There's a story making the rounds today that Apple stores passwords in the clear when whole-disk encryption is enabled. This is an absolutely bone-headed mistake, but we shouldn't gloat about it. We should treat this as an opportunity to look at our own systems and make sure we're not doing equally stupid things.

Too many Android apps write sensitive data to log files, and too many apps request permission to read those log files. I'm looking at you, Evernote, Netflix, DoubleTwist, Slacker Radio, Rdio, Amazon MP3, etc.

At Defcon 18, researchers showed that if your app has READ_LOGS permission, you effectively own the device, since you can read any app's logs, not just your own.
Slides: (see slides 42 - 71)

So, stop logging sensitive information and stop requesting READ_LOGS permission.
Here's another screenshot of an Android app that is leaking pretty much ALL of its users' data (including cleartext password).

I have written, ranted, tweeted, ... so many times about the dangers of logging HTTP requests/responses and yet people still keep doing it.

What is wrong with this world? Y U NO care for your user data?
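One way to keep credentials out of the device log when HTTP traffic is logged for debugging, as an added example that is not part of the original post. The class name, the header and field name lists, and the `debugBuild` flag (standing in for the app's `BuildConfig.DEBUG`) are assumptions, and the sample request is constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper: scrub an HTTP request before any of it reaches the log.
public final class RedactingHttpLog {
    // Assumed lists; extend them to match the headers and fields your API uses.
    private static final Set<String> SECRET_HEADERS = new HashSet<>(Arrays.asList(
            "authorization", "proxy-authorization", "cookie", "set-cookie"));
    // Matches key=value (form/query) and "key":"value" (JSON) for secret-looking keys.
    private static final Pattern SECRET_FIELD = Pattern.compile(
            "(?i)((?:password|passwd|pwd|token|secret)\"?\\s*[=:]\\s*)(\"[^\"]*\"|[^&\\s,}]*)");

    static String redactText(String text) {
        return text == null ? "" : SECRET_FIELD.matcher(text).replaceAll("$1<redacted>");
    }

    static String redactHeaders(Map<String, String> headers) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            boolean secret = SECRET_HEADERS.contains(h.getKey().toLowerCase(Locale.ROOT));
            safe.put(h.getKey(), secret ? "<redacted>" : h.getValue());
        }
        return safe.toString();
    }

    // Release builds get method and path only; debug builds get a scrubbed request.
    static String describe(boolean debugBuild, String method, String url,
                           Map<String, String> headers, String body) {
        int q = url.indexOf('?');
        if (!debugBuild) return method + " " + (q < 0 ? url : url.substring(0, q));
        return method + " " + redactText(url) + " " + redactHeaders(headers)
                + " " + redactText(body);
    }

    public static void main(String[] args) {
        // Constructed sample request; none of these values are real.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "application/x-www-form-urlencoded");
        headers.put("Authorization", "Bearer constructed-sample-token");
        String line = describe(true, "POST", "https://api.example.test/login?token=abc123",
                headers, "user=alice&password=hunter2");
        System.out.println(line); // on Android this string is what goes to Log.d
    }
}
```

Pattern-based redaction only catches the field names it is told about, so it complements the post's advice of not logging request and response bodies rather than replacing it.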