[Bug]: Remote Webview debugging is enabled.

[rakeshv1108]

What happened?

How can this Webview debugging mode be turned off?

I've included my release apk build in the Mobsf testing procedure to look for security flaws. Additionally, I received one serious problem from the Mobsf report for your package library. The screenshot for that report is attached. Please take action to fix the security problem.

Thank you.

Steps to reproduce?

1. Create release android build apk.
2. Set up the Mobsf security checkup tool.
3. Analyse that same apk through that Mobsf tool.

What did you expect to happen?

I want to disable or remove that debugging line from the npm package code.

React Native OneSignal SDK version

Release 4.5.0

Which platform(s) are affected?

• iOS
• Android

Relevant log output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[mlblount45]

Has this issue been added to the project road map? any approximation date on when this will be addressed?

[samu-gataca]

Any new about this?

[emawby]

I apologize we do not have news yet, but we appreciate the bump! We will investigate

[maxi-sante]

Any new?

[Redn4s]

A pentest of our app revealed that Remote WebView debugging is activated. This was specifically found in OneSignal: com/onesignal/WebViewManager.java. We're use v4.5.1 of react-native-onesignal.

Any news about the issue yet?

[tair-rhyme]

seems like that is false positive, because of this, if you do not set logLevel to debug and higher it should be OK

[manish-chimera]

I am having similar issue with Onesignal Android SDK with version 5.1.7. how can we disable Remote WEBview debugging?

[nan-li]

Hi, thanks for reaching out,
Regarding Remote WebView Debugging was Enabled
OneSignal's default logging level is warning. Make sure you don't set OneSignal.Debug.setLogLevel(OSLogLevel.debug) or verbose in your production app to avoid this from being activated.

[Monfallet]

@nan-li I have set this variable as you mentioned, but the issue persists. Another thing, during a scan I conducted on my APK, I found several paths or files containing the word "debug". Could you please help me clarify these points?

[nan-li]

Hi @Monfallet, a static analysis will pick up the existence of code, not whether the code is activated.

The remote webview will only be set up if you use levels DEBUG or higher (so DEBUG or VERBOSE).

I found several paths or files containing the word "debug"
There is a debug package and some classes to help with logging. Again, DEBUG-level and VERBOSE-level logs will only log if you have set the log level to VERBOSE or DEBUG. See this.