The information specified has been found within device logs. Data written to device system logs can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust. Another attack vector includes devices that allow other apps to view the device system logs. This is common on various OEM devices.
Recommendation
To prevent this sensitive information from being compromised (such as by
another application or process running on the same device), it is recommended
that debug logs be disabled in a production environment. More details and code snippets can be found at https://developer.android.com/studio/publish/preparing.
Another method involves leveraging ProGuard or DexGuard (or an alternative) to completely remove the
method calls to the Log class, thus stripping all calls to Log.d, Log.i,
Log.v, Log.e methods. One example is use add the following snippet to
proguard.cfg:
-assumenosideeffects class android.util.Log {
public static *** d(...);
public static *** v(...);
public static *** i(...);
public static *** e(...);
}
The context table below shows the log entries that contained the sensitive information specified.
Summary
The information specified has been found within device logs. Data written to device system logs can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust. Another attack vector includes devices that allow other apps to view the device system logs. This is common on various OEM devices.
Recommendation
To prevent this sensitive information from being compromised (such as by another application or process running on the same device), it is recommended that debug logs be disabled in a production environment. More details and code snippets can be found at https://developer.android.com/studio/publish/preparing.
Another method involves leveraging ProGuard or DexGuard (or an alternative) to completely remove the method calls to the Log class, thus stripping all calls to Log.d, Log.i, Log.v, Log.e methods. One example is use add the following snippet to
proguard.cfg:The context table below shows the log entries that contained the sensitive information specified.
Risk and Regulatory Information
Severity: low CVSS: 3.3
Application
See more detail in the NowSecure Report