Skip to main content

Damn Vulnerable Android Application by Security Compass - Lab 4 Secure Logging

Lab 4 Secure Logging

Welcome back friends, Today we're gonna have a look on lab 4 Secure Logging from Damn Vulnerable Android Application by Security Compass series.

Some times developers log the info about application to the android log, this some times contains sensitive information of an application.

So in this lab we are gonna test this flaw on the vulnerable app, for this we have use adb logcat.


Now after starting the logcat we have to browse through the app or have to make some activity like fund transfer etc. and then we need to check the logs for some sensitive info.

We juz tried to check the account balance.


and we got this in logs


After this we tried for fund transfer





We got this in Logs


Solution:

Developer should be very carefull about what he is logging about the app. He should refrain from logging any sensitive information like session keys etc.

Comments

  1. Yasmeen Yas7 July 2020 at 19:27

    I really appreciate this post and I like this very much. I am waiting for new post here and Please keep it up in future..
    Software Testing Services
    QA Testing Services
    Software Testing Services in USA
    Software Testing Companies in USA
    Software Testing Company
    Software Testing and Quality Assurance
    QA Testing Companies
    Independent Software Testing Companies in USA
    Independent Software Testing Services
    Software Testing Companies in India
    Software Testing Companies in Dubai
    Functional Testing Services
    QA Software Testing Services
    QA Testing Companies in USA

    ReplyDelete
  2. Yasmeen Yas27 August 2020 at 07:06

    Awesome article, it was exceptionally helpful! I simply began in this and I'm becoming more acquainted with it better! Cheers, keep doing awesome!
    Software Testing Services
    Software Testing Services in India
    Software Testing Companies in India
    Software Testing Services in USA
    Software Testing Companies in USA
    Software Testing Companies
    Software Testing Services Company
    Functional and non functional testing

    ReplyDelete
  3. radleejaey3 March 2022 at 16:10

    Casinos Near Casinos Near Casinos Near Me in Las Vegas, NV
    A map showing casinos and 삼척 출장샵 other gaming 전라남도 출장샵 facilities located 영주 출장샵 near Casinos Las Vegas, 목포 출장샵 NV, from Mapyro, 춘천 출장샵 guide to casinos and travel sites,

    ReplyDelete
  4. Clove HR21 October 2025 at 05:49

    A future-ready Human Resource Management Software solution that harmonizes people processes with business strategy. From recruitment analytics to career development plans, HR teams can align skills with demand. Payroll Management Software handles payroll runs, tax withholdings, and benefits integration with precision. The platform’s AI-driven insights identify retention risks and training opportunities, enabling targeted interventions that boost engagement, productivity, and organizational resilience.

    ReplyDelete
  5. Devstringx22 October 2025 at 02:41

    Focused on scalable quality, DevstringX Technologies offers comprehensive testing programs that adapt to evolving project needs. Their engineers implement robust automation, cross-platform validation, and security assessments to safeguard applications from early stages through production. Clients benefit from proactive risk mitigation, fast feedback loops, and clear collaboration across teams. DevstringX Technologies consistently delivers predictable outcomes, helping enterprises achieve higher user satisfaction and stronger market confidence. Software Testing Services in India

    ReplyDelete

Post a Comment

Popular posts from this blog

Android Damn Vulnerable App by Security Compass

Tutorial of Android Damn Vulnerable App by Security Compass Introduction: Hi folks, today I am gonna show you some hands on or tutorial of the android app testing which I done during my R&D of android app security testing. Here I will show you from scratch setting up of Lab Server to testing of application. In this you will learn on below topics: 1)Insecure Connection (Traffic over HTTP) 2)Server Side Authorization Issue 3)Insecure File Storage 4)Insecure Logging 5)Encryption of data on device 6)Memory Protection Setting-up of lab (App & Server) First of all you have to download the base app which is damn vulnerable from here . After downloading zip and extracting it you have to build it in .apk format using Eclipse IDE. Now you have to install the app in the emulator before that you have to make sure that you installed SDK and its packages. To install the app you have to start emulator using AVD and clicking on "Start" or by command line emul...
25 comments
Read more

Drozer Commands - A Security & Attack Framework for Android

What is Drozer? Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing. There are 2 Versions of Drozer an Open Source and other one Pro version having following features Gathering the information about the application Find the attack surface Test your Exposure to Public Exploits Execute dynamic code on a device, to avoid the need to compile and install small test scripts. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate. Simulate sensor input, such as GPS, to emulators to test the full attack surface. View the attack surface as a graph. this will be helpful for the risk assessment reporting. Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device. Command to install the Dr...
6 comments
Read more

Damn Vulnerable Android Application by Security Compass - Lab 6 Advanced Encryption

Lab 6 Advanced Encryption  Today we are going to see the solution of basic encryption post in that no encryption was used for sensitive info. The solution is implementing the encryption and that we will try to bypass the encryption implementation as some times the developers store the hardcoded encryption key in the app itself. For this you need to install the BasicEncryptionSolution.apk. Now start this app and configure the credentials.   Now app is configured and credentials are also stored as per design in preferences.xml but I am expecting some sort of encryption now as we have installed solution for this flaw. Browse to the /data/data/com.securitycompass.androidlabs.basicencryptionsolution/shared_prefs as you can see that all the credentials are encrypted. So now we go and disassemble the app and try to figure out is there any key hardcoded key in the app. You can disassemble the app by using EasyApkDisassembler to...
9 comments
Read more