-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disabling WebView remote debugging doesn't work #1732
Comments
Can you provide which |
and my config file:
|
Thanks, the conifg looks fine and the feature was added in v12, so that should be fine as well. Are you using any custom webview plugins, such as the ionic webview? |
These are the plugins I'm using:
|
@breautek I've provided above the plugins I'm using. Thanks! |
Can you run Can you clarify if you're attempting to prevent inspecting the cordova webview, or the in-app browser webview (or both)? Since you've referenced the SystemWebview I've assumed you're only concern about the main cordova webview. For android in-app browser, it doesn't yet respond to the Lastly can you confirm if it works if you use the default option (e.g. do not set
Just in case you aren't aware. Users can still get access to your app code even without the inspector. The web assets is plaintext (as required to be read by the webview) and is extractable from the installable APK or AAB file. In otherwords it's not safe to store "secrets" on the client. This isn't exclusive to Cordova, but for any client-side development, but especially so for scripted environments where the code is interpreted like web environments. This is noted here. |
I am trying to to prevent inspecting the cordova webview. Building the cordova app with --release doesn't work either (This is what I've initially tried ). In my current builds i'm setting both the --release and the config.xml param mentioned above.
Well I was hoping to lock at least the medium knowledgeable users from getting access to the app code by disabling the remote debug. No secrets are stored in the cordova app code. I am aware that any client app can have its code exposed. If I won't be able to find a solution, I can live with how it is too. |
if the preference is set at all, it will override the default behaviour, which is to enable on debug. If the preference is set, then it should only enable debugging if it's specifically So that might actually explain some situations because Cordova never explicitly sets the flag to false, but this should only affect debug builds that explicitly disable A release build that uses a SDK default should produce a webview that isn't inspectable. For that case, is that something reproducible in a sample reproduction app? |
An update, I just tested with my own apps so that I can build a release variant... and I've modified the framework code to easily test different scenarios. It seems like For release builds, not setting |
I will see when I will find some free time to prune my app down so that I can share it with you. Thanks for now! |
I am trying to disable WebView remote debugging on my cordova app, by setting in config.xml the entry:
According to the SystemWebViewEngine code, this should have worked, but practically I am still able to remotely debug the cordova app on my phone.
Any idea why is that?
I'm basically trying to lock my app so that users cannot get access to the app code.
What is expected to happen?
Should not be able to remote debug the app when InspectableWebview is set to false
What does actually happen?
I am able to remote debug the app when InspectableWebview is set to false
Environment, Platform, Device
Android on Samsung S7 .
Version information
cordova --version
12.0.0 ([email protected])
The text was updated successfully, but these errors were encountered: