Webview Remote Debugging Enabled

Description

WebView exposes remote debugging through the setWebContentsDebuggingEnabled API, which was introduced in API level 19.

WebView debugging uses the Chrome Debug Protocol and is exposed over an abstract Unix socket. The socket is named either webview_devtools_remote or webview_devtools_remote_<pid>.

To confirm that the socket is exposed on your device, you may use the netstat -untapexW command and search for your target application or for the @ sign, which denotes abstract sockets.
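The same check can be scripted for a device audit. The following is an added example, not part of the original page: it parses /proc/net/unix content (an assumed data source, for instance saved from an adb shell session, instead of the netstat output above) and reports abstract sockets that match the two names given earlier. The function name and the sample lines are constructed for illustration.

```python
import re

# Constructed sample of /proc/net/unix content (not captured from a real device).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20411 @webview_devtools_remote_3483
0000000000000000: 00000002 00000000 00010000 0001 01 18230 /dev/socket/zygote
0000000000000000: 00000003 00000000 00000000 0001 03 20977
0000000000000000: 00000002 00000000 00010000 0001 01 21502 @webview_devtools_remote
0000000000000000: 00000002 00000000 00010000 0001 01 19004 @jdwp-control
"""

# Abstract sockets are printed with a leading "@"; the optional suffix is the pid.
SOCKET_NAME = re.compile(r"^@(webview_devtools_remote(?:_(\d+))?)$")
SO_ACCEPTCON = 0x00010000  # flag the kernel reports for listening unix sockets


def find_webview_debug_sockets(proc_net_unix):
    """Return one finding per exposed WebView devtools socket."""
    findings = []
    for line in proc_net_unix.splitlines():
        fields = line.split(None, 7)
        # Skip the header and unnamed sockets (no Path column).
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        flags, inode, path = fields[3], fields[6], fields[7].strip()
        match = SOCKET_NAME.match(path)
        if not match:
            continue
        findings.append({
            "socket": match.group(1),
            "pid": int(match.group(2)) if match.group(2) else None,
            "listening": bool(int(flags, 16) & SO_ACCEPTCON),
            "inode": int(inode),
        })
    return findings


if __name__ == "__main__":
    for finding in find_webview_debug_sockets(SAMPLE_PROC_NET_UNIX):
        print(finding)
```

When a pid is reported, it can be matched against the process list to identify the package that left debugging enabled.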

Abstract sockets do not use file system permissions to enforce access and are therefore accessible to all applications on the device.

To demonstrate access to the socket, you may use the socat binary to expose the abstract socket:

    ./socat TCP-LISTEN:9999,fork ABSTRACT:webview_devtools_remote_3483

Port 9999 can either be accessed locally or, for testing purposes, be forwarded using adb:

    adb forward tcp:9999 tcp:9999

To access the remote protocol, use a Chrome Debug Protocol client, such as pychrome:

    import pychrome

    # Connect to the WebView on the exposed port.
    browser = pychrome.Browser(url="http://127.0.0.1:9999")
    t = browser.list_tab()[0]
    t.start()
    t.DOM.enable()

    # Access the document.
    t.DOM.getDocument()

Recommendation

Set setWebContentsDebuggingEnabled to false, or set it to true only when the app is in debug mode.

Example:

    // Enable WebView remote debugging only when the build is debuggable.
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {
        WebView.setWebContentsDebuggingEnabled(true);
    }

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_2
    • MSTG_CODE_4
  • OWASP_MASVS_L2:
    • MSTG_CODE_2
    • MSTG_CODE_4
  • PCI_STANDARDS:
    • REQ_1_2
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_PLATFORM_2
    • MASVS_RESILIENCE_3