FVP-02-013 WP5: Android app exposes sensitive data to system logs #809

Closed
bakulf opened this issue Apr 7, 2021 · 1 comment · Fixed by #817

Comments

Collaborator

bakulf commented Apr 7, 2021

It was found that the Android app makes frequent use of logging features to be able to
monitor events. However, this can be considered a bad practice, especially in production
environments where tokens and codes of Mozilla VPN users might be accessible by
third parties.
In case the device is connected to the computer with debugging enabled via USB, an
attacker may be able to get access to the logs via `adb logcat`. From there, extraction of
user tokens may be achievable. Note that apps with system privileges are able to
access logs directly on rooted devices.

┆Issue is synchronized with this Jira Task
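
A pre-release check for the exposure described in this issue, added here as an example (it is not part of the original issue or of the Mozilla VPN code base): it scans a saved `adb logcat -v threadtime` capture for token-shaped strings and reports them masked. The tag names, sample lines and secret patterns are constructed assumptions to be tuned per app.

```python
import re

# `adb logcat -v threadtime` layout: date time pid tid level tag: message
LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$"
)

# Heuristic secret shapes (assumptions, tune per app). Group "v" is the secret.
PATTERNS = [
    ("jwt", re.compile(r"(?P<v>eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,})")),
    ("bearer", re.compile(r"(?i)\bbearer\s+(?P<v>[\w.~+/-]{16,}=*)")),
    ("key_value", re.compile(
        r"(?i)[\w-]*(?:token|code|secret|password)[\w-]*\s*[=:]\s*[\"']?"
        r"(?P<v>[\w.~+/=-]{16,})")),
]


def mask(value):
    """Keep the report itself free of secrets: prefix plus length only."""
    return f"{value[:4]}...({len(value)} chars)"


def audit(lines, tags=None):
    """Return (line_no, tag, kind, masked_value); tags limits the scan to those log tags."""
    findings = []
    for no, raw in enumerate(lines, 1):
        m = LINE.match(raw.rstrip("\n"))
        if not m or (tags and m["tag"] not in tags):
            continue
        for kind, pat in PATTERNS:
            hit = pat.search(m["msg"])
            if hit:
                findings.append((no, m["tag"], kind, mask(hit["v"])))
                break  # one finding per line is enough to fail a build
    return findings


# Constructed sample capture; tags and values are made up for illustration.
SAMPLE = [
    "04-07 10:15:32.101  4321  4321 I ExampleVPN: Connecting to server",
    "04-07 10:15:32.250  4321  4350 D ExampleAuth: auth_code=Zx81kQpLm02nVbT7uYc3aa",
    "04-07 10:15:32.400  4321  4350 D ExampleAuth: Authorization: Bearer abcdEFGHijklMNOPqrst0123",
    "04-07 10:15:33.000  9999  9999 D OtherApp: token=0123456789abcdef0123",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, tags={"ExampleVPN", "ExampleAuth"}):
        print(finding)
```

Run against a capture taken from a release build while exercising login and connect flows; any finding means a secret reached the system log.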

@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
Collaborator Author

bakulf commented Apr 8, 2021

Maybe this can be considered a dup of https://github.com/mozilla-mobile/mozilla-vpn-client/issues/811

@strseb strseb self-assigned this Apr 8, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021
@bakulf bakulf added this to To Do in v2.3 Apr 12, 2021
v2.3 automation moved this from To Do to Merged Apr 14, 2021
@jess-cook03 jess-cook03 added this to the Release v2.3 milestone Apr 14, 2021
@jess-cook03 jess-cook03 added this to Triage parking lot in Mozilla VPN Product Board via automation Apr 14, 2021
@jess-cook03 jess-cook03 moved this from Triage parking lot to Done/Merged in Mozilla VPN Product Board Apr 14, 2021
@birdsarah birdsarah removed this from Merged in v2.3 Apr 29, 2021