Skip to content

MASTG-TEST-0203: Leakage of Sensitive Data via Logging APIs

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

On Android platforms, logging APIs like Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace can inadvertently lead to the leakage of sensitive information. Log messages are recorded in logcat, a shared memory buffer, accessible since Android 4.1 (API level 16) only to privileged system applications that declare the READ_LOGS permission. Nonetheless, the vast ecosystem of Android devices includes pre-loaded apps with the READ_LOGS privilege, increasing the risk of sensitive data exposure. Therefore, direct logging to logcat is generally advised against due to its susceptibility to data leaks.

Steps

  1. Install and run the app.
  2. Navigate to the screen of the mobile app you want to analyse the log output from.
  3. Execute a method trace ( Method Tracing) (using e.g. Frida for Android) by attaching to the running app, targeting logging APIs and save the output.

Observation

The output should contain a list of locations where logging APIs are used in the app for the current execution.

Evaluation

The test case fails if you can find sensitive data being logged using those APIs.

Demos

MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets