Commit dcbabab

fix(Web3TokenView): only enable WebView contents debugging in debug builds (#2323)
Refs #2323

Web3TokenView.init() unconditionally calls `WebView.setWebContentsDebuggingEnabled(true)`, which leaves the in-app WebView attachable from `chrome://inspect` on any device with USB debugging enabled — including release builds installed on end-user devices. Because Web3TokenView is the surface that runs TokenScript / dapp JavaScript inside a *wallet* application, that is a CWE-489 exposure of session content for a process that signs transactions.

Gate the call behind `BuildConfig.DEBUG` so contents debugging is only available in developer builds. This matches the practice used by MetaMask, Trust Wallet, and other audited Android wallet apps.

This change does *not* address the larger refactor requested in #2323 (replacing the legacy provider with a MetaMask-style one); that work is left tracked by the issue.
1 parent c873a4a commit dcbabab

1 file changed

Lines changed: 5 additions & 1 deletion

File tree

app/src/main/java/com/alphawallet/app/web3/Web3TokenView.java

@@ -123,7 +123,11 @@ private void init() {
123123
webSettings.setLoadWithOverviewMode(true);
124124
webSettings.setUserAgentString(webSettings.getUserAgentString()
125125
+ "AlphaWallet(Platform=Android&AppVersion=" + BuildConfig.VERSION_NAME + ")");
126-
WebView.setWebContentsDebuggingEnabled(true);
126+
// CWE-489: Web3TokenView holds session JS for a wallet that signs
127+
// transactions. Leaving WebView contents debuggable in release builds
128+
// lets anyone with USB access attach chrome://inspect and read the
129+
// page's DOM/JS. Restrict to debug builds only.
130+
WebView.setWebContentsDebuggingEnabled(BuildConfig.DEBUG);
127131

128132
if (WebViewFeature.isFeatureSupported(WebViewFeature.ALGORITHMIC_DARKENING))
129133
{
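Review bot: `WebView.setWebContentsDebuggingEnabled` is a static, process-wide switch, so the `BuildConfig.DEBUG` gate at new line 130 only holds if no other code path in the app (or a bundled SDK) still calls it with `true`; a repo-wide search for `setWebContentsDebuggingEnabled` before merging would confirm this is the sole call site. The comment block at lines 126-129 explains the risk well but does not say the setting is global rather than per-view; one extra clause there (e.g. "applies to every WebView in the process") would stop a future contributor from re-enabling it elsewhere "just for one view".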
