...
Noncompliant Code Example
Here is another example. Weathernews Touch A weather report for Android sent a user's location data to the log output as follows:
I/MySoraPieceMyWeatherReport( 6483): Re-use MySoraPiece MyWeatherReport data
I/ ( 6483): GET JSON:
...
http://
...
example.
...
com/smart/repo_piece.cgi?arc=0&lat=26.209026&lon=127.650803&rad=50&dir=-999&lim=52&category=1000
If a user is using Android OS 4.0 or before, other applications with READ_LOGS
permission can obtain the user's location information without declaring ACCESS_FINE_LOCATION
permission in the manifest file.
...
Proof of Concept
Example code of obtaining log output correctly from a vulnerable application is as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
final StringBuilder slog = new StringBuilder(); try { Process mLogcatProc; mLogcatProc = Runtime.getRuntime().exec(new String[] {"logcat", "-d", "LoginAsyncTask:I APIClient:I method:V *:S" }); BufferedReader reader = new BufferedReader(new InputStreamReader( mLogcatProc.getInputStream())); String line; String separator = System.getProperty("line.separator"); while ((line = reader.readLine()) != null) { slog.append(line); slog.append(separator); } Toast.makeText(this, "Obtained log information", Toast.LENGTH_SHORT).show(); } catch (IOException e) { // handle error } TextView tView = (TextView) findViewById(R.id.logView); tView.setText(slog); |
...
This rule is a special case of IDS03FIO13-J. Do not log unsanitized user inputsensitive information outside a trust boundary.
Risk Assessment
Logging sensitive information can leak sensitive information to malicious apps.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD04-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Automatic detection of the use of logging facilities trivial. It is not feasible to automatically determine whether the data being logged is sensitive.
Related Vulnerabilities
- Facebook SDK for Android: http://readwrite.com/2012/04/10/what-developers-and-users-can#awesm=~o9iqZAMlUPshPu
- JVN#23328321 Puella Magi Madoka Magica iP for Android vulnerable to information disclosure
- JVN#86040029 Weathernews Touch for Android stores location information in the system log file
- JVN#33159152 Loctouch for Android information management vulnerability
- JVN#56923652 Monaca Debugger for Android information management vulnerability
Related Guidelines
4.8 Output Outputing log to LogCat |
Bibliography
4.8 Outputing log to LogCat |
...