com.insecureshop.PrivateActivity have the following insecure WebView properties enabled:
setAllowUniversalFileAccessFromFileURLs allows any documents opened with the file:// scheme to access the content of any local documents and also of any other document or property accessible using other schemes like http(s)://. This leads to a violation of the Same Origin Policy and allows an attacker both to steal the user’s data and to interact with any other Internet services on behalf of the Android application.
webview-universal-access.yaml on a decompiled Android app to identify the insecure WebView properties in use.
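The kind of check described above, as an added example (it is not the webview-universal-access.yaml rule and is not from the original page): a small Python scanner over decompiled Java sources that flags WebSettings setters which relax file:// isolation. The setters listed besides setAllowUniversalFileAccessFromFileURLs, the function names and the sample class are assumptions made for illustration.

```python
import re
from pathlib import Path

# Real android.webkit.WebSettings setters; which ones to flag is this example's choice.
RISKY_SETTERS = {
    "setAllowUniversalFileAccessFromFileURLs": "file:// pages may read any origin",
    "setAllowFileAccessFromFileURLs": "file:// pages may read other file:// URLs",
    "setAllowFileAccess": "WebView may load file:// URLs",
    "setJavaScriptEnabled": "script runs in loaded pages",
}
CALL = re.compile(r"\.(" + "|".join(RISKY_SETTERS) + r")\s*\(\s*([^)]*?)\s*\)")

SAMPLE = '''\
package com.example.demo;  // constructed sample, not InsecureShop code
public class DemoActivity {
    void setup(android.webkit.WebView webView, boolean flag) {
        android.webkit.WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowUniversalFileAccessFromFileURLs(true);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowFileAccess(flag);
        // s.setAllowUniversalFileAccessFromFileURLs(true);
    }
}
'''

def scan_source(text, filename="<memory>"):
    """Return (file, line, setter, state) for every setter not explicitly set to false."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop line comments so dead code is not reported
        for m in CALL.finditer(code):
            setter, arg = m.group(1), m.group(2)
            if arg == "false":
                continue
            # Decompilers often emit a variable instead of a literal; surface it for review.
            state = "enabled" if arg == "true" else "non-literal argument, review manually"
            findings.append((filename, lineno, setter, state))
    return findings

def scan_tree(root):
    """Scan every .java file under a decompiler output directory."""
    findings = []
    for path in Path(root).rglob("*.java"):
        findings += scan_source(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    for f, line, setter, state in scan_source(SAMPLE, "DemoActivity.java"):
        print(f"{f}:{line}: {setter} ({state}): {RISKY_SETTERS[setter]}")
```

A finding for setAllowUniversalFileAccessFromFileURLs in an activity that loads attacker-influenced URLs is the one to triage first; the fix is to leave the setter at its default of false or set it to false explicitly.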
setAllowUniversalFileAccessFromFileURLs we are able to exfiltrate InsecureShop application's localStorage data to the remote domain.