PTKD Mobile App Security
medium | M9 | MASVS-STORAGE-1 | dynamic analysis | PTKD-DYN-LOG-SENSITIVE

Sensitive data written to the log

A credential or PII value appeared in logcat, where other apps (pre-Android 4.1) or a connected host can read it.

How it's exploited

Sensitive values were written to the system log. Other processes with log access, connected computers (adb logcat), and crash-reporting pipelines all see them; logs also persist in bug reports users share.

Why it matters

Tokens and personal data leak through a channel nobody audits as data storage.

How to fix it

  1. Strip or gate logging: no secrets or PII at any level; use ProGuard/R8 to remove Log.d/v in release.
  2. Route diagnostics through a logger that redacts known-sensitive keys by default.
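
One way to build the redacting logger from step 2, as an added example that is not PTKD's or any library's own code. `RedactingLog`, its key list, `debugBuild` and the `sink` hook are hypothetical; the sink prints to stdout here so the block runs on a plain JVM, and on Android it is assumed to forward to android.util.Log.

```kotlin
// Added example; every name here is hypothetical, not a library API.
object RedactingLog {
    // Key fragments treated as sensitive by default (constructed list; extend per app).
    private val keys = listOf("password", "passwd", "token", "secret", "api_key", "email", "phone")

    // key=value, key: value and "key":"value" pairs whose key contains a fragment above.
    private val pair = Regex(
        """(?i)("?)([\w-]*(?:${keys.joinToString("|")})[\w-]*)\1(\s*[:=]\s*)("[^"]*"|[^\s,;&}]+)"""
    )
    // HTTP credentials such as "Bearer eyJ..." or "Basic dXNlcjpw".
    private val authScheme = Regex("""(?i)\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+""")

    // Assumption: on Android, set from BuildConfig.DEBUG and point sink at android.util.Log.
    var debugBuild = false
    var sink: (String, String) -> Unit = { tag, msg -> println("$tag: $msg") }

    fun redact(msg: String): String {
        // Credentials first, so a scheme word is never mistaken for the whole value.
        val noCreds = authScheme.replace(msg) { "${it.groupValues[1]} <redacted>" }
        return pair.replace(noCreds) { m ->
            val (quote, key, sep) = m.destructured
            "$quote$key$quote$sep<redacted>"
        }
    }

    // Verbose/debug output is dropped outside debug builds; other levels are always redacted.
    fun d(tag: String, msg: String) { if (debugBuild) sink(tag, redact(msg)) }
    fun w(tag: String, msg: String) = sink(tag, redact(msg))
}

fun main() {
    // Constructed sample messages, not taken from a real app.
    val samples = listOf(
        "login ok user=bob password=hunter2 session_token=eyJhbGciOi.abc",
        """response {"email":"a@example.com","id":7}""",
        "GET /me Authorization: Bearer eyJhbGciOi.def.ghi",
        "refresh https://api.example.com/v1?access_token=abc123&page=2"
    )
    samples.forEach { RedactingLog.w("Auth", it) }
    RedactingLog.d("Auth", "password=hunter2") // dropped while debugBuild is false
}
```

Key-based redaction only catches values logged next to a recognisable key or scheme; a bare secret passed as the whole message still reaches the log, so step 1 remains the primary control.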

References