
DIVA Android: Insecure Logging

Sometimes an app accidentally logs sensitive data, which can lead to information leakage. In the DIVA Android app example, you can see that the credit card number is written to the diva-log output without any obfuscation at all. The best practice is not to log sensitive information at all; if it must be logged, the data should be obfuscated (for example, masked to the last four digits).

Here, you can see that an error occurs when you tap the ‘CHECK OUT’ button. The credit card information is logged somewhere, and your goal is to find out where that information can be found.

Run this command (in an adb shell on the device) to find the information:

logcat | grep 'diva-log'

Now you can see that the error message also logs the full credit card number.
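As an added example (not part of this walkthrough or the DIVA project), the script below automates the check above: it scans logcat output for card numbers, filters out look-alike IDs with the Luhn checksum, and reports each finding masked to the last four digits, which is also the form the app should have logged in the first place. The logcat lines, tags and test card numbers are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed logcat excerpt for demonstration (not captured from a real device).
# Lines 1 and 4 mimic the shape of the diva-log message; the numbers are test PANs.
SAMPLE_LOGCAT = """\
E/diva-log( 1234): Error while processing transaction with credit card: 4111111111111111
I/ActivityManager(  567): Displayed jakhar.aseem.diva/.LogActivity: +123ms
D/diva-log( 1234): request id 1234567890123456 queued
E/diva-log( 1234): Error while processing transaction with credit card: 5555 5555 5555 4444
"""

LOGCAT_LINE = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*\d+\):\s*(?P<msg>.*)$")
# 13 to 19 digits, optionally grouped by single spaces or dashes, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (drops ids that merely look like PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the way the log line should have been written."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number candidates in a message, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def scan_logcat(logcat: str, tag: Optional[str] = None) -> List[Tuple[int, str, str]]:
    """Return (line_no, tag, masked_pan) for every leaked card number, optionally for one tag.
    The report carries only the masked value so the finding does not repeat the leak."""
    hits = []
    for n, line in enumerate(logcat.splitlines(), start=1):
        m = LOGCAT_LINE.match(line)
        if not m or (tag and m.group("tag") != tag):
            continue
        for pan in find_pans(m.group("msg")):
            hits.append((n, m.group("tag"), mask_pan(pan)))
    return hits
```

Pipe real output in with `adb logcat -d` instead of the constructed sample to run the same check against a device.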


Published in Android AppSec Walkthrough
