Using Android WebViews to Steal All the Files

WebViews can be dangerous, especially when misconfigured. Let’s take two case studies, an Android email application and an advertising SDK, to explore the ramifications of using insecure WebViews. From these case studies, we’ll see that misconfigured WebViews can have serious implications. In particular, we’ll see how a misconfigured email application allowed remote users to steal files from a user’s Android device, and how an otherwise normal advertising SDK allowed advertisers to track users and read files from a user’s external storage.

Presented by