File access in an Android WebView can expose the device's file system to the JavaScript running in the WebView. If there are vulnerabilities in the JavaScript, file access may allow an attacker to access or steal the user's data.

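When possible, you should disallow file access by setting the following settings to false: WebSettings.setAllowFileAccess, WebSettings.setAllowFileAccessFromFileURLs, and WebSettings.setAllowUniversalAccessFromFileURLs.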

In the following (bad) example, the WebView is configured with settings that allow local file access.

In the following (good) example, the WebView is configured to disallow file access.
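
The two configurations described above, side by side, as an added example that is not code from the original page. The class name, the two helper method names and the URL are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical activity used only to illustrate the two configurations.
public class HelpActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Set the flags explicitly instead of relying on platform defaults:
        // setAllowFileAccess defaults to true for apps targeting API 29 or lower.
        configureWithoutFileAccess(webView);

        // Placeholder URL; content is fetched over HTTPS rather than file://.
        webView.loadUrl("https://example.com/help");
    }

    // BAD: JavaScript in the WebView can reach the device's file system.
    @SuppressWarnings("deprecation")
    static void configureWithFileAccess(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(true);
        // Scripts loaded from a file:// URL may read other file:// URLs.
        settings.setAllowFileAccessFromFileURLs(true);
        // Scripts loaded from a file:// URL may read content from any origin.
        settings.setAllowUniversalAccessFromFileURLs(true);
    }

    // GOOD: all three file access settings are disabled.
    @SuppressWarnings("deprecation")
    static void configureWithoutFileAccess(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }
}
```

The two file-URL setters are deprecated from API level 30, which is why the deprecation warning is suppressed; calling them with false is still harmless on newer platforms.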

  • Android documentation: WebSettings.setAllowFileAccess.
  • Android documentation: WebSettings.setAllowFileAccessFromFileURLs.
  • Android documentation: WebSettings.setAllowUniversalAccessFromFileURLs.
  • File access from URLs is enabled for WebView.
  • File access is enabled for WebView.
  • Universal file access from file URLs is enabled for WebView.