Configuration Management / Webview Remote Debugging Enabled
Description
Webview Remote Debugging Enabled is a configuration management vulnerability listed in the CWE directory as CWE-91. It is covered by the OWASP Testing Guide because malicious actors can exploit it to gain access to sensitive data. It is most commonly found in Android and mobile apps, where a remote debugging bridge can be enabled on the WebView. Once that bridge is enabled, an attacker who can reach it gains access to the WebView's JavaScript environment and can execute arbitrary code on the device in the app's context.
Risk
Webview Remote Debugging Enabled is a high-risk vulnerability because it can allow attackers to access sensitive data on the device. This can lead to data leaks, tampering with information, or the execution of arbitrary code. The vulnerability is also easy to overlook, since identifying it requires manual testing of the built app rather than a source review alone.
Solution
To mitigate the risk of Webview Remote Debugging Enabled, the bridge must be disabled by calling WebView.setWebContentsDebuggingEnabled(false); in the app's code. Note that the setting is static and applies to every WebView in the process, so enabling it anywhere (for example in a debugging helper left in a release build) exposes all of them. After the change, the release build should be tested to confirm that the bridge is actually disabled.
Example
The following code can be used to disable the bridge:
WebView.setWebContentsDebuggingEnabled(false);
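As an added example (not code from the original page), the following Java class gates WebView debugging on whether the running APK is marked debuggable, so release builds never expose the bridge; the class name WebViewDebugPolicy and the call site in an Application subclass are assumptions.

```java
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.webkit.WebView;

// Hypothetical helper: decides whether WebView remote debugging may be on.
public final class WebViewDebugPolicy {

    private WebViewDebugPolicy() {}

    // True only when the installed APK carries android:debuggable="true".
    // Release builds normally have this flag cleared.
    static boolean isDebuggableBuild(Application app) {
        int flags = app.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Call once from Application.onCreate(). The setting is static and
    // process-wide, so a single call covers every WebView in the app.
    static void apply(Application app) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
            return; // setWebContentsDebuggingEnabled exists from API 19 onwards
        }
        // Explicitly pass false for non-debuggable builds rather than relying
        // on the default, so a stray true elsewhere cannot win silently.
        WebView.setWebContentsDebuggingEnabled(isDebuggableBuild(app));
    }
}

// Hypothetical Application subclass wiring the policy in at startup.
class ExampleApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        WebViewDebugPolicy.apply(this);
    }
}
```

Register ExampleApplication via android:name in the manifest; the check then runs before any Activity creates a WebView.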