The app logs information. Sensitive information (credentials, session tokens, personal data) should never be logged: once written, log output is outside the app's control, for example anyone with USB debugging enabled can read it with adb logcat.
Applications can send information to log output using the android.util.Log class, which offers one method per log level:
Log.v (Verbose)
Log.d (Debug)
Log.i (Info)
Log.w (Warn)
Log.e (Error)
Applications must make sure that they do not send sensitive information to log output. If the app includes a third-party library, the developer should verify that the library does not log sensitive information either; a practical check is to exercise the app's sensitive flows on a release build and inspect the adb logcat output for values such as tokens, passwords or account data.
One common solution is for the application to declare and use its own log wrapper class, so that log output is automatically enabled in debug builds and disabled in release builds (typically gated on BuildConfig.DEBUG). In addition, ProGuard/R8 can remove specific method calls at build time with an -assumenosideeffects rule. The rule tells the optimizer that the listed methods have no side effects, so calls whose return value is unused can be dropped; this only holds if the methods really are side-effect free, and in ProGuard the rule is only applied when optimization is enabled (the default proguard-android.txt disables it with -dontoptimize), so the release APK should be checked rather than assumed clean.
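The wrapper-class approach and the companion ProGuard/R8 rule described above, as an added example (this is not code from the page or from any referenced project). It assumes the app's package is com.example.app, so that the Gradle-generated BuildConfig class is com.example.app.BuildConfig; the class name AppLog, the tag strings and the proguard-rules.pro filename are assumptions.

```java
// Added example, not code from the original page.
// Assumption: the app package is com.example.app, where the Android Gradle plugin
// generates BuildConfig; the class name AppLog is hypothetical.
package com.example.app;

import android.util.Log;

/**
 * Thin wrapper around android.util.Log. In debug builds every call is forwarded;
 * in release builds (BuildConfig.DEBUG == false) the calls are no-ops, so a forgotten
 * debug statement cannot write its payload to logcat.
 */
public final class AppLog {

    /** True only for the debug build type; generated by the Android Gradle plugin. */
    private static final boolean ENABLED = BuildConfig.DEBUG;

    private AppLog() { }

    public static boolean isEnabled() {
        return ENABLED;
    }

    public static void v(String tag, String msg) {
        if (ENABLED) Log.v(tag, msg);
    }

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, msg);
    }

    public static void i(String tag, String msg) {
        if (ENABLED) Log.i(tag, msg);
    }

    public static void w(String tag, String msg) {
        if (ENABLED) Log.w(tag, msg);
    }

    // Errors are usually wanted in release builds too, but never with sensitive payloads:
    // log the exception and a fixed message, not request bodies, tokens or credentials.
    public static void e(String tag, String msg, Throwable t) {
        Log.e(tag, msg, t);
    }

    /**
     * Example call site (hypothetical). Even when ENABLED is false, Java evaluates the
     * method arguments eagerly, so the string concatenation below is still executed in
     * a release build; only the logcat write is suppressed. The ProGuard/R8 rule in the
     * comment at the bottom removes the call itself, after which the unused argument
     * construction can be eliminated as dead code.
     */
    static void onLoginSucceeded(String username, String sessionToken) {
        // Acceptable in any build type: the message contains no secret.
        AppLog.i("Auth", "login succeeded");
        // The kind of statement the wrapper and the rule exist to neutralise: a session
        // token is a secret and must not appear in log output of a release build.
        AppLog.d("Auth", "session token = " + sessionToken);
    }
}

/*
 * Companion ProGuard/R8 rule (goes in the app's proguard-rules.pro, assumed filename):
 *
 *   -assumenosideeffects class com.example.app.AppLog {
 *       public static void v(...);
 *       public static void d(...);
 *       public static void i(...);
 *       public static void w(...);
 *   }
 *
 * e(...) is deliberately left out so error reporting survives in release. In ProGuard
 * the rule has no effect when -dontoptimize is set (as in the default
 * proguard-android.txt). Verify the release APK instead of assuming: decompile it and
 * look for the remaining Log calls, or run the sensitive flow and watch `adb logcat`
 * for values that must not appear.
 */
```

The wrapper is the first line of defence because it works without any build-tool configuration; the -assumenosideeffects rule is the second because it also removes the message construction. Neither replaces reviewing what is actually passed to the logger: a release build that logs a token at Log.e level is still a leak.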
https://wiki.sei.cmu.edu/confluence/display/android/DRD04J.+Do+not+log+sensitive+information
https://wiki.sei.cmu.edu/confluence/display/java/FIO13J.+Do+not+log+sensitive+information+outside+a+trust+boundary
https://stackoverflow.com/questions/5553146/disable-logcat-output-completely-in-release-android-app
https://medium.com/@trionkidnapper/stripping-log-statements-using-proguard-73dedc68ee97
https://stackoverflow.com/questions/4199563/android-util-log-when-publishing-what-can-i-do-not-do