Debug mode is enabled for WebViews
Closed this issue · 1 comments
MAX SDK Version
11.11.2
Device/Platform Info
Android
Current Behavior
Static analysis found that:
Calling setWebContentsDebuggingEnabled(true) enables a global switch that allows an attached PC to eavesdrop on and modify all communication inside a WebView element. This can be used to modify the behavior of a WebView in an unintended way.
Note that not calling setWebContentsDebuggingEnabled(true) is necessary to prevent debugging, but is not sufficient. It might still be possible for an adversary to connect a debugger and use it to reverse-engineer or tamper with the app’s behaviour.
The issue is at:
com.applovin.impl.adview.d
Line 9 in com/applovin/impl/adview/SourceFile
com.applovin:applovin-sdk
setWebContentsDebuggingEnabled(true)
Can you please verify if this is the case and disable it for production if it's not necessary?
This might also cause higher CPU and memory usage.
Expected Behavior
No response
How to Reproduce
Run an analysis from https://appsweep.guardsquare.com/ for example.
Additional Info
No response
Thanks for reporting this. The code path exists in our SDK, but it does not actually run.