
Insecure Configuration

Why is this important?

Android mostly adheres to secure defaults, but there are ways to introduce configuration issues.

Check out this video for a high-level explanation:

Security Misconfiguration

Fixing Insecure Configuration

Option A: Disable Remote WebView debugging

When remote WebView debugging is enabled, the web contents (HTML/CSS/JavaScript) loaded into any of the app's WebViews are exposed, which can allow attackers to steal or corrupt data.

  1. Go through the issues that GuardRails identified in the PR.

  2. Remove the code that has this pattern:

    WebView.setWebContentsDebuggingEnabled(true);

  3. Or make sure this code is not used in production.

  4. Test it

  5. Ship it 🚢 and relax 🌴
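One way to satisfy step 3, shown as an added example that is not code from the original page or from GuardRails: derive the setting from the app's debuggable flag so release builds always pass `false`. `ExampleApp` and `isDebuggableBuild` are hypothetical names, and the class is assumed to be registered through `android:name` on the `<application>` element of the manifest.

```java
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

// Hypothetical Application subclass (assumption: registered in AndroidManifest.xml).
public class ExampleApp extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        // Pass the build's debuggable state instead of a hard-coded true:
        // debug builds can still be inspected, release builds get false.
        WebView.setWebContentsDebuggingEnabled(isDebuggableBuild());
    }

    // True only when the installed package carries the debuggable flag,
    // which release build types do not set by default.
    private boolean isDebuggableBuild() {
        ApplicationInfo info = getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
}
```

With this in place, any remaining hard-coded `WebView.setWebContentsDebuggingEnabled(true);` calls elsewhere in the code base should still be removed, since a later call overrides the value set here.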

More information: