Closed GangChenGoCode closed 6 months ago
Appreciated any follow-ups here @zsweigart
Request you to resolve this issue at the earliest.
Has this been addressed?
Hi, I think this actually is not a concern. I can see how it is confusing because there is a method called maybeSetWebviewDebugging
which takes a parameter, but the parameter taken is not a boolean but the context. The method is:
private suspend fun maybeSetWebviewDebugging(context: Context) {
    // Only enable WebView remote debugging when the installed app is itself debuggable
    if (0 != context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) {
        withContext(Dispatchers.Main) {
            WebView.setWebContentsDebuggingEnabled(true)
        }
    }
}
So this is following the guidelines for explicitly setting only WebViews in debug builds to debuggable. Additionally, we are removing the parameter in the next release, so this will no longer be a source of confusion. Thanks!
thanks @melissaosullivan
The problem
The following vulnerable source code was identified:
Environment
Steps to Reproduce
Static Code Scanning
Expected Result
RECOMMENDATION
The ability to debug WebView content is a useful feature to have during the development stages of the App. However, this setting must be turned off in production. By default, setWebContentsDebuggingEnabled is set to false; to explicitly set it to true only in debug builds, refer to the secure code below.
SECURE CODE
// Enable WebView debugging only when the app is debuggable at runtime.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
        WebView.setWebContentsDebuggingEnabled(true);
    }
}
Screenshots
REGULATORY COMPLIANCE
This issue may be out of compliance with the following laws, policies, and standards:
OWASP Mobile Security M1 - Improper Platform Usage
OWASP ASVS: Application Security Verification Standard Configurations for production should be hardened to protect against common attacks, such as debug consoles, raise the bar for Cross-site Scripting (XSS) and Remote File Inclusion (RFI) attacks, and to eliminate trivial information discovery "vulnerabilities" that are the unwelcome hallmark of many penetration testing reports. (OWASP_ASVS_V_14_3)
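The thread above is a static-scanning false positive: the call is guarded by a FLAG_DEBUGGABLE check, but a scanner that only matches the call name flags it anyway. The following added example (not code from the project or the reporter) is a small heuristic check that distinguishes an unconditional setWebContentsDebuggingEnabled(true) from one wrapped in a debug-build guard; the guard spellings, the brace-based block tracking and the sample inputs are assumptions.

```python
import re

# Debug-build guards accepted (assumption: these spellings cover the code base).
GUARD_PATTERNS = (
    re.compile(r"\bFLAG_DEBUGGABLE\b"),
    re.compile(r"\bBuildConfig\.DEBUG\b"),
)
CALL_PATTERN = re.compile(r"setWebContentsDebuggingEnabled\s*\(\s*true\s*\)")


def find_unguarded_webview_debugging(source: str) -> list:
    """Return 1-based line numbers of setWebContentsDebuggingEnabled(true)
    calls that neither their own line nor an enclosing '{' block guards with
    a debug-build check. Textual heuristic: it does not analyse polarity."""
    findings = []
    block_stack = []  # text that opened each open '{' block (string literals with braces confuse it)
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0]  # ignore trailing line comments
        if CALL_PATTERN.search(line):
            context = block_stack + [line]
            if not any(p.search(t) for t in context for p in GUARD_PATTERNS):
                findings.append(lineno)
        for idx, ch in enumerate(line):  # update nesting after the check
            if ch == "{":
                block_stack.append(line[:idx])
            elif ch == "}" and block_stack:
                block_stack.pop()
    return findings


# Constructed samples: an unconditional call a scanner should flag, and the
# guarded Kotlin shape from the thread, which it should accept.
UNGUARDED_SAMPLE = """fun setup() {
    WebView.setWebContentsDebuggingEnabled(true)  // always on
}
"""

GUARDED_SAMPLE = """private suspend fun maybeSetWebviewDebugging(context: Context) {
    if (0 != context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) {
        withContext(Dispatchers.Main) {
            WebView.setWebContentsDebuggingEnabled(true)
        }
    }
}
"""

if __name__ == "__main__":
    print(find_unguarded_webview_debugging(UNGUARDED_SAMPLE))  # [2]
    print(find_unguarded_webview_debugging(GUARDED_SAMPLE))  # []
```

The check also accepts the one-line Java form from the recommendation above, since the guard and the call share a line; a negated guard would still pass, so review confirms the condition's direction.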