Security tip for developers using LogCat

Recently, this past fall, security firm Lookout Mobile discovered that developers were writing some pretty interesting things to LogCat, and they talked about their findings at DefCon.

While, as a dev, you should never put sensitive information in your logs in the first place, you can use the following system to turn off logging in your release builds.

At the beginning of each of my classes I write:

public class MyClass
{
    // Debugging
    private static final String TAG = "MyClass";
    private static final boolean GLOBAL_DEBUG = DebugMode.MODE;
    private static final boolean LOCAL_DEBUG = true;
    private static final boolean D = ( GLOBAL_DEBUG && LOCAL_DEBUG );

    // ... rest of the class ...
}

Notice that DebugMode is a separate class (MODE is its only field), and it’s a pretty simple one:

public class DebugMode
{
    public static final boolean MODE = true;
}

Then, whenever I want to put something in LogCat, I write:

if (D) Log.d(TAG, "something interesting happened");

Finally, when I’m ready to release, I only have to change the DebugMode class to:

public class DebugMode
{
    public static final boolean MODE = false;
}

And voila! We now have both fine-grained, per-class control of how much info gets sent to LogCat, as well as a global on/off switch that will help keep prying eyes out of our logs.
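Here is the whole pattern pulled together as a plain Java program you can compile and run outside Android; this is an added example, not code from the original post. DebugMode.MODE, GLOBAL_DEBUG, LOCAL_DEBUG and D are the post's own names; FakeLog (a stand-in for android.util.Log), the counters and the sample token are assumptions made for the demo.

```java
// Added example (not from the original post): the post's DebugMode gating in
// a stand-alone Java program. FakeLog stands in for android.util.Log and the
// counters exist only so the effect of the guard is visible (both assumptions).
public class LogGateDemo {

    // Global switch, exactly as in the post's DebugMode class.
    static final class DebugMode {
        static final boolean MODE = false;   // set to true for a debug build
    }

    // Stand-in for android.util.Log (assumption), counting what actually gets out.
    static final class FakeLog {
        static int emitted = 0;
        static void d(String tag, String msg) {
            emitted++;
            System.out.println("D/" + tag + ": " + msg);
        }
    }

    // Per-class flags, as at the top of each class in the post.
    private static final String TAG = "LogGateDemo";
    private static final boolean GLOBAL_DEBUG = DebugMode.MODE;
    private static final boolean LOCAL_DEBUG = true;
    private static final boolean D = (GLOBAL_DEBUG && LOCAL_DEBUG);

    // Counts how often a log message was *built*: the guard also skips the
    // string concatenation, so the secret never even reaches a String.
    static int messagesBuilt = 0;

    static String describe(String sessionToken) {
        messagesBuilt++;
        return "session token = " + sessionToken;   // the kind of thing Lookout found in logs
    }

    static void handleLogin(String sessionToken) {
        if (D) FakeLog.d(TAG, describe(sessionToken));
        // ... real login work would go here ...
    }

    public static void main(String[] args) {
        handleLogin("sample-token-0123");   // constructed sample value, not a real credential
        System.out.println("lines logged:   " + FakeLog.emitted);
        System.out.println("messages built: " + messagesBuilt);
    }
}
```

With MODE set to false both counters stay at zero, because `if (D)` short-circuits before `describe()` is ever called. Note that every flag here is a compile-time constant, so javac inlines D into each class and drops the guarded branch altogether; flipping MODE therefore needs a full rebuild of every class that uses it, not just a recompile of DebugMode.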

Anyway, hope that helps.

Video from DefCon (need to login/download):
http://vimeo.com/14980971

(Thanks much to R. from Slashdot for pointing me towards this)