Android application displays Pocket password in plaintext on LogCat.

I was looking at LogCat entries to fix an unrelated issue and I noticed the following type of messages that were emitted onto LogCat:

11-30 12:35:22.460 I/main.br (3364): ONAPPEVENT({ "feedly_local_tracker.1.0/event/personalization.signup/once":"yes", "feedly_fb_guest_token":"", "device_type":"phone", "feedly_local_tracker.1.0/event/personalization.install/once":"yes", "feedly_pocket_user":"", "type":"userSettings", "feedly_widget_refresh_interval":"600", "device_os":"android", "feedly_local_session":"{\"type\":\"login\", \"userEmail\":\"\", \"auth\":\"XXXX\", \"when\":\"Wed Nov 21 2012 13:02:37 GMT-0500 (EST)\", \"userId\":\"\", \"userName\":\"\", \"userProfileId\":\"\", \"isBloggerUser\":true, \"signupTimeSec\":1222830808, \"publicUserName\":\"PUBLIC_NAME>\", \"isMultiLoginEnabled\":true}", "device_os_level":16, "feedly_local_rateMe.time.v11":1355126355199, "feedly_local_tracker.1.0/event/personalization.askSignup/once":"yes", "feedly_start":"today", "feedly_local_firstCategory":"", "feedly_local_firstrun.welcome.v10":2, "feedly_mark_as_read":true, "device_density":2, "device_width":720, "feedly_fb_guest_expires":1, "display_height":567, "device_height":1184, "bitly_api_key":"BITLY_API_KEY>", "feedly_app_version":"10.10", "device_os_version":"4.1.2", "device_scaledTouchSlop":16, "screen_width":360, "bitly_user":"feedly", "feedly_font":"soho", "display_width":360, "feedly_local_swipeDownTooltip.v1":"done", "screen_diagonal":4.36, "feedly_font_size":"medium", "device_touchSlop":8, "feedly_local_auth":"", "feedly_theme":"white", "feedly_local_tracker.1.0/setCustomVars/once":"yes", "screen_height":592, "feedly_pocket_password":"POCKET_PASSWORD"})

The capitalized fields have been scrubbed manually by me because they reveal things like my email address and full name and API keys. The troublesome part is the capitalized text at the end, wherein the user's Pocket password is displayed directly in plaintext. Is this a privacy concern? It's my understanding that in Android 4.1 and above, an application cannot read another's logs (I was using CatLog with su privileges to get this), but on older phones the Main log data (and therefore the password) is clearly accessible to any application.
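Added example, not part of the original post or of the app's own code: a Python check that can be run over captured logcat output (for instance in a pre-release test) to flag lines like the one quoted above, including credentials nested inside JSON-encoded string values such as `feedly_local_session`. The key-name pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Key-name fragments treated as sensitive (an assumption; tune per application).
SENSITIVE = re.compile(r"pass(word|wd)?|auth|token|api_key|secret", re.I)
# logcat "time" format as seen in the post: "MM-DD HH:MM:SS.mmm P/tag (pid): message"
LOGCAT = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \w/(?P<tag>[^(]*?)\s*\(\s*\d+\): (?P<msg>.*)$"
)

def find_secrets(value, path=""):
    """Yield key paths whose name looks sensitive and whose value is non-empty."""
    if isinstance(value, str):
        # Settings blobs can embed JSON as a string value; parse and descend into it.
        try:
            inner = json.loads(value)
        except ValueError:
            return
        if isinstance(inner, (dict, list)):
            yield from find_secrets(inner, path)
    elif isinstance(value, list):
        for item in value:
            yield from find_secrets(item, path)
    elif isinstance(value, dict):
        for key, item in value.items():
            here = f"{path} > {key}" if path else key
            if SENSITIVE.search(key) and item not in ("", None):
                yield here  # report the key path only, never the value
            yield from find_secrets(item, here)

def scan_line(line):
    """Return (tag, key_path) pairs for one logcat line; [] if nothing is found."""
    m = LOGCAT.match(line)
    msg = m.group("msg") if m else ""
    start, end = msg.find("{"), msg.rfind("}")
    try:
        payload = json.loads(msg[start:end + 1]) if 0 <= start < end else None
    except ValueError:
        payload = None
    return [(m.group("tag"), hit) for hit in find_secrets(payload)]

# Constructed sample lines modelled on the message in the post (placeholder values).
SAMPLE = [
    '11-30 12:35:22.460 I/main.br (3364): ONAPPEVENT({"type":"userSettings",'
    '"feedly_local_auth":"","feedly_local_session":"{\\"type\\":\\"login\\",\\"auth\\":\\"XXXX\\"}",'
    '"bitly_api_key":"EXAMPLE_KEY","feedly_pocket_password":"EXAMPLE_PASSWORD"})',
    "11-30 12:35:23.101 D/dalvikvm (3364): GC_CONCURRENT freed 412K",
]

if __name__ == "__main__":
    for tag, key in (hit for line in SAMPLE for hit in scan_line(line)):
        print(f"sensitive key logged by {tag}: {key}")
```

The scanner reports only the key path, so its own output does not repeat the leaked value.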