MASTG-TEST-0296: Sensitive Data Exposure Through Insecure Logging
Overview
This test is the dynamic counterpart to Insertion of Sensitive Data into Logs.
In this test, we will monitor and capture the device logs and then analyze them for sensitive data.
Warning
- Linking the logs back to specific locations in the app can be difficult and requires manual analysis of the code. As an alternative you can use Method Hooking.
- Dynamic analysis works best when you interact extensively with the app, but even then there may be corner cases that are difficult or impossible to trigger on every device, so the results of this test are likely not exhaustive.
Steps
- Use Installing Apps to install the app.
- Use Monitoring System Logs to monitor the device logs.
- Open the app.
- Navigate to the screens you want to analyze the log output from.
- Close the app.
Observation
The output should contain all logged data.
Evaluation
The test case fails if you can find sensitive data inside the output.
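As an added example of the analysis behind the Steps and Evaluation above (not part of MASTG or of any app's code), the following Python scanner parses a constructed `adb logcat -v threadtime` capture and flags e-mail addresses, credential key/value pairs, JWT-shaped tokens and Luhn-valid card numbers; the sample lines, tag names and detection rules are assumptions chosen for illustration.

```python
import re

# Constructed sample in `adb logcat -v threadtime` format (not a real device capture).
SAMPLE_LOGCAT = """\
--------- beginning of main
03-14 10:22:05.456  4321  4350 D AuthRepo: login user=alice@example.com password=Hunter2!
03-14 10:22:05.789  4321  4350 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlLWJ5dGVz
03-14 10:22:09.000  4321  4321 V Checkout: card number 4111 1111 1111 1111 entered
03-14 10:22:10.000  4321  4321 D Checkout: order id 1234567890123456 created
"""

# One threadtime line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_LINE = re.compile(r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+\d+\s+\d+\s+"
                         r"(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$")

# Detection rules applied to the message body only (assumed patterns, extend as needed).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential_kv": re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "card_pan": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, confirmed with Luhn below
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_logcat(text: str) -> list:
    """Return (rule, tag, matched_text) for every sensitive-looking value in the capture."""
    findings = []
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # buffer headers and other non-log lines
        tag, msg = m.group("tag").strip(), m.group("msg")
        for rule, rx in PATTERNS.items():
            for hit in rx.finditer(msg):
                value = hit.group(0)
                if rule == "card_pan" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # digit run that is not a valid PAN
                findings.append((rule, tag, value))
    return findings

if __name__ == "__main__":
    for rule, tag, value in scan_logcat(SAMPLE_LOGCAT):
        print(f"[{rule}] {tag}: {value}")
```

Each finding carries the log tag, which is usually the quickest way to trace a leak back to the responsible class before resorting to the manual code analysis or method hooking mentioned above.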
Best Practices
MASTG-BEST-0022: Disable Verbose and Debug Logging in Production Builds