Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 20 rules found

android

Impact

Clean code attribute

Enabling file access for WebViews is security-sensitive

consistency - conventional

security

Security Hotspot

Granting file access to WebViews, particularly through the file:// scheme, introduces a risk of local file inclusion vulnerabilities. The severity of this risk depends heavily on the specific settings configured for the WebView. Overly permissive settings can allow malicious scripts to access a wide range of local files, potentially exposing sensitive data such as Personally Identifiable Information (PII) or private application data, leading to data breaches and other security compromises.

Ask Yourself Whether

You open files that may be created or altered by external sources.
You open arbitrary URLs from external sources.

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Avoid opening file:// URLs from external sources in WebView components. If your application accepts arbitrary URLs from external sources, do not enable this functionality.

On Android, it is recommended to use androidx.webkit.WebViewAssetLoader to access files, including assets and resources, via a custom, controllable scheme.

On iOS, it is recommended to use Bundles to access local files, keeping access limited a controlled subset using the allowingReadAccessTo parameter of the loadFileURL method. If allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs are not enabled, it is not possible to access files outside the intended directory. It is also possible to create a custom scheme to access local files, but this is more complex and might lead to unintended security issues.

For enhanced security, ensure that the options to load file:// URLs are explicitly set to false.

Sensitive Code Example

import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setAllowFileAccess(true); // Sensitive
webView.getSettings().setAllowContentAccess(true); // Sensitive

Compliant Solution

import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setAllowFileAccess(false);
webView.getSettings().setAllowContentAccess(false);

See

OWASP - Top 10 2021 Category A1 - Broken Access Control
OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
OWASP - Top 10 2017 Category A6 - Security Misconfiguration
OWASP - Mobile Top 10 2024 Category M8 - Security Misconfiguration
OWASP - Mobile AppSec Verification Standard - Platform Interaction Requirements
CWE - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Android Documentation - WebViews - Unsafe File Inclusion

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.2

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.2

In-IDE

SaaS

Self-Hosted