Viewing and analyzing Android logs. In this article we will see what the Android log is, what is it used for, what are the different logging levels and what security concerns may arise from misusing this feature. In this case we will be using logcat; a command-line tool that dumps a log of system messages, including stack traces from errors and messages written from an application using the Log class. [1]
Logging gives developers the ability to keep track of application events, errors, debug information and virtually anything that the developer wants to put in there, this is a very useful feature while developing the application, since it provides a way to understand application behavior under specific circumstances, for instance, logging exception details may help you debugging an application is crash, logging request and responses may help you understand server side behavior, logging user input can help in refining input validation, among others.
There are different levels of logging which indicate levels of priority and verbosity, they go from ERROR, WARN, INFO, DEBUG and VERBOSE:
- Log.e(): to log error level messages.
- Log.w(): to log warnings, anything strange, but not precisely an error.
- Log.i(): to log useful information about the app behavior.
- Log.d(): to log for debugging purposes of minor events.
- Log.v(): to log everything, full verbosity.
Finally there is the Log.wtf() level, which stands for “what a terrible failure” (yeah right!), this level is for when something goes absolutely and terribly wrong,for instance when you get errors you are not supposed to.
However useful logging may be during development, it can represent a security risk in the sense that, if not done carefully, an application may leak sensitive information to an attacker with access to the device, through malware or a repackaged application acting on behalf on the attacker. Here, we will see how to access and analyze application logs using the logcat command available through the Android Debug Bridge.
We will be using a simple Android application that leaks sensitive information into the logs, first we start the Android virtual device (AVD), where we have already installed the target application:
Now we connect to the AVD using the android debug bridge and run the command adb logcat, this will give you the logs back in the standard output:
Before running the application and getting it to write into the logs, let’s first write the logcat output into a file for easier handling and grepping, by running the command adb logcat > logs.txt, this will create a simple text file with the contents of the logs on it:
We now run the application and enter the credentials as foo@example.com/hello,
Coming back to logcat we hit Ctrl+C to interrupt the console and then use grep to inspect the contents of the file and look for interesting information, for instance, we can right away go and grep for the password we have just entered in the login screen (we can also grep for the word ‘Password’):
If you want to add color to your results, you can use an alias and set the –color option to always, you can also the the –ignore-case option to ignore the case of what you are grepping for, something like: alias grep=’grep –color=always –ignore-case’, this will give an output like below:
You can also grep for regular expressions, for instance, if you want to look for emails you could do something like this:
Conclusion
Above shows the process of viewing and analyzing Android logs. Just like any other, the Android logs are very helpful during development for diagnosing application behavior, however, they have to be carefully crafted not to leak sensitive information when application is in production, this information may be abused by an attacker with access to the device, through malware or a repackaged application acting on behalf on the attacker.
Thanks for sharing