Logging of sensitive information
Closed this issue · 3 comments
Prior to Android 4.0, any application with READ_LOGS permission could obtain all the other applications' log output. After Android 4.1, the specification of READ_LOGS permission has been changed. Even applications with READ_LOGS permission cannot obtain log output from other applications.
However, by connecting an Android device to a PC, or when running a rooted device, log output from other applications can be obtained.
Therefore, it is important that applications do not send sensitive information to log output.
The following LGTM query results demonstrate user credentials being written to the system log: https://lgtm.com/query/8981696392229436572/
Once the issue is fixed, please create a security advisory to a CVE is assigned to it by GitHub.
Thank you,
Thanks, I've removed the dropbox token being logged. I'll have a scan through the code, to see if any other sensitive info like tokens or passwords are being logged.
Thanks @mendhak. Could you please make this into a security advisory so I can get a bounty from GitHub for the codeQL query I used to find this bug?
https://securitylab.github.com/bounties/
Thanks!
Sorry for the delay. I was filling out the advisory and had to figure out who this affects and the impact. I should have checked that sooner, because this is a codepath that executed once 5 years ago on the Play Store version of this app. Now that the app moved to F-Droid, it's not used. So there was nobody and no impact. I should have just removed this block as part of a cleanup.