Logging based vulnerabilities
Inspecting adb logs
often provides us a great deal of information during a penetration test. Mobile app developers use the Log
class to log debugging information in to the device logs. These logs are accessible to any other application with READ_LOGS
permission prior to the Android 4.1 version. This permission has been removed after Android 4.1 and only system apps can access the device logs. However, an attacker with physical access can still use the adb logcat
command to view the logs. It is also possible to write a malicious app and read the logs with elevated privileges on a rooted device.
The Yahoo messenger app was vulnerable to this attack as it was logging user chats along with the session ID into the logs. Any app that has READ_LOGS
permission could access these chats as well as the session ID.
Following are the details of the vulnerable Yahoo messenger application:
Package name: com.yahoo.mobile.client.android.im
Version: 1.8.4
The following steps show...