...
This rule is a special case of IDS03-J. Do not log unsanitized user input.
Risk Assessment
Logging sensitive information can leak it to malicious apps.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DRD03-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Automatic detection of the use of logging facilities is trivial. It is not feasible, however, to automatically determine whether the data being logged is sensitive.
Related Vulnerabilities
- Facebook SDK for Android: http://readwrite.com/2012/04/10/what-developers-and-users-can#awesm=~o9iqZAMlUPshPu
- JVN#23328321 Puella Magi Madoka Magica iP for Android vulnerable to information disclosure
- JVN#86040029 Weathernews Touch for Android stores location information in the system log file
- JVN#33159152 Loctouch for Android information management vulnerability
- JVN#56923652 Monaca Debugger for Android information management vulnerability
...
Bibliography
Android Secure Coding Guidebook by JSSEC, Section 4.8, "Output log to LogCat"