Hello everyone, greetings all! In this blog we are going to see how Android applications can leak user data through log files, and how that impacts the application's users.
If you are doing penetration testing against your targeted Android application, inspecting the adb logs often provides a great deal of information that impacts the users of your application.
What is an Android log?
Every application uses logs. Mobile application developers use the Log class to write debugging information into the device logs while the user interacts with the app. On a vulnerable application, where the developer has logged sensitive data by mistake, these logs are accessible to any other application that holds the READ_LOGS permission. If you are targeting a version prior to Android 4.1 (android:minSdkVersion="14"), the application is vulnerable.
An attacker can take advantage of this: with physical access to the device, the attacker can simply use logcat, capture all the log details and steal user data such as bank details, user names, passwords, API keys, CSRF tokens etc.
What is logcat?
Logcat is a CLI tool that dumps a log of system messages, including stack traces when the device raises an error, together with the messages and data your app writes with the Log class. Logcat easily captures the full stack trace of your targeted application. This tool is helpful for both developers and penetration testers.
WORK FLOW:
- We have a vulnerable Android application that leaks user-sensitive information in its logs. The application has a login interaction.
- 1. Use adb to access the Android shell. To open the adb shell we will use the command:
- adb shell
- 2. Now log in as a user with your credentials and run the command:
- logcat | grep "application name"
The above command will capture all upcoming logs belonging to our given apk.
- 3. To capture the user's password or e-mail accordingly, you can use a regex or keyword filter, for example:
- logcat | grep "password"
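The grep above is the manual version of the check. As an added example (not part of the original post, and not the author's tooling), the following Python script does the same review over saved logcat output: it parses threadtime-format logcat lines, keeps only the lines written under the target app's log tag, flags key=value pairs whose key looks like a credential or token, flags e-mail addresses, and produces a redacted copy of the log for the report. The log lines, the "BankApp" tag and every value in them are constructed for this example; no real application is involved.

```python
"""Scan saved logcat output for sensitive values an app should never log.

Added example: the sample log below is constructed, and the tag "BankApp"
is a hypothetical application. Run `adb logcat -v threadtime > app.log`
on a test device and feed the file to find_leaks() to use it for real.
"""
import re

# Constructed logcat output in threadtime format (date time pid tid level tag: msg).
SAMPLE_LOGCAT = """\
05-12 10:41:02.113  4311  4311 D BankApp : login screen shown
05-12 10:41:09.540  4311  4311 D BankApp : POST /api/login email=alice@example.com password=Hunter2!
05-12 10:41:09.812  4311  4327 I BankApp : auth ok token=eyJhbGciOiJIUzI1NiJ9.e30.sig
05-12 10:41:10.004  4311  4311 D BankApp : csrf_token=9f3a1c2b set for session
05-12 10:41:11.220  1180  1402 I ActivityManager: Displayed com.example.bankapp/.HomeActivity
05-12 10:41:12.901  4311  4311 D BankApp : balance view refreshed
"""

# One threadtime logcat line; the tag is matched lazily up to the first ": ".
LOG_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# key=value or key: value pairs whose key names a secret. Longer keys come
# first so "csrf_token" is reported as such rather than as "token".
SENSITIVE_KEYS = re.compile(
    r"\b(?P<key>csrf_token|api_key|password|passwd|pwd|token|secret)\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def parse_logcat(text):
    """Parse threadtime logcat lines into dicts; lines in another format are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["tag"] = entry["tag"].strip()
            entry["line"] = lineno
            entries.append(entry)
    return entries


def find_leaks(text, tag):
    """Return (line_no, kind, value) findings for log lines written under `tag`.

    kind is the matched key name in lower case, or "email" for an address.
    """
    findings = []
    for entry in parse_logcat(text):
        if entry["tag"] != tag:
            continue  # only the target app's own log lines are in scope
        for m in SENSITIVE_KEYS.finditer(entry["msg"]):
            findings.append((entry["line"], m.group("key").lower(), m.group("value")))
        for m in EMAIL.finditer(entry["msg"]):
            findings.append((entry["line"], "email", m.group(0)))
    return findings


def redact(text):
    """Return the log with secret values and e-mail addresses masked, for the report."""
    out = []
    for line in text.splitlines():
        line = SENSITIVE_KEYS.sub(lambda m: f"{m.group('key')}=<redacted>", line)
        line = EMAIL.sub("<email-redacted>", line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for line_no, kind, value in find_leaks(SAMPLE_LOGCAT, "BankApp"):
        print(f"line {line_no}: {kind} leaked ({value})")
    print(redact(SAMPLE_LOGCAT))
```

Filtering on the tag instead of a bare grep keeps other apps' and system lines (like the ActivityManager line in the sample) out of the finding list, and the redacted copy is what should go into the pentest report rather than the raw log.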
How To Mitigate Against Risk:
- Make sure you are using Android higher than 4.1, where only system apps can access the device logs.
- Add the following line to the ProGuard config file; it tells ProGuard to treat all android.util.Log calls as having no side effects, so they are stripped from the release build:
-assumenosideeffects class android.util.Log{*;}
References : https://androidpedia.net/en/tutorial/1552/logging-and-using-logcat
Thanks for reading... See you in another blog!
Stick With Our Blog : https://securiumsolutions.com/
Author : Pallab Jyoti Borah | VAPT Analyst