MASTG-TEST-0203: Runtime Use of Logging APIs
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
On Android platforms, logging APIs like Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace can inadvertently lead to the leakage of sensitive information. Log messages are recorded in logcat, a shared memory buffer, accessible since Android 4.1 (API level 16) only to privileged system applications that declare the READ_LOGS permission. Nonetheless, the vast ecosystem of Android devices includes pre-loaded apps with the READ_LOGS privilege, increasing the risk of sensitive data exposure. Therefore, direct logging to logcat is generally advised against due to its susceptibility to data leaks.
Steps
- Install and run the app.
- Navigate to the screen of the mobile app you want to analyse the log output from.
- Execute a method trace (see Method Tracing), e.g. using Frida for Android, by attaching to the running app and targeting the logging APIs listed above; save the output.
Observation
The output should contain a list of locations where logging APIs are used in the app for the current execution.
Evaluation
The test case fails if you can find sensitive data being logged using those APIs.
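The Observation and Evaluation steps leave the tester with a trace of every logging call and the job of deciding whether any of those messages carries sensitive data. The following is an added example, not part of this MASTG page or of any MASTG tool: it scans a method-trace dump for patterns that commonly indicate secrets (credential key/value pairs, bearer tokens, JWTs, e-mail addresses, and Luhn-valid card numbers) so that the evaluation can be repeated mechanically across runs. The tab-separated `api\ttag\tmessage` trace format and the sample trace itself are constructed for this example; adapt `parse_line` to whatever your tracer actually emits.

```python
"""Flag sensitive data in a method trace of Android logging calls.

Added example for MASTG-TEST-0203 (not the page's own code). The trace
format (one call per line: "<api>\t<tag>\t<message>") is an assumption
made for this example; real tracer output will need its own parser.
"""
import re
from dataclasses import dataclass, field

# Constructed sample trace of hooked logging calls (not real app output).
SAMPLE_TRACE = """\
android.util.Log.d\tLifecycle\tonResume called
android.util.Log.i\tAuth\tlogin ok for user alice@example.com
android.util.Log.d\tNet\tAuthorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.dGVzdHNpZw
java.io.PrintStream.println\t-\tcard=4111111111111111 exp=12/29
java.lang.Throwable.printStackTrace\t-\tjava.io.IOException: timeout
android.util.Log.v\tPrefs\tpassword=hunter2 remember=true
"""

# Regex detectors keyed by finding category. The PAN pattern is only a
# candidate; it is confirmed with a Luhn check below to cut false positives.
DETECTORS = {
    "credential": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "pan": re.compile(r"\b\d{13,19}\b"),
}


@dataclass
class Finding:
    line_no: int
    api: str
    tag: str
    categories: set = field(default_factory=set)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_line(line: str):
    """Split a trace line into (api, tag, message); tolerate missing fields."""
    parts = line.split("\t", 2)
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    # Unknown layout: treat the whole line as the logged message.
    return "?", "-", line


def classify(message: str) -> set:
    """Return the set of sensitive-data categories matched in a message."""
    hits = set()
    for category, pattern in DETECTORS.items():
        for match in pattern.finditer(message):
            if category == "pan" and not luhn_ok(match.group(0)):
                continue  # long number but not a plausible card number
            hits.add(category)
    return hits


def scan_trace(text: str) -> list:
    """Scan every trace line; return one Finding per line that leaks data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        api, tag, message = parse_line(line)
        cats = classify(message)
        if cats:
            findings.append(Finding(line_no, api, tag, cats))
    return findings


if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE):
        print(f"line {f.line_no}: {f.api} [{f.tag}] -> {sorted(f.categories)}")
```

Under the Evaluation rule above, any non-empty result from `scan_trace` on the real trace is a failing test case; the category names tell you which kind of data to chase down in the app's logging call sites. Extend `DETECTORS` with app-specific identifiers (session cookie names, internal account formats) before relying on it, since the generic patterns here are only a starting set.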
Mitigations
Demos
MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets