Android application displays Pocket password in plaintext on LogCat.

  • Problem
  • Updated 2 years ago
I was looking at LogCat entries to fix an unrelated issue and I noticed the following type of messages that were emitted onto LogCat:

11-30 12:35:22.460 I/main.br (3364): ONAPPEVENT({ "feedly_local_tracker.1.0/event/personalization.signup/once":"yes", "feedly_fb_guest_token":"", "device_type":"phone", "feedly_local_tracker.1.0/event/personalization.install/once":"yes", "feedly_pocket_user":"", "type":"userSettings", "feedly_widget_refresh_interval":"600", "device_os":"android", "feedly_local_session":"{\"type\":\"login\", \"userEmail\":\"\", \"auth\":\"XXXX\", \"when\":\"Wed Nov 21 2012 13:02:37 GMT-0500 (EST)\", \"userId\":\"\", \"userName\":\"\", \"userProfileId\":\"\", \"isBloggerUser\":true, \"signupTimeSec\":1222830808, \"publicUserName\":\"PUBLIC_NAME>\", \"isMultiLoginEnabled\":true}", "device_os_level":16, "feedly_local_rateMe.time.v11":1355126355199, "feedly_local_tracker.1.0/event/personalization.askSignup/once":"yes", "feedly_start":"today", "feedly_local_firstCategory":"", "feedly_local_firstrun.welcome.v10":2, "feedly_mark_as_read":true, "device_density":2, "device_width":720, "feedly_fb_guest_expires":1, "display_height":567, "device_height":1184, "bitly_api_key":"BITLY_API_KEY>", "feedly_app_version":"10.10", "device_os_version":"4.1.2", "device_scaledTouchSlop":16, "screen_width":360, "bitly_user":"feedly", "feedly_font":"soho", "display_width":360, "feedly_local_swipeDownTooltip.v1":"done", "screen_diagonal":4.36, "feedly_font_size":"medium", "device_touchSlop":8, "feedly_local_auth":"", "feedly_theme":"white", "feedly_local_tracker.1.0/setCustomVars/once":"yes", "screen_height":592, "feedly_pocket_password":"POCKET_PASSWORD"})

The capitalized fields have been scrubbed manually by me because they reveal things like my email address and full name and API keys. The troublesome part is the capitalized text at the end, wherein the user's Pocket password is displayed directly in plaintext. Is this a privacy concern? It's my understanding that in Android 4.1 and above, an application cannot read another's logs (I was using CatLog with su privileges to get this), but on older phones the Main log data (and therefore the password) is clearly accessible to any application.
ajay.roopakalu


Posted 2 years ago

edwk, Official Rep

This debug logging message should only be printed in debug mode. Are you running a feedly beta version? (I will talk to the Dev team to make sure that they are removed even in debug mode)
edwk, Official Rep

We did a code review and it seems that one of the debug log messages we used during the beta to troubleshoot a preference issue fell through the cracks and was not removed in the production build. We will push an update next week which will remove this logging. Sorry for the inconvenience and thanks for the heads up.
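
Added example, not part of the original thread and not Feedly's code: a check that scans logcat lines of the form quoted in the first post for non-empty credential-like fields, including fields nested inside JSON-encoded string values such as feedly_local_session. The function names and the key-name pattern are assumptions, and the sample line is constructed from the post's own placeholders.

```python
import json
import re

# Logcat layout seen in the post: MM-DD HH:MM:SS.mmm L/tag (pid): message
LOGCAT_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} (?P<level>[VDIWEF])/(?P<tag>.+?)\s*"
    r"\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)
# Assumed heuristic: key-name fragments that usually mark a credential.
SENSITIVE_KEY_RE = re.compile(r"passw|pwd|secret|token|api_?key|auth", re.I)
# Constructed sample, shortened from the line quoted in the post (placeholders only).
SAMPLE_LINE = (
    r'11-30 12:35:22.460 I/main.br (3364): ONAPPEVENT({ "feedly_pocket_user":"", '
    r'"feedly_local_session":"{\"type\":\"login\", \"auth\":\"XXXX\"}", '
    r'"bitly_api_key":"BITLY_API_KEY", "feedly_local_auth":"", '
    r'"feedly_theme":"white", "feedly_pocket_password":"POCKET_PASSWORD"})'
)


def walk(value, path=()):
    """Yield (path, leaf) pairs; strings that hold JSON are decoded and walked too."""
    if isinstance(value, str) and value.startswith(("{", "[")):
        try:
            value = json.loads(value)
        except ValueError:
            pass  # not JSON after all, keep it as a plain string leaf
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, path + (str(key),))
    elif isinstance(value, list):
        for item in value:
            yield from walk(item, path)
    else:
        yield path, value


def find_logged_secrets(line):
    """Return [(tag, key path)] for non-empty credential-like fields in one log line."""
    m = LOGCAT_RE.match(line)
    if not m:
        return []
    msg = m.group("msg")
    start, end = msg.find("{"), msg.rfind("}")
    try:
        payload = json.loads(msg[start:end + 1]) if 0 <= start < end else None
    except ValueError:
        return []
    # Report only the key path, never the value, so the check does not re-leak it.
    return [(m.group("tag"), " > ".join(path)) for path, leaf in walk(payload)
            if path and SENSITIVE_KEY_RE.search(path[-1]) and leaf not in ("", None)]
```

Fed the output of a release build's log capture line by line, any non-empty result is a finding to fix before shipping.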