“Proximity Notification” data is logged in clear text in the logcat
The following bug report has been received through the YesWeHack private bug bounty phase.
Acknowledgements: Baptiste Robert
Related: #10 (closed)
A big effort has been made by the app developers to encrypt all the proximity notification info on the file storage. However, in the BleProximityNotification class, they forgot to remove a log statement, which leads to the disclosure of proximity notification info in clear text in the logcat.
    private fun notifyProximity(proximityInfo: ProximityInfo) {
        Log.d(TAG, "Proximity notification (proximityInfo=$proximityInfo")
        callback.onProximity(proximityInfo)
    }
While using the app, run the following command (11662 is the app's process ID in this capture):
$ adb logcat -v time | grep 11662
05-27 02:19:56.644 D/BleProximityNotification(11662): Proximity notification (proximityInfo=ProximityInfo(payload=ProximityPayload(data=[54, 37, -117, -108, 68, 82, 84, 9, -26, 48, -109, 86, 20, -16, -107, 53]), timestamp=Wed May 27 02:19:56 GMT+02:00 2020, metadata=BleProximityMetadata(rawRssi=-42, calibratedRssi=-46, txPowerLevel=6))
05-27 02:20:00.517 D/BleAdvertiserImpl(11662): Stopping Advertising
05-27 02:20:00.567 D/BleAdvertiserImpl(11662): Starting Advertising
05-27 02:20:00.568 D/BluetoothAdapter(11662): isLeEnabled(): ON
05-27 02:20:00.570 D/BluetoothAdapter(11662): isLeEnabled(): ON
05-27 02:20:00.598 D/BleAdvertiserImpl(11662): Advertising successfully started
05-27 02:20:01.672 D/BleScannerImpl(11662): onBatchScanResults results = [ScanResult{device=4E:59:72:5F:B3:20, scanRecord=ScanRecord [advertiseFlags=26, serviceUuids=null, manufacturerSpecificData={76=[1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]}, serviceData=null, txPowerLevel=8, deviceName=null], rssi=-37, timestampNanos=36769007853447, eventType=17, primaryPhy=1, secondaryPhy=0, advertisingSid=255, txPower=127, periodicAdvertisingInterval=0}]
05-27 02:20:01.675 D/BleProximityNotification(11662): Proximity notification (proximityInfo=ProximityInfo(payload=ProximityPayload(data=[54, 37, -117, -108, 68, 82, 84, 9, -26, 48, -109, 86, 20, -16, -107, 53]), timestamp=Wed May 27 02:20:01 GMT+02:00 2020, metadata=BleProximityMetadata(rawRssi=-37, calibratedRssi=-41, txPowerLevel=6))
05-27 02:20:04.028 D/BluetoothGattServer(11662): onServerConnectionState() - status=0 serverIf=6 device=4E:59:72:5F:B3:20
05-27 02:20:04.260 D/BluetoothGattServer(11662): onMtuChanged() - device=4E:59:72:5F:B3:20, mtu=517
05-27 02:20:04.741 D/BleGattManagerImpl(11662): onCharacteristicWriteRequest device=4E:59:72:5F:B3:20, characteristic=d61f4f27-3d6b-4b04-9e46-c9d2ea617f62
05-27 02:20:04.743 D/BleGattManagerImpl(11662): onCharacteristicWriteRequest result=0 device=4E:59:72:5F:B3:20 requestId=2 characteristic=d61f4f27-3d6b-4b04-9e46-c9d2ea617f62 preparedWrite=false responseNeeded=true offset=0 value=[B@c1cc88e
05-27 02:20:04.745 D/BleProximityNotification(11662): Proximity notification (proximityInfo=ProximityInfo(payload=ProximityPayload(data=[54, 37, -117, -108, 68, 82, 84, 9, -26, 48, -76, 115, -85, -122, 103, 6]), timestamp=Wed May 27 02:20:01 GMT+02:00 2020, metadata=BleProximityMetadata(rawRssi=-37, calibratedRssi=-41, txPowerLevel=6))
05-27 02:20:04.921 D/BluetoothGattServer(11662): onServerConnectionState() - status=0 serverIf=6 device=4E:59:72:5F:B3:20
05-27 02:20:06.691 D/BleScannerImpl(11662): onBatchScanResults results = []
05-27 02:20:11.717 D/BleScannerImpl(11662): onBatchScanResults results = [ScanResult{device=4E:59:72:5F:B3:20, scanRecord=ScanRecord [advertiseFlags=26, serviceUuids=null, manufacturerSpecificData={76=[1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]}, serviceData=null, txPowerLevel=8, deviceName=null], rssi=-38, timestampNanos=36778104281268, eventType=17, primaryPhy=1, secondaryPhy=0, advertisingSid=255, txPower=127, periodicAdvertisingInterval=0}]
05-27 02:20:11.720 D/BleProximityNotification(11662): Proximity notification (proximityInfo=ProximityInfo(payload=ProximityPayload(data=[54, 37, -117, -108, 68, 82, 84, 9, -26, 48, -76, 115, -85, -122, 103, 6]), timestamp=Wed May 27 02:20:11 GMT+02:00 2020, metadata=BleProximityMetadata(rawRssi=-38, calibratedRssi=-42, txPowerLevel=6))
As you can see, the proximity notification, including the proximity payload, is available. As discussed in this ticket https://stackoverflow.com/questions/17977145/read-logs-from-all-apps-on-android-from-within-an-app-for-android-4-2, a third-party app can read the logcat in two situations:
- If the device is rooted. As there is no anti-root mechanism implemented in the app, this is a valid situation here.
- If your device is below Jelly Bean.
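A regression check for this leak, as an added example (not code from the app or from the report): it scans `adb logcat -v time` output for log lines that print a ProximityPayload in clear text, so a test job can fail a build that still logs them. The function name, the sample lines and their payload values are constructed for illustration.

```python
import re

# logcat "-v time" line: "MM-DD HH:MM:SS.mmm P/Tag(PID): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<prio>[VDIWEF])/"
    r"(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)
# Payload as rendered by toString() in the report's log lines.
PAYLOAD_RE = re.compile(r"ProximityPayload\(data=\[([-\d, ]+)\]\)")


def find_payload_leaks(logcat_text, pid=None):
    """Return one finding per log line that prints a ProximityPayload in clear text."""
    findings = []
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (pid is not None and int(m["pid"]) != pid):
            continue
        p = PAYLOAD_RE.search(m["msg"])
        if p:
            # Kotlin bytes are signed; mask to 0..255 before hex-encoding.
            raw = bytes(int(b) & 0xFF for b in p.group(1).split(","))
            findings.append({"time": m["ts"], "tag": m["tag"].strip(),
                             "priority": m["prio"], "payload_hex": raw.hex()})
    return findings


# Constructed sample in the same format as the capture above (values are made up).
SAMPLE = """\
05-27 02:19:56.644 D/BleProximityNotification(11662): Proximity notification (proximityInfo=ProximityInfo(payload=ProximityPayload(data=[1, -2, 3, -128, 127, 0, 16, -1]), timestamp=..., metadata=BleProximityMetadata(rawRssi=-42, calibratedRssi=-46, txPowerLevel=6))
05-27 02:20:00.517 D/BleAdvertiserImpl(11662): Stopping Advertising
05-27 02:20:01.000 D/OtherApp( 4242): payload=ProximityPayload(data=[9, 9])
05-27 02:20:06.691 D/BleScannerImpl(11662): onBatchScanResults results = []
"""

if __name__ == "__main__":
    leaks = find_payload_leaks(SAMPLE, pid=11662)
    for leak in leaks:
        print(f"{leak['time']} {leak['priority']}/{leak['tag']}: payload {leak['payload_hex']}")
    # Non-zero exit lets a release-build test job fail when a payload reaches logcat.
    raise SystemExit(1 if leaks else 0)
```

Passing `pid` restricts the check to the app under test; leaving it out flags the payload pattern from any process in the capture.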