The information specified has been found within device logs. Data written to device system logs can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to read this data if the user accepts the trust prompt. Another attack vector is devices that allow other apps to view the device system logs, which is common on various OEM devices.
Recommendation
To prevent this sensitive information from being compromised (such as by another application or process running on the same device), it is recommended that debug logs be disabled in a production environment. More details and code snippets can be found at https://developer.android.com/studio/publish/preparing.
Another method involves leveraging ProGuard or DexGuard (or an alternative) to completely remove the method calls to the Log class, thus stripping all calls to the Log.d, Log.i, Log.v, and Log.e methods. One example is to add the following snippet to proguard.cfg:
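    # Treat these Log methods as side-effect free so the optimizer can remove calls to them.
    # Takes effect only when optimization is enabled (i.e. -dontoptimize is not set).
    -assumenosideeffects class android.util.Log {
        public static *** d(...);
        public static *** v(...);
        public static *** i(...);
        public static *** e(...);
    }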
The context table below shows the log entries that contained the sensitive information specified.
Risk and Regulatory Information
Severity: low
CVSS: 2.1
Application
See more detail in the NowSecure Report