Closed bananabr closed 3 years ago
Once the issue is fixed, please create a security advisory so that a CVE is assigned to it by GitHub.
Hi @bananabr,
Thank you for getting in touch with us!
The lgtm report points to the Sasquatch app, which gives the token that is printed to the output. Note that the Sasquatch app is a demo application and is not part of the SDK. Also, this log is only printed if you have the "verbose" log level, which you don't normally set for production apps.
If you still feel it is a security issue in the SDK, could you please clarify the use case in which sensitive information could be leaked when using the App Center Android SDK?
Thanks for the clarification @DmitriyKirakosyan! That's probably just a false positive.
I will close the issue.
Description
Prior to Android 4.0, any application with the READ_LOGS permission could obtain all other applications' log output. After Android 4.1, the specification of the READ_LOGS permission was changed: even applications with the READ_LOGS permission cannot obtain log output from other applications.
However, by connecting an Android device to a PC, or when running a rooted device, log output from other applications can be obtained.
Therefore, it is important that applications do not send sensitive information to log output. The DefaultHttpClientCallTask.java class logs sensitive tokens to the system log.
Repro Steps
Review the LGTM query results at https://lgtm.com/query/2904724693185185601/
Details
AppCenter.setLogLevel(Log.VERBOSE)
before your call to AppCenter.start(...)
and include the logs here: n/a
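The Description above makes the general point that an app should not write secrets to logcat, and the maintainer's reply makes the narrower point that the line in question only appears at the verbose level. The following is an added example, not code from the App Center SDK or from anyone in this thread: it puts the two patterns side by side in plain Java, a log line that prints the raw request headers behind a verbose gate, and the same line with sensitive header values redacted before the string is built. The header names in `SENSITIVE_HEADERS`, the `redactHeaders` and `maskToken` helpers and the sample token are assumptions made for this example; it needs Java 9 or later for `Set.of`.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not App Center SDK code): keep secrets out of log output.
 * The header names and the sample token below are assumptions for this example.
 */
public final class LogRedaction {

    /** Header names whose values are secrets; compared case-insensitively. */
    private static final Set<String> SENSITIVE_HEADERS =
            Set.of("authorization", "app-secret", "x-api-token");

    private static final String PLACEHOLDER = "***";

    private LogRedaction() {
    }

    /**
     * Returns a copy of {@code headers} in which every sensitive value is replaced
     * by a placeholder. The original map is not modified, so the real token is
     * still sent with the request; only the logged copy is scrubbed.
     */
    public static Map<String, String> redactHeaders(Map<String, String> headers) {
        Map<String, String> copy = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            copy.put(e.getKey(), SENSITIVE_HEADERS.contains(name) ? PLACEHOLDER : e.getValue());
        }
        return copy;
    }

    /**
     * Keeps only the first {@code keep} characters of a token so log lines can
     * still be correlated. Tokens shorter than twice the prefix are fully masked,
     * so the prefix never reveals most of the secret.
     */
    public static String maskToken(String token, int keep) {
        if (token == null || token.length() <= keep * 2) {
            return PLACEHOLDER;
        }
        return token.substring(0, keep) + PLACEHOLDER;
    }

    /** Vulnerable pattern: the raw token is written to the log whenever verbose logging is on. */
    static String vulnerableLogLine(Map<String, String> headers, boolean verbose) {
        return verbose ? "Sending request headers=" + headers : null;
    }

    /** Hardened pattern: same verbose gate, but the logged copy never contains the secret. */
    static String hardenedLogLine(Map<String, String> headers, boolean verbose) {
        return verbose ? "Sending request headers=" + redactHeaders(headers) : null;
    }

    public static void main(String[] args) {
        // Constructed sample headers, shaped like what an HTTP client might log.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "application/json");
        headers.put("Authorization", "Bearer eyJhbGciOi.example-constructed-token");
        headers.put("App-Secret", "00000000-0000-0000-0000-000000000000");

        System.out.println(vulnerableLogLine(headers, true));
        System.out.println(hardenedLogLine(headers, true));
        System.out.println(maskToken("eyJhbGciOi.example-constructed-token", 4));
    }
}
```

The verbose gate alone is what the maintainer relies on; the redaction is what makes the line safe even when a developer ships with verbose logging enabled or attaches a device to a PC and reads logcat, which is the scenario the Description describes. Redacting a copy, rather than the live header map, is deliberate: the request must still carry the real credential.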