HistoryService Leaks Plaintext to Android System Log
- Ring version: 2019-08-24-01
- Device model: Samsung Tablet S2
- Android version: 8.1 / LineageOS 15.1-20190228
- Jami-Version from F-droid
Steps to reproduce
- Can you reproduce the bug: at will
- Start texting with some contact. 2. View Jami-related log messages in (e.g.) Android OS Monitor
- Actual result: Chat plaintext messages are piped through to the Android logging by HistoryService HistoryDao().update()
- Expected result: Communication data shall only be stored within an encrypted storage of the Jami software itself. Android has enough corners to hide confidential content from device owners so it is important to minimise the extent of information being tossed all over the place.
Yes, OS Monitor (and other log viewers) require root access. And Android is no multi-user system. But unintended data creep can become problematic and difficult to track.
For debugging such a log mechanism is essential. A better design would have a Jami log isolated from the rest of Android which could be guarded accordingly. With an export function that filters sensitive information prior to storing to (e.g.) file more bug reports would probably be enhanced with a related log. Speaking of debugging: All debug functions should have a single (global) kill-switch which is off by default. In case of problems a user could enable debug mode and provide her details accordingly. Debug mode should be very obvious at the GUI-level. Such a design would make Jami faster for the average user because the debug-burden is off-loaded in general but available when necessary.