Description:
During our regular Android app security scanning, the NowSecure tool has reported a security vulnerability in the Apptentive Android SDK. The issue relates to a WebView configuration that allows access to local files, which could potentially be exploited by attackers to execute malicious code or access sensitive local resources.
Steps to Reproduce:
NowSecure’s static analysis detected that a WebView in NavigateTolinkActivity.kt has file access enabled. The detection considers the app’s minSdkVersion, which affects the default WebView behavior as follows:
- setAllowFileAccess is true by default when minSdkVersion <= 29
- setAllowFileAccessFromFileURLs is true by default when minSdkVersion <= 15
- setAllowUniversalAccessFromFileURLs is true by default when minSdkVersion <= 15
The identified WebView meets the following conditions:
- setAllowFileAccess(true) is explicitly enabled.
- JavaScript is enabled using setJavaScriptEnabled(true).
Evidence
{
"local_resource_access_method": "setAllowFileAccess",
"default_used": "Yes",
"value": true,
"source_file": "apptentive/com/android/feedback/link/view/NavigateTolinkActivity.kt",
"package_name": "apptentive.com.android.feedback.link.view",
"class_name": "NavigateTolinkActivity",
"method": "onCreate",
"kind": "fail",
}
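
One way to address this class of finding, as an added example that is not part of the original report and not the Apptentive SDK's code: set the three file-access flags named above explicitly, so the effective values do not depend on minSdkVersion defaults, and allow only https links. The names `hardenLinkWebView`, `isAllowedLink` and `loadLink` are hypothetical, and the example assumes the link screen needs JavaScript and never needs `file://` content.

```kotlin
import android.annotation.SuppressLint
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical policy: the link screen only ever needs remote https pages.
fun isAllowedLink(uri: Uri): Boolean = uri.scheme?.lowercase() == "https"

// Hypothetical helper, intended to be called from the Activity's onCreate
// before any URL is loaded.
@SuppressLint("SetJavaScriptEnabled")
@Suppress("DEPRECATION") // the two *FromFileURLs setters are deprecated since API 30
fun hardenLinkWebView(webView: WebView) {
    webView.settings.apply {
        // Explicit values override the minSdkVersion-dependent defaults.
        allowFileAccess = false
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false
        // Assumption: the linked pages require JavaScript.
        javaScriptEnabled = true
    }
    webView.webViewClient = object : WebViewClient() {
        // This overload is called on API 24+; returning true cancels the navigation.
        override fun shouldOverrideUrlLoading(
            view: WebView,
            request: WebResourceRequest
        ): Boolean = !isAllowedLink(request.url)
    }
}

// shouldOverrideUrlLoading is not invoked for loadUrl() calls made by the app,
// so the initial URL is checked here as well.
fun loadLink(webView: WebView, url: String): Boolean {
    val uri = Uri.parse(url)
    if (!isAllowedLink(uri)) return false
    webView.loadUrl(uri.toString())
    return true
}
```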