Solved

log spew & security issues


Phokus from team eos development here.

Please do something about the data contained in the logs and perhaps consider truncating some of the data placed into those logs (logcat). Viewing logs is a massive security problem in Android right now and there are password hashes in said logs.

Best answer by JimM 17 May 2012, 20:52

3 replies

Hello,
 
Welcome to the forum!
 
You cannot actually do anything nefarious with a password hash.  A hash is not the password itself.  We require a strong password on top of the fact that it's hashed.  It's not decryptable without knowing the key.  You could try brute-forcing it, but since it has to be a strong password to begin with, you won't get anywhere with that anyway.  Decrypting an MD5 password hash manually is no easy feat and is near-impossible if the password is any good to begin with.  Now if it was not a strong password to begin with, it's sometimes possible to match it up to a known hash using some online databases, but again we don't allow for weak passwords.
 
The logs are only viewable by whoever you email them to, which should typically just be support (or yourself if you're curious what's in them).
 
Regarding log-spying being a security problem, Webroot already protects you from spyware on your mobile device.  So if you are concerned about someone other than you snooping around on your device to see what you're doing, you can rest assured that we already protect against that.
Hi Jim,

Thanks for the welcome and quick thorough response!

I was just passing the info along as quickly as it was discovered so pardon the red flag. I myself am a security engineer and am comfortable with the protection after doing some research! :)

The only issue that we have at this point really is just the large amount of data going into the logcat. It's difficult sifting through the logs as every item scanned receives an entry. It is becoming necessary to disable protection when debugging unrelated issues or asking our users to reproduce defects. Perhaps a separate scan log could be written?
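The two concerns raised in this thread, a password hash landing in logcat and one log line per scanned item drowning everything else, can be checked with the same small tool. The block below is an added example in Python; it is not code from the thread, from Webroot, or from team eos. It parses a constructed logcat capture in the brief format (the tag names, messages and the ScanEngine tag are hypothetical), drops the per-item scan chatter, flags any token shaped like an MD5, SHA-1 or SHA-256 digest, and runs an offline dictionary check against each one. The sample digests are unsalted MD5 values computed inline; whether any real product logs unsalted hashes is an assumption of the sample, not something the thread establishes. What the example shows is the caveat a practitioner would want next to the answer above: an unsalted hash of a weak password is matched from a wordlist immediately, while the digest of a long random password is not matched by the same list.

```python
"""Audit a logcat capture: drop noisy scan-entry tags, flag hex digests, and
run an offline wordlist check against any digest found (added example)."""
import hashlib
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
LOGCAT_RE = re.compile(
    r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)
# 32/40/64 lowercase hex chars: the shape of MD5, SHA-1 and SHA-256 outputs.
HEX_DIGEST_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
DIGEST_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample capture (hypothetical tags and messages, not from any real
# product). The digests are unsalted MD5 of "password" (weak) and of a long
# random string (strong); unsalted MD5 is an assumption of this sample only.
WEAK_DIGEST = hashlib.md5(b"password").hexdigest()
STRONG_DIGEST = hashlib.md5(b"T7#vq!pL9xZ@2w%Kd").hexdigest()
SAMPLE_LOGCAT = f"""\
D/ScanEngine( 1234): scanned /data/app/com.example.one-1/base.apk clean
D/ScanEngine( 1234): scanned /data/app/com.example.two-1/base.apk clean
I/Auth    ( 1234): login user=alice digest={WEAK_DIGEST}
D/ScanEngine( 1234): scanned /system/app/Calendar.apk clean
I/Auth    ( 1234): login user=bob digest={STRONG_DIGEST}
E/MyApp   ( 4321): NullPointerException in MainActivity.onCreate
"""

# Tiny constructed wordlist standing in for a real one.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]


def parse_logcat(text):
    """Return a list of {prio, tag, pid, msg} dicts, skipping unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def drop_noisy_tags(entries, noisy_tags):
    """Hide chatter from tags that emit one line per scanned item."""
    return [e for e in entries if e["tag"] not in noisy_tags]


def find_digests(entries):
    """Return (tag, digest, guessed algorithm) for every hex token shaped like a hash."""
    found = []
    for e in entries:
        for d in HEX_DIGEST_RE.findall(e["msg"]):
            found.append((e["tag"], d, DIGEST_LEN_TO_ALGO[len(d)]))
    return found


def crack_unsalted(digest, algo, wordlist):
    """Offline dictionary check: return the matching word, or None.

    Only meaningful when the digest is an unsalted hash of the password; that
    is assumed for the constructed sample, not asserted about any product."""
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None


def audit(text, noisy_tags=frozenset({"ScanEngine"}), wordlist=WORDLIST):
    """Full pass over a capture: filter noise, flag digests, try the wordlist."""
    entries = drop_noisy_tags(parse_logcat(text), noisy_tags)
    findings = []
    for tag, digest, algo in find_digests(entries):
        findings.append({"tag": tag, "digest": digest, "algo": algo,
                         "recovered": crack_unsalted(digest, algo, wordlist)})
    return {"kept_lines": len(entries), "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_LOGCAT)
    print(f"{report['kept_lines']} lines kept after dropping scan chatter")
    for f in report["findings"]:
        status = f"recovered as {f['recovered']!r}" if f["recovered"] else "not in wordlist"
        print(f"[{f['tag']}] {f['algo']} digest {f['digest']}: {status}")
```

Running it on a real capture means replacing SAMPLE_LOGCAT with the output of `adb logcat -d -v brief`, passing the tag that produces the per-item scan entries to `drop_noisy_tags`, and using a real wordlist. The regex only catches bare lowercase hex; base64 or uppercase encodings of the same digests would need a second pattern.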
Original post: 5/11/12
 
The good news is that I was able to bring up this issue today with product leadership, so it is now on their radar.
 
The not so good news is that we don't have a lot of requests for this feature yet.
 
What I would suggest doing next is creating an idea for your request here.  In doing so, your request will be easier to track.  If other customers have the same idea, they can kudo your idea, which gives it a greater degree of visibility.  If enough customers kudo an idea, we are more likely to implement it. 
 
I think it's a good request too, and you'll get one kudo from me.  :)
 
Update: 5/17/12
 
I have good news.  Development has decided to go ahead and cut down on the log chatter.  This will ultimately be resolved in a future build.  I don't have a set date for that just yet, but it's being worked on.