MASTG-TEST-0296: Sensitive Data Exposure Through Insecure Logging

Overview

This test is the dynamic counterpart to Insertion of Sensitive Data into Logs.

In this test, we will monitor and capture the device logs and then analyze them for sensitive data.

Warning

  • Linking the logs back to specific locations in the app can be difficult and requires manual analysis of the code. As an alternative, you can use dynamic analysis with Frida for iOS.
  • Dynamic analysis works best when you interact extensively with the app. But even then there could be corner cases which are difficult or impossible to execute on every device. The results from this test therefore are likely not exhaustive.

Steps

  1. Install the app on a device ( Installing Apps).
  2. Monitor the logs with Monitoring System Logs.
  3. Open the app.
  4. Navigate through the app to the functionality whose log output you wish to analyse.
  5. Close the app.

Observation

The output should contain all logged data.

Evaluation

The test case fails if you can find sensitive data inside the output.
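The analysis of the captured output, as an added example that is not part of this MASTG page or the MASTG project's own code: the script below parses a log saved with a command such as `idevicesyslog > app.log`, keeps only the lines written by the app under test, and reports lines that contain data an evaluator would count as sensitive (credentials, tokens, payment card numbers, e-mail addresses). It assumes the common syslog-style line layout `Mon DD HH:MM:SS host process[pid] <Level>: message`; the process name `MASTestApp`, the regular expressions and all sample log lines are constructed for the example. Matched values are masked in the report so that the test report does not itself leak what the app logged, and digit runs are Luhn-checked so that order numbers are not reported as card numbers.

```python
"""Scan a captured iOS system log for sensitive data.

Added example for this MASTG test; it is not part of the MASTG page or the
MASTG project's own code. It assumes the log was saved with a command such
as `idevicesyslog > app.log` and that each line uses the syslog-style layout
`Mon DD HH:MM:SS host process[pid] <Level>: message` (the
`process(library)[pid]` variant is also handled). The process name
MASTestApp and every log line below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture; not output from a real device.
SAMPLE_LOG = """\
Jun 19 14:03:21 iPhone MASTestApp[1234] <Notice>: App launched
Jun 19 14:03:25 iPhone MASTestApp[1234] <Notice>: Login request user=alice@example.com password=Sup3rSecret!
Jun 19 14:03:26 iPhone MASTestApp(Foundation)[1234] <Error>: Auth response header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcDEF123
Jun 19 14:03:30 iPhone MASTestApp[1234] <Notice>: Saving card 4111 1111 1111 1111 for checkout
Jun 19 14:03:31 iPhone locationd[73] <Notice>: Location update, accuracy 10m
Jun 19 14:03:32 iPhone MASTestApp[1234] <Notice>: Order id 1234567890123456 created
"""

# Syslog-style line layout assumed for idevicesyslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[(\s]+)(?:\([^)]*\))?\[(?P<pid>\d+)\] <(?P<level>\w+)>: (?P<msg>.*)$"
)

# Categories of sensitive data to look for. When a pattern has a capture
# group, only the captured value is reported; otherwise the whole match.
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("password", re.compile(r"\bpass(?:word|wd)?\s*[=:]\s*(\S+)", re.I)),
    ("bearer token", re.compile(r"\bbearer\s+([A-Za-z0-9._~+/-]+=*)", re.I)),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("payment card", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


# Extra validation per category, to reduce false positives.
VALIDATORS = {"payment card": lambda s: luhn_ok(re.sub(r"\D", "", s))}


@dataclass(frozen=True)
class Finding:
    line_no: int
    process: str
    category: str
    redacted: str  # matched value, masked so the report itself does not leak it


def redact(value: str) -> str:
    """Keep only the first and last two characters of a matched value."""
    value = value.strip()
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_log(text: str, process: Optional[str] = None) -> List[Finding]:
    """Return one Finding per (line, category) for lines that match a pattern.

    If `process` is given, only lines logged by that process are inspected;
    otherwise every line in the expected layout is checked.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation text or a line outside the expected layout
        if process and m.group("proc") != process:
            continue
        msg = m.group("msg")
        for category, pattern in PATTERNS:
            for hit in pattern.finditer(msg):
                value = hit.group(hit.lastindex or 0)
                if category in VALIDATORS and not VALIDATORS[category](value):
                    continue
                findings.append(Finding(line_no, m.group("proc"), category, redact(value)))
                break  # one finding per category per line is enough for the report
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, process="MASTestApp"):
        print(f"line {f.line_no}: {f.process} logged {f.category}: {f.redacted}")
```

To run it against a real capture, read the saved file and pass its contents to `scan_log(text, process="<your app's process name>")`. Any finding means the test case fails; the line number lets you go back to the full log line, while the masked value is what goes into the report. The pattern list is a starting point, not a complete definition of sensitive data: extend it with the identifiers, tokens and personal data that are specific to the app under test.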

Mitigations

Demos

MASTG-DEMO-0066: Sensitive Data Logging with idevicesyslog