antest1 / kcanotify

Viewer Application for KanColle Android
GNU General Public License v3.0

Sensitive information logging #87

Closed bananabr closed 2 years ago

bananabr commented 2 years ago

Prior to Android 4.0, any application with READ_LOGS permission could obtain all the other applications' log output. After Android 4.1, the specification of READ_LOGS permission has been changed. Even applications with READ_LOGS permission cannot obtain log output from other applications.

However, by connecting an Android device to a PC, or when running a rooted device, log output from other applications can be obtained.

Therefore, it is important that applications do not send sensitive information to log output.

The following LGTM query results demonstrate user credentials being written to the system log: https://lgtm.com/query/1712936386160468699/

Once the issue is fixed, please create a security advisory so that a CVE is assigned to it by GitHub.

Thank you,

antest1 commented 2 years ago

Log statements are all removed by ProGuard when building, so the credential information will not be shown in the log output. https://github.com/antest1/kcanotify/blob/master/app/proguard-rules.pro#L91
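For readers checking the mitigation described above, this is the standard ProGuard/R8 rule that strips `android.util.Log` calls; it is an added example, not the project's actual `proguard-rules.pro`, and the important caveat is that it only takes effect in build types with `minifyEnabled true`.

```proguard
# Added example of the standard Log-stripping rule, not the project's own file.
# ProGuard/R8 only honours this when the build type has minifyEnabled true
# (normally release); debug builds keep every Log call and its arguments,
# so credentials still reach logcat there.
-assumenosideeffects class android.util.Log {
    public static boolean isLoggable(java.lang.String, int);
    public static int v(...);
    public static int d(...);
    public static int i(...);
    public static int w(...);
    public static int e(...);
    public static int wtf(...);
}
```

A release APK built with this rule should produce no output from these calls in `adb logcat`; if it still does, confirm that minification is enabled for that build type and that the rules file is listed in its `proguardFiles`.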

bananabr commented 2 years ago

Thanks for the feedback @antest1