ADB Logcat security risk – #1 DIVA Solution

ADB (Android Debug Bridge) Logcat is the mechanism through which developers debug an application, to verify its workflow or to identify crashes. However, these logging code snippets often remain in the released app that users install from the Play Store. The risk increases if these logs contain sensitive information such as banking details, user credentials, login/access tokens, encryption keys or personal information in plain text. Logs remain on the device from the time you last switched it on, and logcat can be viewed from a non-rooted device as well.


The video demonstrates, with the DIVA app, how the credit-card number is leaked into the device's ADB logcat when an internal app error occurs. Notice that the moment we click the "Check Out" button an error is shown; at the same time a log entry is generated in the background that contains the credit-card information in clear text.

Download: DIVA.apk

To inspect logs there are two good ways:

1. Android Studio: a GUI mode that lets you choose the application and the verbosity level (Verbose - V, Error - E, Warning - W, Information - I, Debug - D), and also lets you choose the device if multiple devices/emulators are connected at the same time. If you look closely in the video, Android Studio shows red text lines containing Error logs with credit-card details from the DIVA app.

2. ADB via terminal: if ADB is already on your PATH, you can type adb logcat directly from any command prompt (Windows) / terminal (Mac/Linux). Otherwise navigate to the location where ADB is installed (by default C:\Users\YOUR USERNAME\AppData\Local\Android\sdk\platform-tools on Windows, /Users/YOURUSERNAME/Library/Android/sdk/platform-tools on Mac) and then run "adb logcat" from there.

Command                                        Purpose
adb logcat                                     Shows all logs from all running apps together.
adb logcat -c                                  Clears all logs stored on the device so far.
adb logcat "*:E"                               Filters the logs to Errors only.
adb logcat | grep KEYWORD_TO_SEARCH            Linux / Mac only: finds a particular value in the entire log.
adb logcat > logcatSavingToFileInDesktop.txt   Saves the logs to a text file on your desktop/laptop; afterwards a normal Ctrl + F (Find) locates a particular keyword. "Best trick for Windows users to find a particular string."
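The grep row above only finds a value you already know. As an added example (not code from the original post or from DIVA), the script below reads logcat output and flags any line carrying a Luhn-valid card number, so a leak like the one behind the "Check Out" error is caught during testing without knowing the number in advance. The log lines in SAMPLE_LOG are constructed for the demo; in real use feed it with adb logcat -d.

```shell
#!/bin/sh
# Added example: scan logcat output for leaked card numbers (PANs).
# Real use:  adb logcat -d | scan_for_pan
# SAMPLE_LOG is constructed for the demo; 4111... is a well-known test number.
SAMPLE_LOG='E/Checkout( 1234): Error while processing transaction with credit card: 4111111111111111
I/ActivityManager(  567): Displayed com.example.shop/.CheckoutActivity: +312ms'

# Luhn check: returns 0 when the digit string passes, 1 otherwise.
luhn_ok() {
  digits=$1; sum=0; double=0; i=${#digits}
  while [ "$i" -gt 0 ]; do
    d=$(printf '%s' "$digits" | cut -c "$i")
    if [ "$double" -eq 1 ]; then
      d=$((d * 2))
      [ "$d" -gt 9 ] && d=$((d - 9))
    fi
    sum=$((sum + d)); double=$((1 - double)); i=$((i - 1))
  done
  [ $((sum % 10)) -eq 0 ]
}

# Reads log lines on stdin. A line is reported if it contains a 13-19 digit
# run (spaces or dashes between groups allowed) that passes the Luhn check;
# the digit run is redacted so the report itself does not repeat the number.
# Exit status mirrors grep: 0 if at least one hit was found, 1 if the log is clean.
scan_for_pan() {
  found=1
  while IFS= read -r line; do
    for num in $(printf '%s\n' "$line" | grep -oE '([0-9][ -]?){12,18}[0-9]' | tr -d ' -'); do
      if [ "${#num}" -ge 13 ] && [ "${#num}" -le 19 ] && luhn_ok "$num"; then
        found=0
        printf 'PAN leak: %s\n' "$(printf '%s\n' "$line" | sed -E 's/([0-9][ -]?){12,18}[0-9]/[REDACTED]/g')"
        break
      fi
    done
  done
  return $found
}
```

Timestamps and process ids never form a 13-digit run, so they do not trigger false positives; a phone number of the right length is rejected by the Luhn check unless it happens to pass it.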


Prevention & Remediation

  • Prefer not to use methods like printStackTrace() or Log calls; if they are implemented, remember to remove them before release, or better, implement a custom logging mechanism.
  • Even if only Log.d() is used, the release build downloaded from the Play Store would still generate those logs, so do not rely on Log.d() either.

To understand how developers use logs in their source code, see the article Android Logcat.
