Hi,

I wanted to post this subject on android-security-discuss 
<https://groups.google.com/forum/#!forum/android-security-discuss> but it 
looks like I don't have enough privileges to post there.

In my application I had to use a copy of GLSurfaceView.java from Android 
SDK API 10.
The application was scanned using Veracode security scanner and it reported 
a security issue for GLSurfaceView.java at line 1525 which is:

1523 |        private void flushBuilder() {
1524 |            if (mBuilder.length() > 0) {
1525 |                Log.v("GLSurfaceView", mBuilder.toString());
1526 |                mBuilder.delete(0, mBuilder.length());
1527 |            }
1528 |        }

The flaw is described as "Improper Output Neutralization for Logs" which 
could allow an attacker to forge log entries or inject malicious content 
into log files which in turn could be used to cover an attacker's tracks or 
be used as a delivery mechanism for an attack on a log viewing or 
processing utility.

I've tried to understand how this log is used to check if this is a false 
positive and I've ended up in GLLogWrapper.java where the buffer for the log 
is filled. At first sight it looks like only sane log entries could be 
introduced, but I'm not sure if it couldn't get custom attacker's entries 
if it would be executed on a device with a custom OpenGL driver prepared by 
the attacker.

I'm wondering if this is a false positive or a potential risk?

-- 
You received this message because you are subscribed to the Google Groups 
"Android Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-developers/ea21154c-ddb4-44d2-b702-7e1afbbb9e68%40googlegroups.com.
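
One way to neutralize the string before it reaches the log call flagged at line 1525, shown as an added example that is not part of the original post or of the Android SDK source. It runs on a plain JVM; `logV`, `neutralize` and `LOG_FILE` are hypothetical names standing in for `Log.v` and the log file, and the buffer content is constructed.

```java
public class LogNeutralizeDemo {
    // Stand-in for the log file; android.util.Log is not available on a plain JVM.
    static final StringBuilder LOG_FILE = new StringBuilder();

    // Hypothetical replacement for Log.v: one call is meant to produce one record.
    static void logV(String tag, String msg) {
        LOG_FILE.append("V/").append(tag).append(": ").append(msg).append('\n');
    }

    // Escape characters that a line-oriented log reader treats as structure.
    static String neutralize(CharSequence raw) {
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\') out.append("\\\\");        // keep the escaping unambiguous
            else if (c == '\n') out.append("\\n");
            else if (c == '\r') out.append("\\r");
            else if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029)
                out.append(String.format("\\u%04x", (int) c)); // other control/line separators
            else out.append(c);
        }
        return out.toString();
    }

    // Number of records a line-oriented reader would see in the log.
    static int lineCount() {
        return LOG_FILE.toString().split("\n").length;
    }

    public static void main(String[] args) {
        // Constructed sample: buffer content with an embedded newline and a fake record.
        StringBuilder mBuilder = new StringBuilder(
                "glClear(mask=0x4000)\nV/GLSurfaceView: forged entry");

        logV("GLSurfaceView", mBuilder.toString());    // same shape as line 1525
        System.out.println("raw: " + lineCount() + " lines\n" + LOG_FILE);

        LOG_FILE.setLength(0);
        logV("GLSurfaceView", neutralize(mBuilder));   // neutralized before the sink
        System.out.println("neutralized: " + lineCount() + " line\n" + LOG_FILE);
    }
}
```

The raw call produces two lines from a single log call, the second indistinguishable from a genuine record; the neutralized call produces one line with the newline visible as `\n`.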