File access in an Android WebView can expose the device's file system to the JavaScript running in the WebView. If there are vulnerabilities in the JavaScript or untrusted content is loaded in the WebView, file access may allow an attacker to access or steal the user's data.

When possible, you should not allow file access. Do not rely on the platform defaults: setAllowFileAccess is enabled by default for apps targeting API level 29 (Android 10) or lower, and the two ...FromFileURLs settings are enabled by default for apps targeting API level 15 or lower. You can explicitly disable file access by setting the following settings to false:

  • WebSettings.setAllowFileAccess
  • WebSettings.setAllowFileAccessFromFileURLs
  • WebSettings.setAllowUniversalAccessFromFileURLs

In the following (bad) example, the WebView is configured with settings that allow local file access.

In the following (good) example, the WebView is configured to disallow file access.
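The two configurations described above, side by side, as an added illustration rather than the page's original snippets. The `untrustedUrl` parameter and the `fileAccessDisabled` helper are assumptions of this example, not part of the query help; everything else is the public android.webkit.WebSettings API.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;

public class WebViewFileAccessExamples {

    // BAD: every file-access setting is switched on. The WebView may load file:// URLs,
    // JavaScript in a file:// page may read other local files, and with universal access
    // it may send their contents to any origin. An XSS bug in the loaded content, or an
    // untrusted page loaded on purpose, therefore becomes a way to read the app's files.
    @SuppressWarnings("deprecation") // the *FromFileURLs setters are deprecated since API 30
    public static void configureInsecure(WebView webView, String untrustedUrl) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(true);                  // file:// URLs may be loaded
        settings.setAllowFileAccessFromFileURLs(true);      // file:// JS may read other files
        settings.setAllowUniversalAccessFromFileURLs(true); // file:// JS may reach any origin
        webView.loadUrl(untrustedUrl); // assumption: content the app does not control
    }

    // GOOD: all three settings are set to false explicitly, so the result does not depend
    // on the app's targetSdkVersion (setAllowFileAccess defaults to true below API 30, the
    // *FromFileURLs settings default to true below API 16).
    @SuppressWarnings("deprecation")
    public static void configureSecure(WebView webView, String untrustedUrl) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        webView.loadUrl(untrustedUrl); // assumption: content the app does not control
    }

    // Assumed helper (not from the original page): a runtime check, usable from an
    // instrumented test or a debug-build startup assertion, that reports whether a
    // WebView still has any form of file access enabled.
    @SuppressWarnings("deprecation")
    public static boolean fileAccessDisabled(WebSettings settings) {
        return !settings.getAllowFileAccess()
                && !settings.getAllowFileAccessFromFileURLs()
                && !settings.getAllowUniversalAccessFromFileURLs();
    }
}
```

Two caveats worth keeping in mind when applying the good configuration: setAllowFileAccess(false) blocks file system access only, so file:///android_asset and file:///android_res URLs remain loadable, and the two ...FromFileURLs settings only matter while file:// content is actually loaded, which is exactly why all three should be disabled together rather than relying on one of them.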

  • Android documentation: WebSettings.setAllowFileAccess.
  • Android documentation: WebSettings.setAllowFileAccessFromFileURLs.
  • Android documentation: WebSettings.setAllowUniversalAccessFromFileURLs.