WebView.setWebContentsDebuggingEnabled(true) found in release build — Zoom Meeting SDK Android 6.3.10

Description

Hi everyone,

I am using Zoom Meeting SDK for Android, version 6.3.10 (build 27979) in my app. During a routine security audit, our security team decompiled our release APK and found that WebView.setWebContentsDebuggingEnabled(true) is being called from Zoom’s internal SDK code.

Specifically, it was found in these locations:

  • com.zipow.videobox.ptapp.PTUI.doModulesInitAfterLogin()

  • com.zipow.videobox.ZoomApplication.onCreate()

Our app’s own release build has debuggable false set, and we do not call setWebContentsDebuggingEnabled anywhere in our code. This is coming entirely from the Zoom SDK.

As per Android security best practices and OWASP MASTG guidelines, setWebContentsDebuggingEnabled(true) should not be enabled in production/release builds since it allows remote inspection of WebView content through Chrome DevTools.

My questions:

  1. Is this a known issue? Is anyone else facing this?

  2. Is there a plan to fix this in an upcoming SDK version?

  3. Is there any workaround or configuration on our side to disable this?

Which Android Meeting SDK version?
6.3.10

To Reproduce (If applicable)
Steps to reproduce the behavior:
Decompile the APK (I used jadx) and search for WebView.setWebContentsDebuggingEnabled(true).

Screenshots

Smartphone (please complete the following information):

  • Device: [Samsung SM-E146B]
  • OS: [e.g. Android 14]

Hi @Kumar4 ,

Thank you for reaching out to us regarding this question. The logic in SDK for 6.3.10 doModulesInitAfterLogin() is not accessible for SDK, so this issue in itself does not pose a security problem for the APK.

If your security team still has the concern, you can call setWebContentsDebuggingEnabled(false) in the onZoomSDKInitializeResult (ref doc: Link) and onZoomSDKLoginResult (ref doc: Link) callbacks as a workaround. We will address the issue in the next SDK release.

Thanks!
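The audit step from the question (search the decompiled sources for the call) can be repeated as a release check after applying the workaround or upgrading the SDK. The script below is an added example, not code from this thread or from Zoom: it classifies every setWebContentsDebuggingEnabled call site in jadx-style .java output and attributes it to the app or to third-party code. The app package prefix com.example.app, the SdkCallbacks class and both sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Matches the call and captures its argument text.
CALL = re.compile(r"setWebContentsDebuggingEnabled\s*\(\s*([^)]*?)\s*\)")
PACKAGE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.M)

def scan_source(name, text, app_prefix):
    """Return one finding per call site in a single decompiled .java file."""
    m = PACKAGE.search(text)
    pkg = m.group(1) if m else ""
    owner = "app" if pkg.startswith(app_prefix) else "third-party"
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]          # skip trailing line comments
        for call in CALL.finditer(code):
            arg = call.group(1)
            # Literal true/false is decidable; anything else needs a human.
            verdict = {"true": "ENABLED", "false": "DISABLED"}.get(arg, "REVIEW")
            findings.append({"file": name, "line": lineno, "package": pkg,
                             "owner": owner, "arg": arg, "verdict": verdict})
    return findings

def scan_tree(root, app_prefix):
    """Scan every .java file under a directory of decompiled sources."""
    out = []
    for path in sorted(Path(root).rglob("*.java")):
        out += scan_source(str(path), path.read_text(errors="replace"), app_prefix)
    return out

def blockers(findings):
    """Call sites that can turn debugging on in a release build."""
    return [f for f in findings if f["verdict"] != "DISABLED"]

# Constructed sample input (stand-ins, not Zoom's or anyone's real decompiled code).
SAMPLE_SDK = """package com.zipow.videobox;
public class ZoomApplication {
    public void onCreate() {
        WebView.setWebContentsDebuggingEnabled(true);
    }
}
"""
SAMPLE_APP = """package com.example.app;
class SdkCallbacks {
    void onZoomSDKInitializeResult(int errorCode, int internalErrorCode) {
        WebView.setWebContentsDebuggingEnabled(false); // workaround from the reply
    }
    void init(boolean dbg) { WebView.setWebContentsDebuggingEnabled(dbg); }
}
"""

if __name__ == "__main__":
    found = (scan_source("ZoomApplication.java", SAMPLE_SDK, "com.example.app")
             + scan_source("SdkCallbacks.java", SAMPLE_APP, "com.example.app"))
    for f in blockers(found):
        print(f"{f['verdict']:8} {f['owner']:11} {f['file']}:{f['line']}  arg={f['arg']}")
```

Because setWebContentsDebuggingEnabled is a static, application-wide setting, a DISABLED call in your own callbacks only helps if it runs after the SDK's call. A text scan cannot confirm that ordering, so a third-party ENABLED finding still needs a runtime check.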