Be Careful What You Write, Someone Might Read It: Logging Personally Identifiable Information on Android
Date
2023-01-03
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
The Android Operating System provides a central, shared logging system that multiplexes messages from all of the various components including the operating system and all of the apps that run on it. A permission system exists that prevents these log messages from being read by processes other than the one that created them; however, there is an exception to this restriction for a privileged class of apps. This includes preinstalled system apps provided by Google, the manufacturer of the device, or the mobile network operator. As a consequence of this exception, Google admonishes developers that for privacy reasons they must refrain from logging personal or sensitive information to the system log.
In this thesis, we examine the pervasive logging of Personally Identifiable Information (PII) throughout the Android ecosystem. With local lab experiments we show that freshly reset phones log PII---every phone we tested logged multiple identifiers. Then, through a field study we show that this logging is pervasive in the wild with PII being detected in the logs of 94.1% of the devices in our dataset which represented all of the observed manufacturers. We statically analyze the Android Open Source Project (AOSP) source code to identify the origin of some of the observed excessive logging and are able to attribute log entries to specific parts of the code and find that Google itself does not follow its own specific advice to not log sensitive data and more generally to remove debug logging from release software. Finally, we analyze the privacy policies of major cell-phone manufacturers and find that some report that they may collect these logs.
Description
Keywords
Privacy, Mobile Privacy, Mobile Systems Security
Citation
Lyons, A. (2023). Be Careful What You Write, Someone Might Read It: Logging Personally Identifiable Information on Android (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.