Access Sensitive Data in Device Logs

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

ID: T1413

Tactic Type:  Post-Adversary Device Access

Tactic: Collection, Credential Access

Platform:  Android

MTC ID:  APP-3, APP-13

Version: 1.0

Mitigations

MitigationDescription
Application Developer GuidanceApplication developers should be discouraged from writing sensitive data to the system log in production apps.
Application Vetting
Security Updates
Use Recent OS VersionStarting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.)[1]

References