Page History

...

Noncompliant Code Example

Here is another example. Weathernews Touch A weather report for Android sent a user's location data to the log output as follows:

I/MySoraPieceMyWeatherReport( 6483): Re-use MySoraPiece MyWeatherReport data
I/ ( 6483): GET JSON:

...

http://

...

example.

...

com/smart/repo_piece.cgi?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000

If a user is using Android OS 4.0 or before, other applications with READ_LOGS permission can obtain the user's location information without declaring ACCESS_FINE_LOCATION permission in the manifest file.

...

Proof of Concept

Example code of obtaining log output correctly from a vulnerable application is as follows:

Code Block

bgColor	#ccccff
lang	java

final StringBuilder slog = new StringBuilder();

try {
  Process mLogcatProc;
  mLogcatProc = Runtime.getRuntime().exec(new String[]
      {"logcat", "-d", "LoginAsyncTask:I APIClient:I method:V *:S" });

  BufferedReader reader = new BufferedReader(new InputStreamReader(
      mLogcatProc.getInputStream()));

  String line;
  String separator = System.getProperty("line.separator");

  while ((line = reader.readLine()) != null) {
    slog.append(line);
    slog.append(separator);
  }
  Toast.makeText(this, "Obtained log information", Toast.LENGTH_SHORT).show();

} catch (IOException e) {
  // handle error
}

TextView tView = (TextView) findViewById(R.id.logView);
tView.setText(slog);

...

Applications should make sure that they do not send sensitive information to log output. If the app includes a third party library, the developer should make sure that the library does not send sensitive information to log output. One common solution is for an application to declare and use a custom log class, so that log output is automatically turned on/off based on Debug/Release. Developers can use ProGuard to delete specific method calls. This assumes that the method contains no side effects.

This rule is a special case of FIO13-J. Do not log sensitive information outside a trust boundary.

Risk Assessment

Logging sensitive information can leak sensitive information to malicious apps.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
DRD04-J	Medium	Probable	Medium	P8	L2

Automated Detection

Automatic detection of the use of logging facilities trivial. It is not feasible to automatically determine whether the data being logged is sensitive.

Related Vulnerabilities

Facebook SDK for Android: http://readwrite.com/2012/04/10/what-developers-and-users-can#awesm=~o9iqZAMlUPshPu
JVN#23328321 Puella Magi Madoka Magica iP for Android vulnerable to information disclosure
JVN#86040029 Weathernews Touch for Android stores location information in the system log file
JVN#33159152 Loctouch for Android information management vulnerability
JVN#56923652 Monaca Debugger for Android information management vulnerability

Related Guidelines

Android Secure Design / Secure Coding Guidebook by JSSEC

4.8 Outputing log to LogCat

Bibliography

[JSSEC 2014 ]

4.8 Output Outputing log to LogCat

...

Image Added Image Added Image Added

Space shortcuts

Page tree

Versions Compared

Old Version 3

New Version Current

Key