jitsi / jitsi-meet-sdk-samples

Jitsi Meet mobile SDK examples (Android, iOS and React Native)
Apache License 2.0

Hide logs of jitsi SDK #135

Closed sofianemajdoub closed 2 years ago

sofianemajdoub commented 2 years ago

When I use Jitsi Meet I can always see lots of logs being recorded in the console log, which comes in handy when you are developing the application, but this is a problem in production. Is there any solution to put the Logcat off and hide it?

saghul commented 2 years ago

What is the problem exactly? How are you planning to help your users when they run into problems in production and you have no logs to check?

sofianemajdoub commented 2 years ago

Hi, we don’t want to display the logs for the Android production app and we prefer them for development only. We think there is some concrete data shown in the log from the JitsiMeetSDK which would make us vulnerable. We cannot find a way to hide or prevent logging based on conditions. Please help us. Thank you.

sofianemajdoub commented 2 years ago

To GitHub: What's the rationale for not allowing the person who opened an issue to reopen it :/ ? Creating a new issue just to reopen an old issue is just plain noise.

saghul commented 2 years ago

Currently there is no way to change the log level of the native SDK.

What sensitive data are you worried about? Be specific please.

sofianemajdoub commented 2 years ago

Hi, our company requires restrictions on the code and binary code of our applications. Among these restrictions, it is forbidden to display detailed logs in the console; we put them in an encrypted file to be used later by the developer in case of any problem in the delivered application. For Jitsi there are a lot of clear scenarios which would make us vulnerable and can be readable by anyone.

My suggestion if there is no solution:

- add an option "FF" to hide the logs of JitsiMeetSDK.
- give the possibility to save logs in a file which will be readable later only by the developer.

Thank you.

saghul commented 2 years ago

> For Jitsi there is a lot of clear scenarios which would make us vulnerable and can be readable by anyone.

Please elaborate. I'd like to understand.

Note that "anyone" needs to be in control of the device already...

sofianemajdoub commented 2 years ago

I have already described the situation to make the application vulnerable. Displaying logs that come from any libraries in the console makes the delivered application not secured.

saghul commented 2 years ago

No, you haven't explained it.

Lack of compliance of arbitrary rules does not imply a security problem.

All I'm asking here is a sample line how that is an attack vector.

Please send that to security@jitsi.org

sofianemajdoub commented 2 years ago

So to conclude there is no way to hide the log in the native SDK of Jitsi.

saghul commented 2 years ago

Not at the moment. We use CocoaLumberjack on iOS: https://github.com/jitsi/jitsi-meet/blob/master/ios/sdk/src/JitsiMeetLogger.m and Timber on Android: https://github.com/jitsi/jitsi-meet/blob/master/android/sdk/src/main/java/org/jitsi/meet/sdk/log/JitsiMeetLogger.java so adding support for it shouldn't be too hard.

A PR for that would be welcome, but if you want to persuade others to add a feature for you, providing as many details as possible is a good start.

Making unsubstantiated claims on security aspects of a project without any backing is just not cool.