Android Read Log Permission| 1 comment | android
When reading this post about the Facebook SDK writing a line to your Android phone's log file, I was interested to see what other applications wrote sensitive data to the log.
The log is available to any application that has the READ LOG permission. This permission is marked dangerous but users are confronted with this message:
Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information.
From what I have seen, that word "potentially" needs to be changed to "most definitely".
On my Samsung Galaxy S2, I found that all my texts and emails were written to the log file in plain text. I even wrote a proof of concept application to read my emails.
I see no good reason as to why applications would need to write any private data to the log. The permission is there in the first place for easy debugging which makes sense, but just writing whole emails and texts to the log makes no sense. When I receive a text, a notification is written to the notification bar which includes the text contents, including the name of the contact - this whole string, for some reason, is written to the log file. Likewise whenever I open an email in the Gmail application, the whole content of the email is written to the log file.
I did try and reach out to Google and Samsung about this issue, but after a couple of weeks have not heard anything back.
Google do not seem to be following their own advice that states:
Application developers should be careful writing to on-device logs. In Android, logs are a shared resource, and are available to an application with the READ_LOGS permission. Even though the phone log data is temporary and erased on reboot, inappropriate logging of user information could inadvertently leak user data to other applications.