Last updated: July 10, 2024

MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Sample

The snippet contains many calls to logging APIs that print out secrets such as passwords or IVs.

MastgTest.kt
package org.owasp.mastestapp

import android.content.Context
import android.util.Log
import java.util.logging.Logger

class MastgTest (private val context: Context){

    fun mastgTest(): String {
        val variable = "MAS-Sensitive-Value"
        val password = "MAS-Sensitive-Password"
        val secret_key = "MAS-Sensitive-Key"
        val IV = "MAS-Sensitive-Value-IV"
        val iv = "MAS-Sensitive-Value-IV-2"

        Log.v("MASTG", "key: $variable")
        Log.i("MASTG", "key: $password")
        Log.w("MASTG", "test: $IV")
        Log.d("MASTG", "test: $iv")
        Log.e("MASTG", "test: $variable")
        Log.wtf("MASTG", "test: $variable")

        val x = Logger.getLogger("myLogger")
        x.severe(secret_key)

        return "Done"
    }

}

Steps

Execute frida-trace against the sample app, tracing logging classes and methods.

run.sh
#!/bin/bash

# SUMMARY: This script uses frida-trace to trace logging statements in the specified Android app
# and filters the output to exclude certain log methods.
# The raw output is saved to "output_raw.txt" and then filtered to remove unwanted log entries.
# The final result is saved to "output.txt".

frida-trace \
    -U \
    -f org.owasp.mastestapp \
    --runtime=v8 \
    -j 'android.util.Log!*' \
    -j 'java.util.logging.Logger!severe' \
    -o output_raw.txt \
    && grep -E "(Log|Logger)" output_raw.txt | grep -vE "Log\.println|Log\.isLoggable" > output.txt

Observation

frida-trace has identified several instances where log output has been printed.

output.txt
Log.v("MASTG", "key: MAS-Sensitive-Value")
Log.i("MASTG", "key: MAS-Sensitive-Password")
Log.w("MASTG", "test: MAS-Sensitive-Value-IV")
Log.d("MASTG", "test: MAS-Sensitive-Value-IV-2")
Log.e("MASTG", "test: MAS-Sensitive-Value")
Log.wtf("MASTG", "test: MAS-Sensitive-Value")
Log.wtf(0, "MASTG", "test: MAS-Sensitive-Value", null, false, false)
Logger.severe("MAS-Sensitive-Key")

As a reference, this is the corresponding logcat output obtained from Android Studio.

logcat_output.txt
2024-05-14 10:30:06.864  6966-6966  MASTG                   org.owasp.mastestapp                 V  key: MAS-Sensitive-Value
2024-05-14 10:30:06.866  6966-6966  MASTG                   org.owasp.mastestapp                 I  key: MAS-Sensitive-Password
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 W  test: MAS-Sensitive-Value-IV
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 D  test: MAS-Sensitive-Value-IV-2
2024-05-14 10:30:06.867  6966-6966  MASTG                   org.owasp.mastestapp                 E  test: MAS-Sensitive-Value
2024-05-14 10:30:06.869  6966-6966  MASTG                   org.owasp.mastestapp                 E  test: MAS-Sensitive-Value
2024-05-14 10:30:06.881  6966-6966  myLogger                org.owasp.mastestapp                 E  MAS-Sensitive-Key

Evaluation

Review each of the reported instances by searching for keywords and known secrets (e.g. passwords, usernames, or values you keyed into the app).

Note: You could refine the test to input a known secret and then search for it in the logs.
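The evaluation step above can be automated: the following added example (not part of the MASTG demo) parses both the frida-trace `output.txt` lines and the logcat lines, then flags every message that contains a known secret you keyed into the app or a keyword such as "key" or "password". The sample input, the `KNOWN_SECRETS` list and the `KEYWORDS` pattern are constructed to match the output shown on this page.

```python
import re
# Known secrets keyed into the app (constructed to match the sample) and keywords that label secrets
KNOWN_SECRETS = ["MAS-Sensitive-Password", "MAS-Sensitive-Key", "MAS-Sensitive-Value-IV"]
KEYWORDS = re.compile(r"\b(password|passwd|secret|key|iv|token)\b", re.IGNORECASE)
# frida-trace call line: Log.<level>("<tag>", "<msg>", ...) or Logger.<method>("<msg>")
FRIDA_CALL = re.compile(r"^(?P<cls>Log|Logger)\.(?P<method>\w+)\((?P<args>.*)\)$")
# logcat line: date time pid-tid TAG package LEVEL message
LOGCAT = re.compile(r"^\S+ \S+\s+\d+-\d+\s+(?P<tag>\S+)\s+\S+\s+(?P<level>[VDIWEF])\s+(?P<msg>.*)$")
# Constructed sample input mirroring the output.txt and logcat lines above (not a live capture)
SAMPLE = [
    'Log.v("MASTG", "key: MAS-Sensitive-Value")',
    'Log.i("MASTG", "key: MAS-Sensitive-Password")',
    'Log.w("MASTG", "test: MAS-Sensitive-Value-IV")',
    'Log.d("MASTG", "onCreate finished")',
    'Logger.severe("MAS-Sensitive-Key")',
    "2024-05-14 10:30:06.881  6966-6966  myLogger  org.owasp.mastestapp  E  MAS-Sensitive-Key",
]

def parse_frida_line(line):
    # Returns {'source', 'api', 'message'} for a frida-trace call line, else None
    if not (m := FRIDA_CALL.match(line.strip())):
        return None
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group("args"))
    # The message is the last quoted argument: Log.x(tag, msg[, ...]) or Logger.severe(msg)
    return {"source": "frida", "api": f"{m.group('cls')}.{m.group('method')}",
            "message": strings[-1] if strings else m.group("args")}

def parse_logcat_line(line):
    # Returns the same record shape for a logcat line, else None
    if not (m := LOGCAT.match(line.strip())):
        return None
    return {"source": "logcat", "api": f"{m.group('tag')}/{m.group('level')}", "message": m.group("msg")}

def classify(message):
    # ('secret', values) when a known secret is present; ('keyword', [word]) when only a label is
    hits = [s for s in KNOWN_SECRETS if s in message]
    if hits:
        return "secret", hits
    kw = KEYWORDS.search(message)
    return ("keyword", [kw.group(0)]) if kw else (None, [])

def find_leaks(lines):
    # Parse frida-trace and logcat lines alike and keep the ones that carry a secret or a keyword
    findings = []
    for rec in filter(None, (parse_frida_line(ln) or parse_logcat_line(ln) for ln in lines)):
        kind, evidence = classify(rec["message"])
        if kind:
            findings.append({**rec, "kind": kind, "evidence": evidence})
    return findings
```

Messages that only match a keyword (here `key: MAS-Sensitive-Value`) still need a manual look, since the keyword list cannot tell a harmless label from a real value; feeding `KNOWN_SECRETS` with the exact values you entered is what makes the "secret" matches conclusive.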