
I'm currently checking the logs an Android app creates. There, I found an interesting entry: In Android's

/data/data/app.being.checked/cache/ok_http_cache_dir

There are quite a lot of files and there are entries where an attacker could easily read the user's

  • E-Mail address
  • First name
  • Customer Id

These files persist even after logging out, exiting the app and restarting the phone.

Now the question remains: Is this a vulnerability which a real-world attacker would use to gain access to the user's data, or would it take too much effort to do so, because he has to gain access to the user's phone, root it and then read the files, or use a malicious program if the phone is already rooted?

I'm asking because I'm currently checking the app in scope of a bug bounty program and it specifies that any vulnerabilities have to be usable in a real-world scenario to do damage (including getting access to sensitive data) to a user. Would this qualify for such a program?

  • "Would this qualify for such a program?" -- there is nobody who can answer that, other than those running the program. – CommonsWare Sep 21 '18 at 23:45
  • @CommonsWare Hmm, you are right. But is this generally considered insecure or is it more of a non-factor because if you have root access to the user's phone you probably have this information anyways? – Terrible Stomper Sep 21 '18 at 23:52

2 Answers

0

Encrypting log data is only one way to obfuscate parts of the system. If a malicious application already installed on your Android has root on the phone, then it already has access to everything on the system. For example, the app that has root can install a keylogger, or a screen capture, and bypass the need to read a log file. But overall yes, encrypting a file can slow down an attacker from getting all of the log data at once vs getting it in screen captures.

0

Encrypting data at rest mainly protects against cold attacks, that is, attacks where the attacker gets the device in a powered-off state, and to some extent while it's locked. All recent Android devices have full disk encryption by default, so they are already protected against these types of attack.

Encrypting data cannot fully protect against an attacker that has already gained root access. If the application can read the logs, then so can root. What would make things more secure is making sure that the log file permissions are set so that only the application can read the logs. This will protect the application logs from being read by other applications that don't have root access.

So no, an unencrypted log is not necessarily making it less secure when the log file permissions are set correctly. While a second layer of defense is not necessarily a bad thing when it comes to security, it's not necessarily a problem not to encrypt logs in this context.

Lie Ryan
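
Added example, not part of the question or either answer: a small audit a tester could run over a copy of the app's cache directory to report the two things discussed above, namely files whose permissions reach beyond the owning app and files that contain e-mail-like strings. The function names, sample file names and sample contents are constructed for illustration; the gzip handling is an assumption about how a response body might be stored.

```python
import gzip, os, re, stat, tempfile, zlib

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def audit_cache_dir(root):
    """Return sorted (relative path, findings) pairs for files worth reviewing."""
    report = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = []
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any group/other bit means the file is not private to the app's UID.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"mode {mode:o} grants access beyond the owner")
            with open(path, "rb") as fh:
                data = fh.read()
            # Assumption: a body may be stored gzip-compressed, so look inside.
            if data[:2] == b"\x1f\x8b":
                try:
                    data = gzip.decompress(data)
                except (OSError, EOFError, zlib.error):
                    pass  # not valid gzip after all; scan the raw bytes
            hits = set(EMAIL_RE.findall(data))
            if hits:
                findings.append(f"{len(hits)} distinct e-mail-like string(s)")
            if findings:
                report.append((os.path.relpath(path, root), findings))
    return sorted(report)

def build_sample(root):
    """Write constructed stand-ins for cache entries (not real app data)."""
    body = b'{"email": "jane.doe@example.com", "firstName": "Jane", "customerId": 1001}'
    samples = {
        "a1b2.1": (body, 0o644),                 # plaintext body, world-readable
        "c3d4.1": (gzip.compress(body), 0o600),  # compressed body, owner-only
        "journal": (b"constructed journal\n", 0o600),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, findings in audit_cache_dir(tmp):
            print(rel, "->", "; ".join(findings))
```

A file that is flagged only for its contents is still readable by root and by the app itself, which is the distinction the second answer draws between permissions and encryption.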