Logs are very helpful during the development process, but should we leave them in a production app?
Exposing information about the app
Every information that we log can be a potential source of security issues!
What type of logs do we log in our applications?
Probably most of them contain some not important information (from your perspective), for example: “Signing in”, “Getting Token”, “Signing in successful”, “Getting user data”. Is it secure to keep such logs in the production app? NO. Why? Because all those information can be really helpful for the person who wants to have an unauthorized access to our app. Before checking the logs, a potential attacker knows nothing about how our authorization process looks like, but what about now? He knows exactly the authorization workflow. He knows that some token is needed, and after the authorization process, we are getting user information. A quite helpful one.
Let’s consider another example - we left logs with some very sensitive data (like Authorization Token, user login, user password). A person who wants to make a big mess on our server already have an access to all the needed information, so it will be quite easy to, for example, drop the database, get all user data, etc.
It doesn’t mean that we shouldn’t place logs with information about application workflow, debug messages, etc. All those information are very useful during the development process, but we always need to remove those log entries from the production app.
User data leaks (GDPR)
Leaking information about application workflow or leaving irresponsible logs in production app can lead to a different security issue - User Data leak.
Logging things that we get or send to the server can be very helpful, but keeping those log entries in production app can be very dangerous. Why? Because they can contain user sensitive data.
Such data should be processed carefully. It will be quite disappointing to finding out that your personal information (email, phone number, address, etc.) leaked to the Internet. It will definitely decrease your app rating and reputation. Moreover, starting from 25.05.2018 we need to be aware of GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
It would be even worse when you accidentally leave logs with all the information that are needed to use someone’s payment card or any other payment method.
Facilitating unauthorized access
It is not easy to keep logs safe in the production app. Logs can lead to unauthorized access to your application or/and server. Such access can lead to very serious security problems (for example user data leaks).
Do you know that you can access log entries from other applications? From Google Security Guide:
“Be careful when writing to on-device logs. In Android, logs are a shared resource and are available to an application with the READ_LOGS permission. Even though the phone log data is temporary and erased on reboot, inappropriate logging of user information could inadvertently leak user data to other applications.”
It was very easy to access those logs on older Android versions (before Android 4.1). After granting the permission mentioned above you could do whatever you want with other apps logs.
Android 4.1 brings us very important security improvement. Since this version, the protection level of the READ_LOGS permission was changed to signature|level|development. The development protection level means that the application can request this permission and it will be denied upon installation.
So, is it safe to leave logs in production apps when there are less than 1% devices running on Android older than 4.1? No!
There is an easy way to grant READ_LOGS permission using ADB tool! As you can see - it’s not hard to get those logs anyway.
As you can see keeping log entries in the production app can lead to many serious security issues and it is not easy to keep them safe. If you read the Log documentation, you probably know that:
“Verbose should never be compiled into an application except during development. Debug logs are compiled in but stripped at runtime. Error, warning and info logs are always kept.”
Moreover, it’s recommended by Google to remove Log calls when configuring the application for release.
Last, but not least. There is a tool created by Jake Wharton named Timber. This is a very useful library which provides utility on top of Android's normal Log class. Please read the README carefully and find what Jake said about leaving the log entries in the production app - “every time you log in production, a puppy dies”.
If you want to learn more about avoiding leaks of sensitive data in Android apps, don’t hesitate to check https://www.netguru.com/blog/how-to-avoid-data-leaks-in-android