fix(Web3TokenView): only enable WebView contents debugging in debug builds (refs #2323)#3439
jim-daf wants to merge 1 commit into
Conversation
…uilds (AlphaWallet#2323)

Refs AlphaWallet#2323

Web3TokenView.init() unconditionally calls `WebView.setWebContentsDebuggingEnabled(true)`, which leaves the in-app WebView attachable from `chrome://inspect` on any device with USB debugging enabled — including release builds installed on end-user devices. Because Web3TokenView is the surface that runs TokenScript / dapp JavaScript inside a *wallet* application, that is a CWE-489 exposure of session content for a process that signs transactions.

Gate the call behind `BuildConfig.DEBUG` so contents debugging is only available in developer builds. This matches the practice used by MetaMask, Trust Wallet, and other audited Android wallet apps.

This change does *not* address the larger refactor requested in AlphaWallet#2323 (replacing the legacy provider with a MetaMask-style one); that work is left tracked by the issue.
893083a to dcbabab
Pull request overview
Restricts Android WebView contents debugging to debug builds for Web3TokenView, reducing exposure of TokenScript/dapp runtime state in production.
Changes:
- Gate WebView.setWebContentsDebuggingEnabled(...) behind BuildConfig.DEBUG.
- Add an inline security rationale comment referencing CWE-489 and the impact on wallet WebView state.
// CWE-489: Web3TokenView holds session JS for a wallet that signs
// transactions. Leaving WebView contents debuggable in release builds
// lets anyone with USB access attach chrome://inspect and read the
// page's DOM/JS. Restrict to debug builds only.
WebView.setWebContentsDebuggingEnabled(BuildConfig.DEBUG);
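Review bot: gating this one call does not deliver what the comment above it promises, because WebView.setWebContentsDebuggingEnabled() is process-wide, so any other call site that still passes true (the review below names Web3View.java) switches debugging back on for this WebView too in a release build. Make the decision in exactly one place, ideally Application.onCreate(), always passing the computed boolean rather than calling it with a literal true inside an if, and delete the per-view calls so a future view cannot re-enable it. Two points on the comment text itself: "anyone with USB access" overstates the precondition, which the commit message states correctly as a device with USB debugging enabled (the host also has to be authorized by the user), and the comment should say the setting applies to every WebView in the process, since a reader of this file would otherwise assume the gate is local to Web3TokenView.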
WebView.setWebContentsDebuggingEnabled(...) is process-wide. Even though this call is now gated by BuildConfig.DEBUG, there is still an unconditional WebView.setWebContentsDebuggingEnabled(true) in app/src/main/java/com/alphawallet/app/web3/Web3View.java (around line 190) which is used by production layouts (e.g. fragment_webview.xml). That means release builds can still end up with WebView debugging enabled, defeating the security goal described in the comment. Consider gating/removing the other call sites as well (or centralizing this setting so it can’t be re-enabled in release).
Restrict WebContentsDebuggingEnabled to debug builds (refs #2323)

What this PR does is fix the most concrete security smell that exists in the same file the original draft was touching.

The concrete problem

app/src/main/java/com/alphawallet/app/web3/Web3TokenView.java: is called unconditionally inside init(). That setting is process-wide on Android and remains active in release builds. Combined with the fact that Web3TokenView is the WebView that runs TokenScript / dapp JavaScript inside a wallet, i.e. a process that signs transactions and holds key material in memory, it lets anyone with USB access on a production device attach chrome://inspect and read the page's DOM and JS state. CWE-489 (Active Debug Code).

MetaMask, Trust Wallet, and every other audited Android wallet gate this call behind BuildConfig.DEBUG.

The fix

BuildConfig is already imported in the file, so this is a one-line behavioral change. No other functionality is altered.
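As an added example, not AlphaWallet code and not part of this PR, here is the shape the review comment asks for: one process-wide decision made in Application.onCreate() instead of a gate inside each view. It follows the Android WebView remote-debugging guide, which states that the setting is not tied to the manifest's debuggable flag and recommends testing ApplicationInfo.FLAG_DEBUGGABLE at runtime. The package name, WebViewDebugPolicy and WalletApplication are assumptions for the illustration.

```java
// Added example, not AlphaWallet code. Package and class names are hypothetical.
package com.example.wallet;

import android.app.Application;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

/**
 * Single owner of the process-wide WebView debugging switch.
 *
 * WebView.setWebContentsDebuggingEnabled() applies to every WebView in the
 * process, so a gate inside one view's init() is undone by any other view
 * that calls it with true. Deciding once here, and never calling it from
 * views, is the only arrangement that cannot be re-enabled in release.
 */
public final class WebViewDebugPolicy {
    private WebViewDebugPolicy() {}

    /**
     * True only when the installed APK is actually debuggable. This is the
     * runtime counterpart of BuildConfig.DEBUG, but it reflects the manifest
     * of the binary that is running rather than the variant it was compiled
     * as, which is what the WebView debugging guide recommends checking.
     */
    public static boolean isDebuggable(Context ctx) {
        int flags = ctx.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Apply the decision. Call exactly once, from Application.onCreate(). */
    public static void apply(Context ctx) {
        // Always pass the computed value instead of wrapping a literal
        // setWebContentsDebuggingEnabled(true) in an if: passing false
        // explicitly disables debugging even if some other code path
        // turned it on earlier in the process.
        WebView.setWebContentsDebuggingEnabled(isDebuggable(ctx));
    }
}

/** Hypothetical Application subclass showing the single call site. */
class WalletApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        WebViewDebugPolicy.apply(this);
        // Views such as Web3TokenView and Web3View must not call
        // WebView.setWebContentsDebuggingEnabled() themselves at all.
    }
}
```

The Application subclass has to be registered in the manifest's android:name for onCreate() to run. To keep the invariant from regressing, a simple source check in CI that fails when setWebContentsDebuggingEnabled( appears anywhere outside WebViewDebugPolicy is enough; it would have flagged the Web3View.java call site the review comment points at.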