MASTG-DEMO-0124: Logging APIs Exposing Implementation Details with r2

Sample

The sample code below demonstrates verbose logging across multiple iOS logging APIs, including NSLog, print, debugPrint, dump, and Apple Unified Logging via Logger, during authentication, networking, storage access, and error handling. These code paths are designed to produce verbose debug and error output in the compiled binary.

The sample includes logs exposing an internal API endpoint, a username, a mock session token, cached profile usage, error object contents, stack traces, internal module names, authentication flow details, validation logic, and network-related configuration details.

MastgTest.swift
import Foundation
import UIKit
import os.log

// SUMMARY: This sample demonstrates verbose error logging and debugging messages that expose implementation details.

class MastgTest {

    static func mastgTest(completion: @escaping (String) -> Void) {
        // FAIL: [MASTG-TEST-0358] Verbose logging exposes internal API endpoint and request details
        NSLog("[DEBUG] Attempting to connect to API endpoint: https://internal-api.example.com/v2/auth/login")

        let result = performLogin(username: "testuser", password: "testpass")
        completion(result)
    }

    static func performLogin(username: String, password: String) -> String {
        // FAIL: [MASTG-TEST-0358] Debug print exposes function execution flow and internal state
        // FAIL: [MASTG-TEST-0297] Debug print exposes user name
        print("[DEBUG] performLogin() called with username: \(username)")

        // Simulate network request
        let success = validateCredentials(username: username, password: password)

        if success {
            // FAIL: [MASTG-TEST-0358] Verbose success message exposes implementation details
            // FAIL: [MASTG-TEST-0297] Verbose success message exposes authentication token
            debugPrint("✅ [DEBUG] Authentication successful - Session token generated: \(generateMockToken())")
            debugPrint("[DEBUG] User profile loaded from cache, bypassing network call")
            return "Login successful"
        } else {
            // FAIL: [MASTG-TEST-0358] Detailed error logging exposes error handling logic
            NSLog("[ERROR] Authentication failed - Invalid credentials provided")
            NSLog("[DEBUG] Fallback to offline mode initiated")
            NSLog("[DEBUG] Error code: AUTH_001, Module: AuthenticationService.validateCredentials()")
            return "Login failed"
        }
    }

    static func validateCredentials(username: String, password: String) -> Bool {
        // FAIL: [MASTG-TEST-0358] os_log with .debug level exposes validation logic
        if #available(iOS 14.0, *) {
            let logger = Logger(subsystem: "com.example.mastg", category: "Authentication")
            logger.debug("Validating credentials against local database")
            logger.debug("Checking password hash: SHA256 algorithm")
        }

        // Simulate validation
        return username.count > 0 && password.count > 0
    }

    static func generateMockToken() -> String {
        return "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    }

    static func performNetworkRequest() {
        // FAIL: [MASTG-TEST-0358] Verbose logging exposes network configuration
        print("[DEBUG] Network request configuration:")
        print("[DEBUG] - Timeout: 30s")
        print("[DEBUG] - Retry count: 3")
        print("[DEBUG] - SSL pinning: disabled")
        print("[DEBUG] - Certificate validation: relaxed for staging environment")
    }

    static func handleError(_ error: Error) {
        // FAIL: [MASTG-TEST-0358] Dumping error object exposes internal error structure
        dump(error)

        // FAIL: [MASTG-TEST-0358] Verbose error logging with stack trace information
        NSLog("[ERROR] Exception occurred in module: NetworkManager")
        NSLog("[ERROR] Stack trace: \(Thread.callStackSymbols)")
    }

    // PASS: [MASTG-TEST-0358] Properly guarded debug logging (would not appear in release builds if DEBUG flag is set)
    static func properlyGuardedLogging() {
        #if DEBUG
        print("[DEBUG] This message only appears in debug builds")
        NSLog("[DEBUG] Debug configuration active")
        #endif
    }
}

Steps

  1. Unzip the app package and locate the main application binary (Exploring the App Package).
  2. Open the app binary with radare2 (iOS) with the -i option to run the Radare2 script. The script first identifies cross references to the logging API imports, and then disassembles a selection of those call sites to recover the actual log messages. At each call site the message string is loaded into a register by an adrp/add pair right before the bl to the logging API, and Radare2 resolves that pointer and annotates it with the literal string, so you can read exactly what is logged.
verbose_logging.r2
e scr.color=0
e scr.interactive=false
e bin.relocs.apply=true
e bin.cache=true
e search.in=io.maps.x
e asm.bytes=true
e asm.var=false

?e === Analyzing iOS Binary for Verbose Logging ===
?e

?e [*] Cross references to logging related imports
axt @@ sym.imp.*~NSLog
axt @@ sym.imp.*~print
axt @@ sym.imp.*~debugPrint
axt @@ sym.imp.*~dump
axt @@ sym.imp.*~os_log
axt @@ sym.imp.*~Logger
axt @@ sym.imp.*~_os_log_impl
axt @@ sym.imp.*~os_log_type_enabled
?e

# The xrefs above only prove the logging APIs are referenced. To show WHAT is
# actually logged, disassemble each full call site from the string load up to
# the logging call. The message is loaded into a register with an `adrp`/`add`
# pair, r2 resolves that pointer and annotates it with the literal string, and a
# few instructions later that register is passed as an argument to the `bl` into
# the logging API. Reading the snippet top-to-bottom shows the string flowing
# into the log call. The instruction count after each `pd` spans exactly from the
# `adrp` to the `bl`; with `asm.bytes=true` the raw opcode bytes are shown too.
?e [*] Recovered log message contents
?e     (full disassembly from the string load to the logging call)
?e

?e "=== NSLog -> internal API endpoint (mastgTest) ==="
pd 11 @ 0x100006864
?e

?e "=== print -> username (performLogin) ==="
pd 21 @ 0x1000048c4
?e

?e "=== debugPrint -> mock session token literal (performLogin) ==="
pd 16 @ 0x10000498c
?e

?e "=== print -> SSL pinning disabled (performNetworkRequest) ==="
pd 13 @ 0x100004d44
?e

?e "=== Logger.debug -> password hashing algorithm (validateCredentials) ==="
pd 7 @ 0x1000047a8
?e

?e "=== NSLog -> error code & internal module (performLogin) ==="
pd 7 @ 0x100004a7c
?e

?e [*] Done
run.sh
#!/bin/bash

# Run radare2 static analysis on the binary
r2 -e bin.relocs.apply=true -q -i verbose_logging.r2 -A MASTestApp > output.txt

Observation

The output has two parts. The first lists cross references to multiple logging APIs, and the second shows the disassembly of selected call sites with the recovered log message strings.

output.txt
=== Analyzing iOS Binary for Verbose Logging ===

[*] Cross references to logging related imports
sym.func.100004838 0x100004a5c [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100004838 0x100004a78 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100004838 0x100004a94 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100005fb4 0x1000060b0 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100005fb4 0x100006190 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100005fb4 0x100006260 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100005fb4 0x100006514 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100005fb4 0x1000065c8 [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100006840 0x10000688c [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100004838 0x100004914 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004c78 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004cc8 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004d1c [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004d74 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004dcc [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004ed8 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004be8 0x100004f2c [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004f50 0x100005324 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004f50 0x100005454 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004f50 0x100005528 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004f50 0x10000560c [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005678 0x100005814 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005678 0x1000058d0 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005678 0x100005964 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005a98 0x100005e70 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005a98 0x100005f2c [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100005a98 0x100005f88 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100006840 0x100006964 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100006840 0x100006a0c [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100006840 0x100006afc [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100006840 0x100006b50 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004838 0x1000049c8 [CALL:--x] bl sym.imp.debugPrint.separator.terminator.St
sym.func.100004838 0x100004a1c [CALL:--x] bl sym.imp.debugPrint.separator.terminator.St
sym.func.100005fb4 0x100006298 [CALL:--x] bl sym.imp.dump.name.indent__String_...SgS3itlF_
sym.func.10000465c 0x100004708 [CALL:--x] bl sym.imp.os_log_type_t.addressor..debug_...vgZ_
sym.func.10000465c 0x100004774 [CALL:--x] bl sym.imp.os_log_type_t.addressor..debug_...vgZ_
sym.func.100005fb4 0x1000062f4 [CALL:--x] bl sym.imp.os_log_type_t.addressor..error_...vgZ_
sym.func.100005fb4 0x100006394 [CALL:--x] bl sym.imp.os_log_type_t.addressor..fault_...vgZ_
sym.func.10000465c 0x100004754 [CALL:--x] bl sym.imp._os_log_impl
sym.func.10000465c 0x1000047c0 [CALL:--x] bl sym.imp._os_log_impl
sym.func.100005fb4 0x10000635c [CALL:--x] bl sym.imp._os_log_impl
sym.func.100005fb4 0x1000064a0 [CALL:--x] bl sym.imp._os_log_impl
sym.func.10000465c 0x100004718 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.10000465c 0x100004784 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.100005fb4 0x100006304 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.100005fb4 0x1000063a8 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.10000465c 0x100004700 [CALL:--x] bl sym.imp.os.Logger.logObject.OS_._...C0Cvg
sym.func.10000465c 0x10000476c [CALL:--x] bl sym.imp.os.Logger.logObject.OS_._...C0Cvg
sym.func.100005fb4 0x1000062ec [CALL:--x] bl sym.imp.os.Logger.logObject.OS_._...C0Cvg
sym.func.100005fb4 0x10000638c [CALL:--x] bl sym.imp.os.Logger.logObject.OS_._...C0Cvg
sym.func.10000465c 0x1000046fc [CALL:--x] bl sym.imp.os.Logger.subsystem.category__String_...tcfC_
sym.func.100005fb4 0x1000062dc [CALL:--x] bl sym.imp.os.Logger.subsystem.category__String_...tcfC_
sym.func.10000465c 0x10000468c [CALL:--x] bl sym.imp.os.Logger...VMa
sym.func.100005fb4 0x100005fe4 [CALL:--x] bl sym.imp.os.Logger...VMa
sym.func.10000994c 0x100009964 [CALL:--x] bl sym.imp.os.Logger...VMa
sym.func.1000099fc 0x100009a14 [CALL:--x] bl sym.imp.os.Logger...VMa
sym.func.10000465c 0x100004754 [CALL:--x] bl sym.imp._os_log_impl
sym.func.10000465c 0x1000047c0 [CALL:--x] bl sym.imp._os_log_impl
sym.func.100005fb4 0x10000635c [CALL:--x] bl sym.imp._os_log_impl
sym.func.100005fb4 0x1000064a0 [CALL:--x] bl sym.imp._os_log_impl
sym.func.10000465c 0x100004718 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.10000465c 0x100004784 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.100005fb4 0x100006304 [CALL:--x] bl sym.imp.os_log_type_enabled
sym.func.100005fb4 0x1000063a8 [CALL:--x] bl sym.imp.os_log_type_enabled

[*] Recovered log message contents
(full disassembly from the string load to the logging call)

=== NSLog -> internal API endpoint (mastgTest) ===
           0x100006864      280000b0       adrp x8, sym.imp.append_...ySSF_ ; 0x10000b000
           0x100006868      08012a91       add x8, x8, 0xa80          ; 0x10000ba80 ; "[DEBUG] Attempting to connect to API endpoint: https://internal-api.example.com/v2/auth/login"
           0x10000686c      088100d1       sub x8, x8, 0x20
           0x100006870      09098052       mov w9, 0x48               ; 'H'
           0x100006874      bc0280d2       mov x28, 0x15
           0x100006878      1c00faf2       movk x28, 0xd000, lsl 48
           0x10000687c      620000d0       adrp x2, segment.__DATA_CONST ; 0x100014000
           0x100006880      423043f9       ldr x2, [x2, 0x660]        ; [0x100014660:8]=0
                                                                      ; reloc._swiftEmptyArrayStorage
           0x100006884      800309aa       orr x0, x28, x9
           0x100006888      010141b2       orr x1, x8, 0x8000000000000000
           0x10000688c      1d110094       bl sym.imp.Foundation.NSLogCVarArg_...dtF_ ; Foundation.NSLogCVarArg(...dtF)

=== print -> username (performLogin) ===
           0x1000048c4      48000090       adrp x8, 0x10000c000
           0x1000048c8      08810891       add x8, x8, 0x220          ; 0x10000c220 ; "[DEBUG] performLogin() called with username:"
           0x1000048cc      088100d1       sub x8, x8, 0x20
           0x1000048d0      080141b2       orr x8, x8, 0x8000000000000000
           0x1000048d4      69760091       add x9, x19, 0x1d
           0x1000048d8      e92301a9       stp x9, x8, [var_10h]
           0x1000048dc      f4430091       add x20, sp, 0x10
           0x1000048e0      e00319aa       mov x0, x25
           0x1000048e4      e10318aa       mov x1, x24
           0x1000048e8      c6190094       bl sym.imp.append_...ySSF_ ; append(...ySSF)
           0x1000048ec      e82741a9       ldp x8, x9, [var_10h]
           0x1000048f0      9b000090       adrp x27, segment.__DATA_CONST ; 0x100014000
           0x1000048f4      7b9742f9       ldr x27, [x27, 0x528]      ; [0x100014528:8]=0
                                                                      ; reloc....SSN
           0x1000048f8      5b1f00f9       str x27, [x26, 0x38]
           0x1000048fc      482702a9       stp x8, x9, [x26, 0x20]
           0x100004900      e0031aaa       mov x0, x26
           0x100004904      01048052       mov w1, 0x20
           0x100004908      0220fcd2       mov x2, -0x1f00000000000000
           0x10000490c      43018052       mov w3, 0xa
           0x100004910      0420fcd2       mov x4, -0x1f00000000000000
           0x100004914      001a0094       bl sym.imp.print.separator.terminator.St

=== debugPrint -> mock session token literal (performLogin) ===
           0x10000498c      280000f0       adrp x8, sym.imp.append_...ySSF_ ; 0x10000b000
           0x100004990      08013391       add x8, x8, 0xcc0          ; 0x10000bcc0 ; "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
           0x100004994      088100d1       sub x8, x8, 0x20
           0x100004998      60520091       add x0, x19, 0x14
           0x10000499c      010141b2       orr x1, x8, 0x8000000000000000
           0x1000049a0      f4430091       add x20, sp, 0x10
           0x1000049a4      97190094       bl sym.imp.append_...ySSF_ ; append(...ySSF)
           0x1000049a8      e82741a9       ldp x8, x9, [var_10h]
           0x1000049ac      db1e00f9       str x27, [x22, 0x38]
           0x1000049b0      c82602a9       stp x8, x9, [x22, 0x20]
           0x1000049b4      e00316aa       mov x0, x22
           0x1000049b8      01048052       mov w1, 0x20
           0x1000049bc      0220fcd2       mov x2, -0x1f00000000000000
           0x1000049c0      43018052       mov w3, 0xa
           0x1000049c4      0420fcd2       mov x4, -0x1f00000000000000
           0x1000049c8      ac190094       bl sym.imp.debugPrint.separator.terminator.St

=== print -> SSL pinning disabled (performNetworkRequest) ===
           0x100004d44      48000090       adrp x8, 0x10000c000
           0x100004d48      08010591       add x8, x8, 0x140          ; 0x10000c140 ; "[DEBUG] SSL pinning: disabled"
           0x100004d4c      088100d1       sub x8, x8, 0x20
           0x100004d50      080141b2       orr x8, x8, 0x8000000000000000
           0x100004d54      151c00f9       str x21, [x0, 0x38]
           0x100004d58      29018052       mov w9, 9
           0x100004d5c      490309aa       orr x9, x26, x9
           0x100004d60      092002a9       stp x9, x8, [x0, 0x20]
           0x100004d64      01048052       mov w1, 0x20
           0x100004d68      0220fcd2       mov x2, -0x1f00000000000000
           0x100004d6c      43018052       mov w3, 0xa
           0x100004d70      0420fcd2       mov x4, -0x1f00000000000000
           0x100004d74      e8180094       bl sym.imp.print.separator.terminator.St

=== Logger.debug -> password hashing algorithm (validateCredentials) ===
           0x1000047a8      63000090       adrp x3, section.16.__TEXT.__oslogstring ; 0x100010000
           0x1000047ac      63800191       add x3, x3, 0x60
           0x1000047b0      421f0012       and w2, w26, 0xff
           0x1000047b4      e10319aa       mov x1, x25
           0x1000047b8      e4031baa       mov x4, x27
           0x1000047bc      45008052       mov w5, 2
           0x1000047c0      731a0094       bl sym.imp._os_log_impl

=== NSLog -> error code & internal module (performLogin) ===
           0x100004a7c      48000090       adrp x8, 0x10000c000
           0x100004a80      08010b91       add x8, x8, 0x2c0          ; 0x10000c2c0 ; "[DEBUG] Error code: AUTH_001, Module: AuthenticationService.validateCredentials()"
           0x100004a84      088100d1       sub x8, x8, 0x20
           0x100004a88      60060191       add x0, x19, 0x41
           0x100004a8c      010141b2       orr x1, x8, 0x8000000000000000
           0x100004a90      e20314aa       mov x2, x20
           0x100004a94      9b180094       bl sym.imp.Foundation.NSLogCVarArg_...dtF_ ; Foundation.NSLogCVarArg(...dtF)

[*] Done

The cross references show how often each logging API is reached:

  • 9 binary xrefs to Foundation.NSLog... (the sample uses NSLog(...) 10 times).
  • 22 binary xrefs to print.separator.terminator (the sample uses print(...) 23 times).
  • 2 binary xrefs to debugPrint.separator.terminator (the sample uses debugPrint(...) 2 times).
  • 1 binary xref to dump.name.indent... (the sample uses dump(...) 1 time).
  • 2 binary xrefs to Logger.subsystem.category... (the sample uses Logger(...) 2 times).
  • logger.debug, logger.error, and logger.fault are used 4 times in the sample and result in:
    • 4 xrefs to Logger.logObject...
    • 4 xrefs to _os_log_impl
    • 4 xrefs to os_log_type_enabled
    • 4 log type xrefs: 2 debug, 1 error, 1 fault

Note that the number of logging calls in the source code and the number of binary xrefs do not always match exactly. In this case, NSLog and print each show one fewer xref than the number of source calls. That can happen because of compiler optimizations, inlining, or code generation details in Swift.

Although the sample never calls the old C-style os_log(...) API directly, the output still contains references to os_log. This is because the sample uses Logger, which is part of Apple's Unified Logging system. Under the hood, Swift logging relies on the unified logging machinery, which is why lower-level logging symbols appear in the compiled binary.

The second part of the output goes beyond confirming that the APIs are referenced and shows the literal message strings recovered from the call sites. Each block is the full disassembly window from the string load down to the logging call (with asm.bytes=true, the raw opcode bytes are shown alongside each instruction), so the data flow is explicit end to end: an adrp/add pair computes a pointer into the __cstring (or __oslogstring) section, Radare2 resolves it and prints the string as a comment (for example ; 0x10000ba80 ; "[DEBUG] Attempting to connect to API endpoint: https://internal-api.example.com/v2/auth/login"), the pointer is moved through a few argument-setup instructions, and the same register is then handed to the bl into the logging API that closes the window. Reading each snippet top to bottom shows the string flowing into the log call. The recovered content includes an internal API endpoint, the username, a mock session token (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9), the disabled SSL pinning state, the password hashing algorithm, and an internal error code and module name, all of which expose implementation details.
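
The following Python parser for the output.txt format above is an added example, not part of the MASTG demo. It counts unique call sites per logging API (some call sites, such as those for _os_log_impl, are listed twice in the output), pairs each recovered string with the logging call that closes its window, and reports windows that carry no string annotation so they can be checked by hand. The sample is a trimmed excerpt of the output above; the function and family names are chosen for this example.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the output.txt shown above; the _os_log_impl call site is
# listed twice, as it is in the full output.
SAMPLE = """\
[*] Cross references to logging related imports
sym.func.100004838 0x100004a5c [CALL:--x] bl sym.imp.Foundation.NSLogCVarArg_...dtF_
sym.func.100004838 0x100004914 [CALL:--x] bl sym.imp.print.separator.terminator.St
sym.func.100004838 0x1000049c8 [CALL:--x] bl sym.imp.debugPrint.separator.terminator.St
sym.func.10000465c 0x1000047c0 [CALL:--x] bl sym.imp._os_log_impl
sym.func.10000465c 0x1000047c0 [CALL:--x] bl sym.imp._os_log_impl

[*] Recovered log message contents
=== print -> SSL pinning disabled (performNetworkRequest) ===
           0x100004d44      48000090       adrp x8, 0x10000c000
           0x100004d48      08010591       add x8, x8, 0x140          ; 0x10000c140 ; "[DEBUG] SSL pinning: disabled"
           0x100004d74      e8180094       bl sym.imp.print.separator.terminator.St

=== Logger.debug -> password hashing algorithm (validateCredentials) ===
           0x1000047a8      63000090       adrp x3, section.16.__TEXT.__oslogstring ; 0x100010000
           0x1000047ac      63800191       add x3, x3, 0x60
           0x1000047c0      731a0094       bl sym.imp._os_log_impl
"""

# Logging API families, checked in order; the first substring match wins.
FAMILIES = [("NSLog", "NSLog"), ("debugPrint", "debugPrint"),
            ("print", "imp.print."), ("dump", "imp.dump."),
            ("os_log_type_enabled", "os_log_type_enabled"),
            ("_os_log_impl", "_os_log_impl"),
            ("os_log_type_t", "os_log_type_t"), ("Logger", "os.Logger")]

XREF = re.compile(r"^\S+\s+(0x[0-9a-f]+)\s+\[CALL:[^\]]*\]\s+bl\s+(sym\.imp\.\S+)")
HEADER = re.compile(r"^=== (.+ -> .+) ===$")   # "API -> description (function)"
STRING = re.compile(r';\s*"(.*)"\s*$')         # r2 string annotation
CALL = re.compile(r"\bbl\s+(sym\.imp\.\S+)")

def family(symbol):
    return next((name for name, needle in FAMILIES if needle in symbol), "other")

def count_xrefs(text):
    """Unique call-site addresses per logging API family (duplicates collapse)."""
    sites = defaultdict(set)
    for line in text.splitlines():
        m = XREF.match(line)
        if m:
            sites[family(m.group(2))].add(m.group(1))
    return {name: len(addrs) for name, addrs in sites.items()}

def recovered_messages(text):
    """One record per disassembly window: title, closing logging API, strings."""
    windows, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            current = {"title": h.group(1), "api": None, "strings": []}
            windows.append(current)
        elif current is not None:
            s, c = STRING.search(line), CALL.search(line)
            if s:
                current["strings"].append(s.group(1))
            if c:  # the last bl in the window is the logging call
                current["api"] = family(c.group(1))
    return windows

def unresolved(windows):
    """Titles of windows with no annotated string; review these manually."""
    return [w["title"] for w in windows if not w["strings"]]

if __name__ == "__main__":
    print(count_xrefs(SAMPLE))
    for w in recovered_messages(SAMPLE):
        print(w["api"], w["strings"] or "<no string annotation>")
```
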

Evaluation

The test fails because the app contains implemented logging paths that record verbose diagnostic and error-related information, rather than merely linking against or referencing logging APIs.

This was determined by reverse engineering the binary in two steps. First, cross references to the logging APIs show that authentication, networking, and error-handling code paths reach NSLog, print, debugPrint, dump, and unified logging (Logger/os_log). Second, disassembling those call sites recovers the literal message strings that are passed to the logging functions, so the conclusion is not based on the mere presence of logging APIs but on the actual content that is logged. The recovered strings confirm that the compiled app emits sensitive implementation details, including an internal API endpoint, a username, a mock session token, the SSL pinning state, the password hashing algorithm, and an internal error code and module name.

The disassembly recovers the static string operands of each logging call. Values that are only known at runtime, such as the interpolated results of generateMockToken() or Thread.callStackSymbols, are not resolved by static analysis. To capture those concrete values, use dynamic analysis and runtime log capture; see Implementation Details Exposed in App Logs.