A credential or PII value appeared in logcat, where other apps (pre-Android 4.1) or a connected host can read it.
How it's exploited
Sensitive values were written to the system log. Other processes with log access, connected computers (adb logcat), and crash-reporting pipelines all see them; logs also persist in bug reports users share.
Why it matters
Tokens and personal data leak through a channel nobody audits as data storage.
How to fix it
Strip or gate logging: no secrets or PII at any level; use ProGuard/R8 to remove Log.d/v in release.
Route diagnostics through a logger that redacts known-sensitive keys by default.