnerabilities" that are the unwelcome hallmark of many penetration testing reports. (OWASP_ASVS_V_14_3)

[GangChenGoCode]

Appreciated any follow-ups here @zsweigart

[snehas13]

Request you to resolve this issue at the earliest.

[techouse]

Has this been addressed?

[melissaosullivan]

Hi, I think this actually is not a concern. I can see how it is confusing because there is a method called maybeSetWebviewDebugging which takes a parameter, but the parameter taken is not a boolean but the context. The method is:

  private suspend fun maybeSetWebviewDebugging(context: Context) {
    if (0 != context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) {
      withContext(Dispatchers.Main) {
        WebView.setWebContentsDebuggingEnabled(true)
      }
    }
  }

So this is following the guidelines for explicitly setting only WebViews in debug builds to debuggable. Additionally we are removing the parameter in the next release so this will no longer be a source of confusion. Thanks!

[GangChenGoCode]

thanks @melissaosullivan