MASTG-TEST-0297: Insertion of Sensitive Data into Logs
Overview
On the iOS platform, logging APIs such as NSLog, NSAssert, NSCAssert, print, printf and os_log/Logger can inadvertently leak sensitive information. Log messages are written to the system log (the unified logging system on current iOS versions), which you can read as described in Monitoring System Logs. Other apps on the device cannot read these logs because of sandboxing, but anyone who can attach a computer to the device (for example with Console.app or idevicesyslog), or who obtains a sysdiagnose archive or crash report, can. Because of this, logging sensitive values is discouraged even when the message is meant only for developers: a credential written with NSLog or print, or interpolated into an assertion message, ends up in the same log stream as everything else.
In this test, we use static analysis to check whether the app passes sensitive data to any logging API.
Steps
- Run a static analysis tool such as radare2 for iOS on the app binary and look for imports of, and cross-references to, the logging APIs (NSLog, os_log, printf, Swift's print and the assertion macros NSAssert and NSCAssert).
Observation
The output should list every call site of the logging functions. Decompile each call site and trace which values reach the format string and its arguments: credentials, session tokens, API keys, personal data, or values derived from them. Include messages built by string interpolation and the message strings of assertions, since these reach the log the same way.
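To make the two sides of the check concrete, the following Swift snippet is an added example, not code from the MASTG or from any real app. It shows a login helper as it is typically found during this test, followed by a rewrite that logs the event without the secret. The struct, function names and the `com.example.app` subsystem are hypothetical; `Logger` requires iOS 14 or later.

```swift
import Foundation
import os

// Constructed example: a login helper, first as it is typically found
// during this test, then rewritten. Names and subsystem are hypothetical.
struct Credentials {
    let username: String
    let password: String
}

// VULNERABLE: every call below writes a secret to the system log.
// In the binary these calls appear as imports of, and cross-references to,
// the logging functions the test asks you to search for (NSLog, Swift's
// print, os_log), which is where the static analysis step picks them up.
func loginInsecure(_ creds: Credentials, sessionToken: String) {
    // The password is passed straight into the format arguments.
    NSLog("Login attempt for %@ with password %@", creds.username, creds.password)
    // String interpolation is just as visible in the log as a format argument.
    print("Received session token: \(sessionToken)")
    // os_log redacts dynamic strings by default, but %{public} explicitly
    // reveals the token in the log stream.
    os_log("token=%{public}@", log: .default, type: .debug, sessionToken)
}

// HARDENED: log the event, never the secret. Values that are genuinely
// needed for debugging are annotated .private so the unified log stores
// them as <private>; the secret itself is not logged at all.
private let authLog = Logger(subsystem: "com.example.app", category: "auth") // hypothetical subsystem

func loginSecure(_ creds: Credentials, sessionToken: String) {
    authLog.info("Login attempt for user \(creds.username, privacy: .private)")
    // Log a fact about the token that helps debugging, not the token.
    authLog.debug("Session token received, length=\(sessionToken.count, privacy: .public)")
}
```

When reviewing decompiled code, `loginInsecure` is what a failing call site looks like: the sensitive value is an argument to the logging function or is interpolated into its message. Note that `.private` is a mitigation for values that must be logged, not a licence to log secrets: the redaction can be lifted by device configuration and is not applied while a debugger is attached, so a secret interpolated into a `Logger` call still fails this test even with the annotation.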
Evaluation
The test case fails if any call to a logging API receives sensitive data, whether as a direct argument or interpolated into its format or message string.