MASTG-TEST-0297: Sensitive Data Exposure Through Logging APIs

Overview

On iOS, logging APIs such as NSLog, NSAssert, NSCAssert, print, and printf can inadvertently leak sensitive information. Log messages are written to the system log, which you can read with Monitoring System Logs. Other apps on the device cannot read these logs, but they are visible to anyone who can connect the device to a computer (for example via Console.app or a sysdiagnose archive), so logging sensitive data directly is generally discouraged because of its potential for data leakage.

This test uses static analysis to verify whether an app contains logging APIs that take sensitive data as input.

This test focuses on logged sensitive data. For tests specifically targeting implementation details exposed through logs, see Implementation Details Exposure Through Logging APIs and Implementation Details Exposure in Logs.

Steps

  1. Use Exploring the App Package to extract the relevant binaries from the app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
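The following script is an added example (not MASTG's own tooling) of how a reviewer can turn the output of step 2 into a worklist: it parses the cross-reference lines that radare2 prints for each logging import, joins them with the format strings and argument names recovered from the decompiled code, and flags call sites whose inputs look sensitive. The `axt` line layout, the symbol-name patterns (including the Swift `print` mangling and the fact that NSAssert/NSCAssert compile to NSAssertionHandler selector calls rather than to an import named NSAssert), and the sample data are all assumptions constructed for this example.

```python
"""Triage helper for MASTG-TEST-0297 (added example, not MASTG tooling).

Input 1: cross-reference lines as printed by radare2's `axt <symbol>` for each
         logging import (line layout assumed, see XREF_RE).
Input 2: for each call site, the format string and argument names the reviewer
         recovered from the decompiled code (manual step; constructed here).
Output:  one finding per logging call site with a verdict and matched keywords.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Symbol-name patterns that indicate a logging API in an iOS binary.
# NSAssert/NSCAssert are macros that expand to NSAssertionHandler calls, and
# Swift's print() appears as a mangled Swift symbol, so matching the literal
# macro/function name alone would miss them. Assumptions about common builds.
LOGGING_SYMBOL_PATTERNS = {
    "NSLog": re.compile(r"\bNSLog\b"),
    "printf": re.compile(r"\bprintf\b"),
    "NSAssert/NSCAssert": re.compile(r"NSAssertionHandler"),
    "Swift print": re.compile(r"5print_9separator10terminator|\bSwift\.print\b"),
}

# Keywords that make a log call worth a manual look. Heuristic first pass:
# a hit is a lead, a miss is not proof that the call is safe.
SENSITIVE_KEYWORDS = re.compile(
    r"passw(or)?d|secret|token|session|cookie|bearer|auth|pin\b|otp|ssn|"
    r"credit|card|cvv|iban|account|email|phone|address|dob|birth",
    re.IGNORECASE,
)

# One `axt` line: "<caller> <addr> [<kind>] <disasm>". The layout varies across
# r2 versions (assumption), so the parser is deliberately lenient.
XREF_RE = re.compile(
    r"^(?P<caller>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+\[(?P<kind>[^\]]*)\]\s+(?P<disasm>.*)$"
)


@dataclass(frozen=True)
class LogCallSite:
    caller: str
    addr: str
    api: str


def classify_symbol(name: str) -> Optional[str]:
    """Map a symbol/disassembly string to a logging API name, or None."""
    for api, pattern in LOGGING_SYMBOL_PATTERNS.items():
        if pattern.search(name):
            return api
    return None


def parse_xrefs(axt_output: str) -> list:
    """Extract CALL cross-references to logging APIs from `axt` output."""
    sites = []
    for line in axt_output.splitlines():
        m = XREF_RE.match(line.strip())
        if not m or not m.group("kind").startswith("CALL"):
            continue  # data references and unparsable lines are not call sites
        api = classify_symbol(m.group("disasm"))
        if api:
            sites.append(LogCallSite(m.group("caller"), m.group("addr"), api))
    return sites


def sensitive_hits(format_string: str, arg_names: list) -> list:
    """Keywords in the format string or argument names that suggest sensitive data."""
    text = " ".join([format_string, *arg_names])
    return sorted({m.group(0).lower() for m in SENSITIVE_KEYWORDS.finditer(text)})


def triage(axt_output: str, recovered: dict) -> list:
    """Join xrefs with reviewer-recovered inputs and assign a verdict per call site."""
    findings = []
    for site in parse_xrefs(axt_output):
        fmt, args = recovered.get(site.addr, ("", []))
        hits = sensitive_hits(fmt, args)
        # No recovered inputs means the reviewer has not looked at it yet.
        verdict = "FAIL" if hits else ("review" if fmt == "" else "ok")
        findings.append({"addr": site.addr, "caller": site.caller, "api": site.api,
                         "format": fmt, "args": args, "hits": hits, "verdict": verdict})
    return findings


# Constructed sample input (not real r2 output from any app).
SAMPLE_AXT = """\
sym.func.100004a10 0x100004a3c [CALL:--x] bl sym.imp.NSLog
sym.func.100004b80 0x100004bb0 [CALL:--x] bl sym.imp.NSLog
sym.func.100005000 0x100005020 [CALL:--x] bl sym.imp.printf
sym.func.100005200 0x100005230 [DATA:r--] adrp x0, str.Session
"""

# Constructed stand-in for what a reviewer reads off the decompiler per call site.
SAMPLE_RECOVERED = {
    "0x100004a3c": ("Login attempt for user=%@ password=%@", ["username", "password"]),
    "0x100004bb0": ("View did appear", []),
    "0x100005020": ("auth header: %s\n", ["bearerToken"]),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_AXT, SAMPLE_RECOVERED):
        print(f"{f['verdict']:6} {f['addr']} {f['api']:8} {f['format']!r} hits={f['hits']}")
```

Use it as a worklist, not as the verdict: every `review` entry still needs the decompiled code read, and an `ok` only says the keyword list did not match. Extend `LOGGING_SYMBOL_PATTERNS` with whatever wrappers the app uses around these APIs, since a project-specific `Logger.debug` that forwards to NSLog hides the sensitive call behind one more hop.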

Observation

The output should list the locations of the logging calls or other relevant logging references. Check the decompiled code at each location to verify whether sensitive data reaches the call. Note that NSAssert and NSCAssert are macros: in the binary they appear as calls to NSAssertionHandler selectors rather than as symbols named NSAssert, and Swift's print appears under its mangled Swift symbol name.

Evaluation

The test case fails if the app contains reachable logging calls that receive sensitive data as input.

Best Practices

MASTG-BEST-0022: Disable Verbose and Debug Logging in Production Builds

Demos

MASTG-DEMO-0065: Uses of Logging APIs with r2