MASTG-TEST-0203: Runtime Use of Logging APIs
Overview
On Android, logging APIs such as android.util.Log, java.util.logging.Logger, System.out.print/println, System.err.print/println and java.lang.Throwable#printStackTrace can inadvertently leak sensitive information. All of them end up in logcat, a shared in-memory ring buffer (System.out and System.err are redirected there too, so they are no safer than Log). Since Android 4.1 (API level 16), reading that buffer requires the READ_LOGS permission, which is only granted to privileged system applications. Nonetheless, the vast ecosystem of Android devices includes pre-loaded apps that hold READ_LOGS, and anyone with adb access to the device can dump the entire buffer with adb logcat, so sensitive data written there is exposed well beyond the app that wrote it. Direct logging to logcat is therefore generally advised against.
Steps
- Use Installing Apps to install the app.
- Use Method Hooking to hook the relevant API calls.
- Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
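The hooking step above, as an added example that is not MASTG's own code or the linked demo: a Frida script (JavaScript) that intercepts the logging APIs named in the overview and flags any message that looks like a secret, so the trace of an extensively exercised app only surfaces the calls worth reviewing. The package name in the run command, the pattern list and the sample messages are assumptions constructed for this example; the detector is deliberately heuristic and should be tuned to the app under test.

```javascript
// Added example (not MASTG's own script): a Frida hook for the logging APIs named in
// the overview, with a small secret-detection heuristic. Run it with (package name is
// an assumption, substitute the app under test):
//   frida -U -f com.example.app -l hook_logging.js
// Outside Frida (plain Node), the hooks are skipped and the constructed sample
// messages at the bottom are classified instead, so the detector can be tested offline.
'use strict';

// Heuristic patterns for "looks sensitive". These are assumptions to tune per app,
// not an exhaustive or MASTG-specified list.
const SENSITIVE_PATTERNS = [
  { name: 'keyword', re: /\b(password|passwd|pwd|secret|token|api[_-]?key|authorization|bearer|session)\b\s*[:=]/i },
  { name: 'jwt',     re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
  { name: 'card',    re: /\b(?:\d[ -]?){12,18}\d\b/ },   // 13-19 digits, optional separators
  { name: 'email',   re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/ },
];

// Luhn checksum, used to drop most phone numbers and IDs that the card regex also matches.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Returns the names of the patterns a single log message triggers ([] if none).
function classify(message) {
  const hits = [];
  for (const p of SENSITIVE_PATTERNS) {
    const m = p.re.exec(message);
    if (!m) continue;
    if (p.name === 'card' && !luhnValid(m[0].replace(/[ -]/g, ''))) continue;
    hits.push(p.name);
  }
  return hits;
}

// Classifies a list of {api, message} records and keeps only those that triggered a pattern.
function scanMessages(records) {
  return records
    .map(r => ({ api: r.api, message: r.message, hits: classify(r.message) }))
    .filter(r => r.hits.length > 0);
}

// Called from every hook: forward the full record to the Frida host, print only suspicious ones.
function report(api, message) {
  const hits = classify(message);
  const record = { api: api, message: message, hits: hits };
  if (typeof send === 'function') send(record);
  if (hits.length) console.log('[!] ' + api + ' ' + hits.join(',') + ': ' + message);
}

// Hook every overload of the named methods on a class and report the stringified arguments.
function hookAll(className, methodNames) {
  const clazz = Java.use(className);
  methodNames.forEach(function (name) {
    clazz[name].overloads.forEach(function (ov) {
      ov.implementation = function () {
        const args = Array.prototype.slice.call(arguments).map(a => String(a));
        report(className + '.' + name, args.join(' '));
        return ov.apply(this, arguments);
      };
    });
  });
}

function installHooks() {
  Java.perform(function () {
    hookAll('android.util.Log', ['v', 'd', 'i', 'w', 'e', 'wtf']);
    hookAll('java.util.logging.Logger', ['log', 'info', 'warning', 'severe']);
    hookAll('java.io.PrintStream', ['print', 'println']);   // System.out / System.err
    const Throwable = Java.use('java.lang.Throwable');
    Throwable.printStackTrace.overloads.forEach(function (ov) {
      ov.implementation = function () {
        report('java.lang.Throwable.printStackTrace', String(this));  // exception message
        return ov.apply(this, arguments);
      };
    });
  });
}

// Constructed sample messages (not captured from any real app) for offline use.
const SAMPLE_MESSAGES = [
  { api: 'android.util.Log.d', message: 'LoginActivity password=hunter2 user=alice' },
  { api: 'java.io.PrintStream.println', message: 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnop' },
  { api: 'android.util.Log.i', message: 'charging card 4111 1111 1111 1111 for order 77' },
  { api: 'android.util.Log.v', message: 'onResume: view inflated in 12 ms' },
  { api: 'android.util.Log.v', message: 'support line 0800 123 456 789' },  // not Luhn-valid
];

if (typeof Java !== 'undefined') {
  installHooks();
} else {
  scanMessages(SAMPLE_MESSAGES).forEach(r => console.log(r.api, r.hits, r.message));
}
```

Expect duplicates in the trace: Logger's convenience methods delegate to log, and println typically calls print internally, so the same string can be reported twice; that is harmless for review. Every call is still forwarded to the host via send so nothing is lost if the heuristics miss a value; the printed [!] lines are only the first place to look.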
Observation
The output should list every logging API call made during the session, with the called method and the strings it was given, so that you can see where in the app logging happens and what was written.
Evaluation
The test case fails if you can find sensitive data being logged using those APIs.
Best Practices
MASTG-BEST-0002: Remove Logging Code
Demos
MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets