This Fall, the security company Lookout Mobile discovered that developers were writing some pretting interesting things to LogCat and they talked about their findings at DefCon.

While, as a dev, you should try to never put sensitive information in your logs, you can use this system to turn off logging in your releases.

At the beginning of each of my classes I have:



public class MyClass
{
// Debugging
private static final String TAG = "MyClass";
private static final boolean GLOBAL_DEBUG = DebugMode.MODE;
private static final boolean LOCAL_DEBUG = true;
private static final boolean D = ( GLOBAL_DEBUG && LOCAL_DEBUG );

Notice the DebugMode.MODE is a separate class, and it's a pretty simple one:



public class DebugMode
{
public static final boolean MODE = true;
}
Anyways, then, when I want to put something in LogCat I write


if (D) Log.d ( TAG, "something interesting happened");Finally, when I'm ready to release, I only have to change the DebugMode class to:



public class DebugMode
{
public static final boolean MODE = false;
}
And voila! We now have both fine-grained, per-class control of how much info gets sent to LogCat, as well as a global on/off switch that will help keep prying eyes out of our logs.

Anyways, hope that helps

Video from DefCon (need to login/download):
http://vimeo.com/14980971

:)


This was also originally posted on my website:
http://alostpacket.com/2011/02/06/security-tip-for-devs-using-logcat/

thanx for the tip :)

You're welcome, hope that helps some people :)

you should check out the video when you get a chance, it's an eye opener.