...
The android.util.Log class allows a number of possibilities:
|
| |
|
|
|
Example:
| Code Block | ||
|---|---|---|
| ||
Log.v("method", Login.TAG + ", account=" + str1);
Log.v("method", Login.TAG + ", password=" + str2);
|
...
I/MyWeatherReport( 6483): Re-use MyWeatherReport data
I/ ( 6483): GET JSON: http://example.com/smart/repo_piece.cgi?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000
If a user is using Android OS 4.0 or before, other applications with READ_LOGS permission can obtain the user's location information without declaring ACCESS_FINE_LOCATION permission in the manifest file.
...
Logging sensitive information can leak sensitive information to malicious apps.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD04-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Automatic detection of the use of logging facilities trivial. It is not feasible to automatically determine whether the data being logged is sensitive.
Tool | Version | Checker | Description |
|---|
Related Vulnerabilities
- Facebook SDK for Android: http://readwrite.com/2012/04/10/what-developers-and-users-can#awesm=~o9iqZAMlUPshPu
- JVN#23328321 Puella Magi Madoka Magica iP for Android vulnerable to information disclosure
- JVN#86040029 Weathernews Touch for Android stores location information in the system log file
- JVN#33159152 Loctouch for Android information management vulnerability
- JVN#56923652 Monaca Debugger for Android information management vulnerability
Related Guidelines
4.8 Outputing log to LogCat |
Bibliography
4.8 Outputing log to LogCat |
...
...