Allowing file access in an Android WebView can expose a device's file system to the JavaScript running in that WebView. If the JavaScript contains vulnerabilities or the WebView loads untrusted content, file access allows an attacker to steal the user's data.

When possible, do not allow file access. The file access settings are disabled by default. You can explicitly disable file access by setting each of the following settings to false:

  • WebSettings.setAllowFileAccess
  • WebSettings.setAllowFileAccessFromFileURLs
  • WebSettings.setAllowUniversalAccessFromFileURLs

If your application requires access to the file system, it is best to avoid using file:// URLs. Instead, use an alternative that loads files via HTTPS, such as androidx.webkit.WebViewAssetLoader.

In the following (bad) example, the WebView is configured with settings that allow local file access.

In the following (good) example, the WebView is configured to disallow file access.

As mentioned previously, asset loaders can load files without file system access. In the following (good) example, an asset loader is configured to load assets over HTTPS.
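The three configurations described above (file access allowed, file access disallowed, and assets served over HTTPS through WebViewAssetLoader) in one place. This is an added example written for this page, not code from the original query help; the class and method names and the asset paths are our own, while the WebSettings and androidx.webkit calls are the real Android and AndroidX APIs.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;

import androidx.webkit.WebViewAssetLoader;
import androidx.webkit.WebViewClientCompat;

/**
 * Illustrative helper (not part of the original page). Method names and the
 * index.html paths are constructed for the example; the WebSettings and
 * WebViewAssetLoader calls are the real Android / AndroidX APIs.
 */
public final class WebViewFileAccessExamples {

    private WebViewFileAccessExamples() {}

    /** BAD: every file-access setting is enabled, so script in the page can read local files. */
    public static void configureInsecure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(true);                   // file:// URLs may be loaded
        settings.setAllowFileAccessFromFileURLs(true);       // script from file:// may read other file:// content
        settings.setAllowUniversalAccessFromFileURLs(true);  // script from file:// may read any origin
        webView.loadUrl("file:///android_asset/index.html"); // constructed path
    }

    /** GOOD: every file-access setting is explicitly disabled. */
    public static void configureSecure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }

    /** GOOD: bundled assets are served over https:// by WebViewAssetLoader, so no file access is needed. */
    public static void configureWithAssetLoader(Context context, WebView webView) {
        configureSecure(webView);

        // Maps https://appassets.androidplatform.net/assets/... to the APK's assets/ directory
        // and .../res/... to its resources. appassets.androidplatform.net is the loader's default domain.
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .addPathHandler("/res/", new WebViewAssetLoader.ResourcesPathHandler(context))
                .build();

        webView.setWebViewClient(new WebViewClientCompat() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                // Returns a response for URLs the loader handles, or null so that
                // any other request proceeds through the network as usual.
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }
        });

        // Constructed page path, served from assets/index.html over an https:// origin.
        webView.loadUrl("https://appassets.androidplatform.net/assets/index.html");
    }
}
```

Because the asset loader serves content from an `https://` origin rather than `file://`, the page's JavaScript is subject to ordinary same-origin rules and cannot read arbitrary local files even if the content itself is compromised; the two `*FromFileURLs` settings only matter for content loaded from `file://` URLs, but setting all three to false removes the dependency on that distinction.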

  • Android documentation: WebSettings.setAllowFileAccess.
  • Android documentation: WebSettings.setAllowFileAccessFromFileURLs.
  • Android documentation: WebSettings.setAllowUniversalAccessFromFileURLs.
  • Android documentation: WebViewAssetLoader.