
Unintended Data Leakage

Unintended data leakage occurs when a developer places sensitive information or data in a location that another application on the device can easily access, or when the processing of that data has a side effect (unknown to the developer) that leaves it in an insecure location on the mobile device to which other apps have open access. Typically these side effects originate from the underlying mobile operating system (OS). This is a very prevalent vulnerability in code produced by developers who do not have intimate knowledge of how the underlying OS stores or processes that information.

Common locations

  • URL Caching (Both request and response)

  • Keyboard Press Caching

  • Copy/Paste buffer Caching

  • Application backgrounding

  • Insecure Logging

  • HTML5 data storage

  • Browser cookie objects

  • Analytics data sent to 3rd parties

Unintended Data Leakage through Clipboard

  1. Install any clipboard capture application; here I'm using Clipboard Manager.

  2. Copy any credential or other sensitive data; the clipboard capture application records whatever was copied.

Application backgrounding

Whenever the user sends the app to the recents screen or minimizes it, the app should hide sensitive information. For example, a banking application may not allow screenshots of sensitive information, but if it does not hide that information when the app is in the recents view, the information still appears in the recents snapshot (and in a screenshot of it), which becomes a threat to user data. On Android, setting WindowManager.LayoutParams.FLAG_SECURE on the window is the usual control for both cases.

Insecure Logs and use of logcat

While developing an application, developers use logging to test whether the application is working properly; at publish time they forget to remove these calls, and the vulnerability occurs. If the application contains calls such as Log.i, Log.d or Log.e (android.util.Log; Log.v and Log.w behave the same way), it writes log lines that are visible in logcat.

While the application runs, it writes to the centralized logcat buffer maintained by Android, which holds the log output of every application; so if the application logs sensitive information such as credentials, it is vulnerable to insecure logging. Since Android 4.1 ordinary apps can no longer read other apps' log output (READ_LOGS is restricted to system apps), but anyone with adb access to the device, or with a debuggable or rooted device, can still read it.

How to test

  1. Open the vulnerable app.

  2. Find its process ID:

     adb shell ps | grep -i {vulnapp}    (e.g. diva)

  3. Filter the log by that PID:

     adb shell logcat | grep -i [pid]

Filtering on a bare PID with grep also matches any other number that contains the same digits; on Android 7.0 and later, adb logcat --pid=[pid] restricts the output to that process.
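As an added example (not from the original page or any of the apps it mentions), the following Python filter does the same job as the grep pipeline above but on parsed fields: it reads logcat's threadtime format, keeps only lines written by the app's PID, and flags messages that look like credentials or card numbers. The PID 4231, the tags and the log lines are constructed sample data.

```python
import re

# `adb logcat -v threadtime` line layout, e.g.:
#   05-14 10:21:03.420  4231  4231 D LoginActivity: user=alice password=hunter2
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEFS])\s+"
    r"(?P<tag>[^:]*?)\s*:\s?(?P<msg>.*)$"
)
# key=value or key: value pairs whose key usually names a secret
SECRET_KEY_RE = re.compile(
    r"\b(password|passwd|pwd|pin|otp|token|secret|api[_-]?key|authorization|bearer)\b\s*[:=]",
    re.IGNORECASE,
)
PAN_RE = re.compile(r"\b\d{13,19}\b")  # bare 13-19 digit run: plausible card number

def parse_line(line):
    """Split one threadtime logcat line into fields; None for separator lines."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None  # e.g. '--------- beginning of main'
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec

def find_leaks(lines, pid):
    """Return (level, tag, msg) for lines written by `pid` that look sensitive.
    Matching on the parsed pid field (not 'grep <pid>') ignores lines from other
    processes that merely mention the same digits in their message."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pid"] != pid:
            continue
        if SECRET_KEY_RE.search(rec["msg"]) or PAN_RE.search(rec["msg"]):
            hits.append((rec["level"], rec["tag"], rec["msg"]))
    return hits

# Constructed sample logcat output; PID 4231 stands in for the app under test.
SAMPLE_LOGCAT = """\
--------- beginning of main
05-14 10:21:02.990  1234  1250 I ActivityManager: Displayed com.example.vulnapp/.LoginActivity
05-14 10:21:03.417  4231  4231 D PaymentActivity: processing card: 4111111111111111 exp 12/27
05-14 10:21:03.420  4231  4231 D LoginActivity: user=alice password=hunter2
05-14 10:21:03.421  4231  4250 I LoginActivity: login request sent
05-14 10:21:03.500  5555  5555 D OtherApp: token=abc123 sent to pid 4231
"""

if __name__ == "__main__":
    for level, tag, msg in find_leaks(SAMPLE_LOGCAT.splitlines(), 4231):
        print(f"[{level}] {tag}: {msg}")
```

On a real device, feed it the output of adb logcat -v threadtime instead of the constructed sample; the last sample line shows a message that a plain grep on the PID would report although it belongs to another process.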

Impact

When an application processes sensitive information taken as input from the user or any other source, it may end up placing that data in an insecure location on the device. That location could be accessible to other, malicious apps running on the same device, leaving the user's data at serious risk.