edwindwalker / edwinwalker

Personal site

NowSecure dynamic analysis: Last Name Leaked to Device Logs #40

Closed jnowsecure closed 4 months ago

jnowsecure commented 4 months ago

### Finding Description

Last Name has been found within device logs.

Data written to the device system log (logcat) can be reached through several attack vectors. An attacker with access to the USB port can read it through adb once the user accepts the USB debugging trust prompt. Another app on the device can read it if that app holds the READ_LOGS permission; since Android 4.1 that permission is not granted to ordinary third-party apps, so this vector mainly concerns privileged or OEM-preinstalled apps and rooted devices, which is why the issue is common on various OEM devices. The log is also captured in bug reports and crash reports, where it leaves the device entirely.

### Steps to Reproduce

Open the Logcat window in Android Studio (or run `adb logcat` from a terminal) to view the log entries the app writes, and search them for sensitive data. Then review the app's logging code and remove any path that can write sensitive or extraneous data to the log. Directions for viewing logs with Android Studio and logcat: https://developer.android.com/studio/debug/am-logcat#running

In NowSecure's automated and manual testing, a copy of syslog is pulled and searched for sensitive values. This testing is able to differentiate between log entries created by the app being tested and entries written by any other app or the system.
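The search described above can be reproduced offline against a saved logcat capture. The following Python script is an added example written for this page, not NowSecure's tooling: it parses `adb logcat -d -v threadtime` output, restricts the search to the PIDs that ActivityManager started for the package, and looks for the value in UTF-8, hex and base64 form, matching on word boundaries so that a surname such as "Dent" is not reported inside words like "Identity". The log lines are constructed, and the package name com.example.app, PID 4321 and all function names are assumptions for illustration.

```python
"""Search a saved logcat capture for a sensitive value leaked by one app.

Added example for this finding; it is not NowSecure's tooling.  It assumes
output captured with `adb logcat -d -v threadtime` and a known package name.
All sample log lines below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in threadtime format.  PID 4321 is the hypothetical
# app com.example.app; PIDs 1000, 2222 and 3333 belong to other processes.
SAMPLE_LOGCAT = """\
03-01 10:00:00.001  1000  1000 I ActivityManager: Start proc 4321:com.example.app/u0a123 for activity com.example.app/.MainActivity
03-01 10:00:01.002  4321  4321 D ProfileRepo: loaded user lastName=Dent firstName=Arthur
03-01 10:00:01.003  4321  4350 V OkHttp: --> GET https://api.example.com/profile?surname=DENT
03-01 10:00:02.004  2222  2222 I MediaProvider: Invalidating LocalCallingIdentity cache for package com.example.app
03-01 10:00:03.005  3333  3340 I GmsCore: onBind: Intent { act=com.google.android.gms.presencemanager.service.INTERNAL_IDENTITY }
03-01 10:00:04.006  4321  4321 D ProfileRepo: student record flagged for review
"""

# One line of `adb logcat -v threadtime`: date time PID TID level tag: message
_THREADTIME = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEFS])\s+"
    r"(?P<tag>.*?)\s*: (?P<msg>.*)$"
)
# Characters that belong to a token in each encoding; a whole-word hit must
# not be glued to more of them on either side.
_ALPHABET = {"utf8": r"0-9A-Za-z_", "hex": r"0-9A-Fa-f", "base64": r"0-9A-Za-z+/="}


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    pid: int
    tid: int
    level: str
    tag: str
    message: str


@dataclass(frozen=True)
class Hit:
    entry: LogEntry
    encoding: str
    needle: str


def parse_logcat(text: str) -> List[LogEntry]:
    """Parse threadtime lines; separators like '--------- beginning of main' are skipped."""
    entries = []
    for line in text.splitlines():
        m = _THREADTIME.match(line)
        if m:
            entries.append(LogEntry(m["ts"], int(m["pid"]), int(m["tid"]),
                                    m["level"], m["tag"], m["msg"]))
    return entries


def pids_for_package(entries: List[LogEntry], package: str) -> Set[int]:
    """PIDs that ActivityManager reported starting for the package ('Start proc <pid>:<pkg>/...')."""
    start = re.compile(r"Start proc (\d+):" + re.escape(package) + r"/")
    pids = set()
    for e in entries:
        if e.tag == "ActivityManager":
            m = start.search(e.message)
            if m:
                pids.add(int(m.group(1)))
    return pids


def encodings_of(value: str) -> Dict[str, str]:
    """The value as it would appear in the log in each encoding searched for."""
    raw = value.encode("utf-8")
    return {
        "utf8": value,
        "hex": raw.hex(),
        # Only a stand-alone base64 value is found: the same bytes embedded at
        # a different offset of a longer string encode to different characters.
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def _pattern(encoding: str, needle: str, whole_word: bool) -> "re.Pattern[str]":
    pat = re.escape(needle)
    if whole_word:
        cls = _ALPHABET[encoding]
        pat = rf"(?<![{cls}]){pat}(?![{cls}])"
    # base64 is case-sensitive; text and hex are compared case-insensitively.
    return re.compile(pat, 0 if encoding == "base64" else re.IGNORECASE)


def find_leaks(entries: List[LogEntry], value: str,
               pids: Optional[Set[int]] = None, whole_word: bool = True) -> List[Hit]:
    """Entries (limited to `pids` if given) whose message contains `value` in any encoding."""
    patterns = [(enc, needle, _pattern(enc, needle, whole_word))
                for enc, needle in encodings_of(value).items()]
    hits = []
    for e in entries:
        if pids is not None and e.pid not in pids:
            continue
        for enc, needle, rx in patterns:
            if rx.search(e.message):
                hits.append(Hit(e, enc, needle))
    return hits


if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    app_pids = pids_for_package(entries, "com.example.app")
    for h in find_leaks(entries, "Dent", pids=app_pids):
        print(f"{h.encoding:6} pid={h.entry.pid} {h.entry.tag}: {h.entry.message}")
```

On a real device, exercise the app and then run `adb logcat -d -v threadtime > capture.txt`, and pass the file contents to `parse_logcat`. Calling `find_leaks` with `whole_word=False` and no PID filter reproduces the broad substring match; on the sample it also reports the MediaProvider and GmsCore lines, where "dent" only occurs inside "LocalCallingIdentity" and "INTERNAL_IDENTITY", which is the kind of match shown in the Evidence table below and is worth reviewing manually before treating a hit as a leak.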

### Business Impact

The app writes sensitive data to a location on the device that it does not control, which can lead to unauthorized access to the user's account and data by anyone able to read the device logs. Where credentials are among the logged values, reuse of passwords can lead to further compromise of the user's other accounts and additional risk exposure for the organization.

### Remediation Resources

#### Recommended Fix

To prevent this sensitive information from being exposed (for example to another application or process running on the same device), disable debug logging in production builds. One method is to have ProGuard, DexGuard or R8 strip the calls to the android.util.Log class entirely, removing every call to Log.d, Log.i, Log.v and Log.e. For example, add the following snippet to the ProGuard configuration (proguard.cfg, or proguard-rules.pro in Gradle projects):

```txt
-assumenosideeffects class android.util.Log {
    public static *** d(...);
    public static *** v(...);
    public static *** i(...);
    public static *** e(...);
}
```

Two caveats apply. The rule only takes effect in builds where code shrinking and optimization are enabled (minifyEnabled on the release build type); a debug build, or a release build with shrinking turned off, still logs everything. And the rule is only as complete as its method list, so add Log.w and Log.wtf if those levels can carry user data, then verify the release APK by capturing logcat while exercising the app rather than trusting the configuration alone. Note also that certain hybrid frameworks have custom log functionality that also needs to be disabled before the app is compiled.

#### Code Samples

Bad Android Manifest (.xml)

```xml
<manifest ...>
  ...
  <application android:debuggable="true" ...>
  ...
```

Bad Code Example (.java)

Any of `Log.v()`, `Log.d()`, `Log.i()`, `Log.w()`, `Log.e()` called with user data and left in the release build.

Good Android Manifest (.xml)

```xml
<manifest ...>
  ...
  <application android:debuggable="false" ...>
  ...
```

Note that `android:debuggable` governs whether a debugger can attach and whether `run-as` can read the app's private files; it does not stop `Log` calls from being written to logcat. The Android Gradle plugin sets it per build type, so it should normally not be hard-coded in the manifest at all.

If you're using ProGuard or R8, add this to your ProGuard configuration file (proguard-rules.pro) to remove all Log calls:

```txt
-assumenosideeffects class android.util.Log {
    public static *** v(...);
    public static *** d(...);
    public static *** i(...);
    public static *** w(...);
    public static *** e(...);
}
```



#### Additional Guidance

- This Google Android Developer article discusses considerations for preparing an app for release, including turning off logging and debugging https://developer.android.com/studio/publish/preparing
- This Google Android Developer article provides guidance on different methods for logging https://developer.android.com/reference/android/util/Log
- This Google Android Developer article covers shrinking code with the R8 compiler, the default shrinker in the Android Gradle plugin, which reads ProGuard-format rules and removes unused code (including Log calls matched by -assumenosideeffects) from release builds https://developer.android.com/studio/build/shrink-code
- The third-party tool ProGuard can also remove logging code. Ensure that any third-party tools or libraries meet the organization's development and security standards prior to use. NowSecure's testing can evaluate third-party tools or libraries as part of its automated app testing processes https://github.com/Guardsquare/proguard

### Risk and Regulatory Information

Severity: low

CVSS: 3.3

<span title="NowSecure suggests remediation">Policy Category: Needs Remediation</span>

- CWE: [312](https://cwe.mitre.org/data/definitions/312.html), [532](https://cwe.mitre.org/data/definitions/532.html)
- ioXt: SD111
- FISMA MED: [SC-28 PROTECTION OF INFORMATION AT REST](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=SC-28)
- Risk OWASP: [MSTG-STORAGE-3 (OWASP MASVS v1.5.0)](https://github.com/OWASP/owasp-masvs/blob/v1.5.0/Document/0x07-V2-Data_Storage_and_Privacy_requirements.md), [MASVS-STORAGE-2 (OWASP MASVS v2.0.0)](https://github.com/OWASP/owasp-masvs/blob/v2.0.0/controls/MASVS-STORAGE-2.md)
- GDPR: [Risks violating Article 25](https://gdpr-info.eu/art-25-gdpr/), [Risks violating Article 32](https://gdpr-info.eu/art-32-gdpr/)
- FFIEC: [May violate D3.PC.Am.A.1](https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf)
- PCI: [May violate requirement 3.1 through 3.4](https://www.pcisecuritystandards.org/document_library?document=pci_dss)
- HIPAA: [May violate §164.312(a)(1): Standard: Access control.](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es)
- CCPA: [Risks violating CCPA: exfiltration, theft, or disclosure of PII](https://ccpa-info.com/home/1798-150-civil-actions/)
- Google App Store Blockers: [SC-D4 - No sensitive user data is logged to the system or app-specific log.](https://developer.android.com/docs/quality-guidelines/core-app-quality)
- CWE Top 25: [2021 CWE Top 25 Most Dangerous Software Errors](https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html)

### Application

- Platform: android
- Package: com.accuweather.android

See more detail in the [NowSecure Report](https://app.int.nowsecure.io/app/b6372f8a-9a52-11ec-b353-0744ee7bc34c/assessment/b68e4348-d032-11ee-858f-3756d4d7c2f4#finding-leaked_logcat_data_lastname)

<details>
<summary>Evidence</summary>

#### Code Locations
| Type | Value | Encoding | Searched Data |
|---|---|---|---|
| lastname | dent | utf8 | Invalidating LocalCallingIdentity cache for package com.accuweather.android. Reason: package android.intent.action.PACKAGE_ADDED |
| lastname | DENT | utf8 | onBind: Intent { act=com.google.android.gms.presencemanager.service.INTERNAL_IDENTITY dat=chimera-action: cmp=com.google.android.gms/.chimera.PersistentApiService } |
| lastname | DENT | utf8 | Loading bound service for intent: Intent { act=com.google.android.gms.presencemanager.service.INTERNAL_IDENTITY dat=chimera-action: cmp=com.google.android.gms/.chimera.PersistentApiService } |

... and 17 more

</details>