WebView Debugging Enabled
Description
Calling WebView.setWebContentsDebuggingEnabled(true) in a production build lets anyone who can reach the device over adb (for example with Chrome DevTools via chrome://inspect) attach to the app's WebViews, read and modify the DOM, run JavaScript in the page's origin, and read cookies and local storage, including HttpOnly cookies. The setting is a static, app-wide flag: one call anywhere in the process, including in library code, enables debugging for every WebView the app creates.
Examples
Detect Debugging
rg -n "setWebContentsDebuggingEnabled\(" src out
Match every call site, not only the literal true: a call whose argument is a build flag such as BuildConfig.DEBUG is acceptable, while one that passes a variable or a remote-config value needs manual review. The same method name appears in decompiled output, so run the search over the release APK's decompiled sources as well as the repository.
Inspect via Chrome
With the device attached over adb (USB debugging enabled) and the app in the foreground, open chrome://inspect#devices in desktop Chrome. A debuggable WebView is listed under the app's package name with an inspect link; if DevTools opens and you can read or modify the page, its cookies and its local storage, debugging is enabled. Test the signed release build, not a debug build, since the build flags that are supposed to disable it differ between the two.
Remediation
- Disable in release
  - Guard the call behind a build flag (BuildConfig.DEBUG, or a runtime check of ApplicationInfo.FLAG_DEBUGGABLE) so that release builds never call it with true. Because the flag is app-wide, also check that no third-party SDK in the release APK calls it.
- Content hardening
  - Treat every WebView as inspectable: keep tokens and other secrets out of its cookies and localStorage where possible. Secure and HttpOnly cookie flags still belong there, but note that they limit page JavaScript, not an attached DevTools session.
- CI enforcement
  - Add a static check to the release pipeline that fails the build when the call is made with an unconditional true, and optionally verify the final signed APK by decompiling it and running the same check over the output.
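As an added example that is not part of this page or any project's tooling, the following Python script implements both the detection step above and the CI enforcement item: it scans Java/Kotlin sources and decompiled smali for the call, classifies each call site by its argument (literal true without a guard, guarded by a debug flag, or dynamic), and exits non-zero when an unconditional call is present. The guard names in GUARD_RE, the paths in the usage line and the sample inputs are assumptions constructed for illustration; the lookback heuristic for an enclosing if-block is a text scan, not an AST parse.

```python
#!/usr/bin/env python3
"""Release gate for WebView remote debugging (added example, heuristic).

Classifies every WebView.setWebContentsDebuggingEnabled call in Java/Kotlin
sources and decompiled smali as 'unconditional', 'guarded' or 'dynamic' and
exits 1 when an unconditional call is found. Hypothetical usage:
    python3 webview_debug_gate.py app/src/main out/smali
"""
import re
import sys
from pathlib import Path

SRC_CALL_RE = re.compile(r"setWebContentsDebuggingEnabled\s*\(\s*([^)]*?)\s*\)")
# Expressions that tie the call to a debuggable build. Assumed list; extend it
# with the project's own flag names.
GUARD_RE = re.compile(r"BuildConfig\.DEBUG|FLAG_DEBUGGABLE|isDebuggable")
# smali: the boolean argument is a register loaded by a const instruction and
# possibly overwritten later by a field read or a move.
SMALI_CONST_RE = re.compile(r"^\s*const(?:/4|/16)?\s+([vp]\d+),\s*(-?(?:0x[0-9a-fA-F]+|\d+))")
SMALI_WRITE_RE = re.compile(r"^\s*(?:sget|iget|move)[-\w/]*\s+([vp]\d+)\b")
SMALI_CALL_RE = re.compile(
    r"^\s*invoke-static\s+\{([vp]\d+)\},\s*"
    r"Landroid/webkit/WebView;->setWebContentsDebuggingEnabled\(Z\)V")


def scan_source(text, lookback=5):
    """Return [(line_no, verdict)] for Java/Kotlin text. A literal true counts as
    guarded only if the same line or one of the preceding `lookback` lines
    references a debug flag (heuristic for an enclosing if-block)."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # commented-out code is not a finding
        for m in SRC_CALL_RE.finditer(line):
            arg = m.group(1)
            if arg == "false":
                continue  # explicitly disabled
            context = "\n".join(lines[max(0, idx - lookback): idx + 1])
            if GUARD_RE.search(arg) or (arg == "true" and GUARD_RE.search(context)):
                verdict = "guarded"
            elif arg == "true":
                verdict = "unconditional"
            else:
                verdict = "dynamic"
            findings.append((idx + 1, verdict))
    return findings


def _int_literal(s):
    return int(s, 16) if s.lower().lstrip("-").startswith("0x") else int(s)


def scan_smali(text):
    """Return [(line_no, verdict)] for smali text by resolving the argument
    register to its last const load within the current method."""
    consts = {}
    findings = []
    for idx, line in enumerate(text.splitlines()):
        if line.lstrip().startswith(".method"):
            consts = {}  # register contents do not survive a method boundary
            continue
        m = SMALI_CONST_RE.match(line)
        if m:
            consts[m.group(1)] = _int_literal(m.group(2))
            continue
        m = SMALI_WRITE_RE.match(line)
        if m:
            consts.pop(m.group(1), None)  # e.g. sget-boolean v0, ...BuildConfig;->DEBUG:Z
            continue
        m = SMALI_CALL_RE.match(line)
        if m:
            value = consts.get(m.group(1))
            if value == 0:
                continue  # explicitly disabled
            findings.append((idx + 1, "unconditional" if value == 1 else "dynamic"))
    return findings


SUFFIX_SCANNER = {".java": scan_source, ".kt": scan_source, ".smali": scan_smali}


def scan_tree(root):
    """Scan every Java/Kotlin/smali file below root; return [(path, line, verdict)]."""
    results = []
    for path in Path(root).rglob("*"):
        scanner = SUFFIX_SCANNER.get(path.suffix)
        if scanner and path.is_file():
            for line_no, verdict in scanner(path.read_text(errors="replace")):
                results.append((str(path), line_no, verdict))
    return results


def main(argv):
    results = [r for root in (argv[1:] or ["src"]) for r in scan_tree(root)]
    for path, line_no, verdict in results:
        print(f"{path}:{line_no}: setWebContentsDebuggingEnabled {verdict}")
    return 1 if any(v == "unconditional" for _, _, v in results) else 0


# Constructed samples (not taken from any real app) exercising each verdict.
SAMPLE_JAVA = """\
public class App extends Application {
    @Override public void onCreate() {
        super.onCreate();
        WebView.setWebContentsDebuggingEnabled(true);   // finding: unconditional
    }
}
"""
SAMPLE_KOTLIN = """\
class App : Application() {
    override fun onCreate() {
        super.onCreate()
        if (BuildConfig.DEBUG) {
            WebView.setWebContentsDebuggingEnabled(true)   // guarded by the if above
        }
        WebView.setWebContentsDebuggingEnabled(remoteConfig.debugWebView)  // dynamic: review
    }
}
"""
SAMPLE_SMALI = """\
.method public onCreate()V
    .locals 1
    const/4 v0, 0x1
    invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V
    return-void
.end method
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire the script into the release job so that a non-zero exit blocks the build; 'dynamic' results are printed for review but do not fail it, which is the right default when an SDK passes a value computed at runtime. Because the source scanner only looks a few lines back for a guard, a true call placed just after a closed if-block can be misclassified as guarded, so the smali pass over the final APK is the more reliable of the two checks.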