The WebView.setWebContentsDebuggingEnabled method enables or disables debugging of the contents of any WebView in the application.

Enabling debugging features could expose additional entry points or leak sensitive information. As such, debugging should only be enabled during development, and disabled in production builds.

Ensure that debugging features are not enabled in production builds. If WebView.setWebContentsDebuggingEnabled(true) is used, ensure that it is guarded by a flag indicating that this is a debug build.

In the code below, the BAD case shows WebView debugging always being enabled, whereas the GOOD case only enables it if the android:debuggable attribute is set to true.
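
The BAD and GOOD cases described above, written out as an added example rather than the page's original listing. The class and method names are hypothetical; the Android APIs used are WebView.setWebContentsDebuggingEnabled, Context.getApplicationInfo and ApplicationInfo.FLAG_DEBUGGABLE.

```java
import android.app.Activity;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.webkit.WebView;

// Hypothetical activity used only to illustrate the two cases.
public class WebViewDebugExampleActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Apply the guarded variant before any WebView is created.
        enableWebViewDebuggingGood();

        WebView webView = new WebView(this);
        setContentView(webView);
    }

    // BAD: debugging is enabled unconditionally, so release builds
    // also expose their WebView contents to remote debugging.
    private void enableWebViewDebuggingBad() {
        WebView.setWebContentsDebuggingEnabled(true);
    }

    // GOOD: debugging is enabled only when the installed package carries
    // the debuggable flag (android:debuggable="true" in the manifest),
    // which release builds do not set.
    private void enableWebViewDebuggingGood() {
        boolean isDebuggable =
                (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (isDebuggable) {
            WebView.setWebContentsDebuggingEnabled(true);
        }
    }
}
```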

  • Android Developers: setWebContentsDebuggingEnabled.
  • Android Developers: Remote debugging WebViews.