
MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets


Sample

The snippet contains many calls to logging APIs which are used to print out secrets such as passwords or IVs.

MastgTest.kt

```kotlin
package org.owasp.mastestapp

import android.content.Context
import android.util.Log
import java.util.logging.Logger

class MastgTest (private val context: Context){

    fun mastgTest(): String {
        val variable = "MAS-Sensitive-Value"
        val password = "MAS-Sensitive-Password"
        val secret_key = "MAS-Sensitive-Key"
        val IV = "MAS-Sensitive-Value-IV"
        val iv = "MAS-Sensitive-Value-IV-2"

        Log.v("MASTG", "key: $variable")
        Log.i("MASTG", "key: $password")
        Log.w("MASTG", "test: $IV")
        Log.d("MASTG", "test: $iv")
        Log.e("MASTG", "test: $variable")
        Log.wtf("MASTG", "test: $variable")

        val x = Logger.getLogger("myLogger")
        x.severe(secret_key)

        return "Done"
    }

}
```

Steps

Execute frida-trace against the sample app, tracing logging classes and methods.

run.sh

```bash
#!/bin/bash

# SUMMARY: This script uses frida-trace to trace logging statements in the specified Android app
# and filters the output to exclude certain log methods.
# The raw output is saved to "output_raw.txt" and then filtered to remove unwanted log entries.
# The final result is saved to "output.txt".

frida-trace \
    -U \
    -f org.owasp.mastestapp \
    --runtime=v8 \
    -j 'android.util.Log!*' \
    -j 'java.util.logging.Logger!severe' \
    -o output_raw.txt \
    && grep -E "(Log|Logger)" output_raw.txt | grep -vE "Log\.println|Log\.isLoggable" > output.txt
```

Observation

frida-trace has identified several instances where log output has been printed.

output.txt

```
Log.v("MASTG", "key: MAS-Sensitive-Value")
Log.i("MASTG", "key: MAS-Sensitive-Password")
Log.w("MASTG", "test: MAS-Sensitive-Value-IV")
Log.d("MASTG", "test: MAS-Sensitive-Value-IV-2")
Log.e("MASTG", "test: MAS-Sensitive-Value")
Log.wtf("MASTG", "test: MAS-Sensitive-Value")
Log.wtf(0, "MASTG", "test: MAS-Sensitive-Value", null, false, false)
Logger.severe("MAS-Sensitive-Key")
```

As a reference, this is the corresponding logcat output obtained from Android Studio.

logcat_output.txt

```
2024-05-14 10:30:06.864  6966-6966  MASTG                   org.owasp.mastestapp                 V  key: MAS-Sensitive-Value
2024-05-14 10:30:06.866  6966-6966  MASTG                   org.owasp.mastestapp                 I  key: MAS-Sensitive-Password
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 W  test: MAS-Sensitive-Value-IV
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 D  test: MAS-Sensitive-Value-IV-2
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 E  test: MAS-Sensitive-Value
2024-05-14 10:30:06.869  6966-6966  MASTG                   org.owasp.mastestapp                 E  test: MAS-Sensitive-Value
2024-05-14 10:30:06.881  6966-6966  myLogger                org.owasp.mastestapp                 E  MAS-Sensitive-Key
```

Evaluation

Review each reported instance using keywords and known secrets (e.g. passwords, usernames, or values you keyed into the app).

Note: You could refine the test to input a known secret and then search for it in the logs.
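To make the evaluation step repeatable on larger captures, here is an added Python script (not part of the MASTG demo or its tooling) that parses both the filtered frida-trace lines produced by run.sh and Android Studio logcat lines, then flags every message that contains a known secret or a suspicious keyword. The sample inputs are constructed from this demo's output, and the KNOWN_SECRETS and KEYWORDS lists are assumptions you would replace with the values you keyed into the app.

```python
import re

# Constructed sample input: filtered frida-trace lines in the format this demo's run.sh produces.
FRIDA_TRACE_OUTPUT = """\
Log.v("MASTG", "key: MAS-Sensitive-Value")
Log.i("MASTG", "key: MAS-Sensitive-Password")
Log.w("MASTG", "test: MAS-Sensitive-Value-IV")
Log.wtf(0, "MASTG", "test: MAS-Sensitive-Value", null, false, false)
Logger.severe("MAS-Sensitive-Key")
"""
# Constructed sample input: the same kind of events as Android Studio logcat lines.
LOGCAT_OUTPUT = """\
2024-05-14 10:30:06.866  6966-6966  MASTG                   org.owasp.mastestapp                 I  key: MAS-Sensitive-Password
2024-05-14 10:30:06.881  6966-6966  myLogger                org.owasp.mastestapp                 E  MAS-Sensitive-Key
"""
# Assumed lists: values you keyed into the app, plus keywords that often accompany a leak.
KNOWN_SECRETS = ["MAS-Sensitive-Password", "MAS-Sensitive-Key", "MAS-Sensitive-Value-IV"]
KEYWORDS = ["password", "passwd", "secret", "key", "iv", "token"]

FRIDA_LINE = re.compile(r'^(?P<call>Log\.\w+|Logger\.\w+)\((?P<args>.*)\)$')
LOGCAT_LINE = re.compile(
    r'^\S+ \S+\s+\S+\s+(?P<tag>\S+)\s+\S+\s+(?P<level>[VDIWEAF])\s+(?P<msg>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return (call, tag, message) for a frida-trace or logcat line, or None if neither."""
    m = FRIDA_LINE.match(line)
    if m:
        # The message is the last quoted argument and the tag precedes it when present;
        # this also covers the 6-argument Log.wtf overload that frida-trace reports.
        quoted = QUOTED.findall(m.group("args")) or [m.group("args")]
        tag = quoted[0] if len(quoted) > 1 else None
        return m.group("call"), tag, quoted[-1]
    m = LOGCAT_LINE.match(line)
    if m:
        return "logcat/" + m.group("level"), m.group("tag"), m.group("msg")
    return None

def find_leaks(text, secrets=KNOWN_SECRETS, keywords=KEYWORDS):
    """Return one finding per log line whose message contains a known secret or a keyword."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        call, tag, msg = parsed
        hit_secrets = [s for s in secrets if s in msg]
        hit_keywords = [k for k in keywords if re.search(r"\b%s\b" % re.escape(k), msg, re.I)]
        if hit_secrets or hit_keywords:
            findings.append({"call": call, "tag": tag, "message": msg,
                             "secrets": hit_secrets, "keywords": hit_keywords})
    return findings
```

A line that carries neither a known secret nor a keyword (such as the Log.wtf line above) is dropped, so feed in the exact values you entered into the app to keep the secret list, rather than the keyword list, doing the work.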