Android

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Unknown User (lflynn)

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The android.util.Log class allows a number of possibilities:

Log.d (Debug)

Log.e (Error)

Log.i (Info)

Log.v (Verbose)

Log.w (Warn)

Example:

Code Block
langjava
Log.v("method", Login.TAG + ", account=" + str1);
Log.v("method", Login.TAG + ", password=" + str2);

...

Noncompliant Code Example

Here is another example. Weathernews Touch A weather report for Android sent a user's location data to the log output as follows:

I/MySoraPieceMyWeatherReport( 6483): Re-use MySoraPiece MyWeatherReport data
I/ ( 6483): GET JSON:

...

 http://

...

example.

...

com/smart/repo_piece.cgi?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000

 

If a user is using Android OS 4.0 or before, other applications with READ_LOGS permission can obtain the user's location information without declaring ACCESS_FINE_LOCATION permission in the manifest file.

...

Proof of Concept

Example code of obtaining log output correctly from a vulnerable application is as follows:

Code Block
bgColor#ccccff
langjava
final StringBuilder slog = new StringBuilder();

try {
  Process mLogcatProc;
  mLogcatProc = Runtime.getRuntime().exec(new String[]
      {"logcat", "-d", "LoginAsyncTask:I APIClient:I method:V *:S" });

  BufferedReader reader = new BufferedReader(new InputStreamReader(
      mLogcatProc.getInputStream()));

  String line;
  String separator = System.getProperty("line.separator");

  while ((line = reader.readLine()) != null) {
    slog.append(line);
    slog.append(separator);
  }
  Toast.makeText(this, "Obtained log information", Toast.LENGTH_SHORT).show();

} catch (IOException e) {
  // handle error
}

TextView tView = (TextView) findViewById(R.id.logView);
tView.setText(slog);

...

This rule is a special case of IDS03FIO13-J. Do not log unsanitized user inputsensitive information outside a trust boundary.

Risk Assessment

Logging sensitive information can leak sensitive information to malicious apps.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD03

DRD04-J

high

Medium

probable

Probable

medium

Medium

P12

P8

L1

L2

Automated Detection

Automatic detection of the use of logging facilities trivial. It is not feasible to automatically determine whether the data being logged is sensitive.

Tool

Version

Checker

Description

Related Vulnerabilities

Related Guidelines

Android Secure Design / Secure Coding Guidebook by JSSEC

4.8

Output

Outputing log to LogCat

Bibliography

Android Secure Coding Guidebook by JSSEC

[JSSEC 2014]

 4.8

Output

Outputing log to LogCat


...

Image Added Image Added Image Added