Shared publicly  - 
 
There's a story making the rounds today that Apple stores passwords in the clear when whole-disk encryption is enabled (http://mashable.com/2012/05/07/os-x-lion-flaw-passwords/). This is an absolutely bone-headed mistake, but we shouldn't gloat about it. We should treat this as an opportunity to look at our own systems and make sure we're not doing equally stupid things.

Too many Android apps write sensitive data to log files, and too many apps request permission to read those log files. I'm looking at you, Evernote, Netflix, DoubleTwist, Slacker Radio, Rdio, Amazon MP3, etc.

At Defcon 18, researchers showed that if your app has READ_LOGS permission, you effectively own the device, since you can read any apps' logs, not just your own.
Video: http://vimeo.com/14980971
Slides: https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf (see slides 42 - 71)

So, stop logging sensitive information and stop requesting READ_LOGS permission.
 
Here's another screenshot of an Android app that is leaking pretty much ALL of its users data (including cleartext password).

I have written, ranted, tweeted,... so many times about the dangers of logging http requests/responses and yet people still keep doing it.

What is wrong with this world? Y U NO care for your user data?
1
Derek Morr's profile photoMark Boltz-Robinson's profile photo
3 comments
 
To clarify, the issue is actually with directory-based old-school FileVault, not FileVault 2 (the whole disk encryption). I only use full disk on every drive on every system, including all the externals.
 
Right. My point was really about logging sensitive information.

But it looks like Apple knew about this issue at least three months ago. Why didn't they fix it, and how long will we have to wait before they release a fix?
 
A good and fair set of questions. And I agree, the larger issue is of logging, transmitting, and sharing sensitive information across apps and OS, etc. All systems in the modern day seem to be having these issues; while still maintaining old school issues like buffer overflows.
Add a comment...