4

I found several places on Internet where they mention that using the method

Throwable.printStackTrace() 

in your Android application poses a security risk (and that is also bad coding practice.) I would like to understand why is it a security risk? What could an attacker do using the information provided by

e.printStackTrace();

where e is of type Exception, for instance?

Monica Marcus
  • 2
    "I found several places on Internet" -- then please consider providing links to these places. – CommonsWare Apr 09 '15 at 18:50
  • See for example item 1 in the question at http://stackoverflow.com/questions/7469316/why-is-exception-printstacktrace-considered-bad-practice and the 2nd answer. – Monica Marcus Apr 09 '15 at 18:57
  • That does not say that `printStackTrace()` "poses a security risk". It says that "showing a stack trace to end-user might introduce a potential security risk". Users cannot see stack traces on Android 4.1+ without the development tools, and if they can use those, there are plenty of other things that they can do to the app that have nothing to do with stack traces. – CommonsWare Apr 09 '15 at 19:07
  • Yes, then let me ask: why does "showing a stack trace to end-user might introduce a potential security risk"? Attackers are in many cases developers too, so they do know how to use development tools. I am not asking a general question, I ask it specifically about using printStackTrace. – Monica Marcus Apr 09 '15 at 19:13
  • I do not agree with the assessment that "showing a stack trace to end-user might introduce a potential security risk" in a client-side program. I am merely quoting the answer that you cited. In a server-side program, showing a stack trace to the user (e.g., in a Web page) may introduce security risks, as the attacker there cannot work with the program directly, and therefore is limited to attacks over HTTP, etc. The stack trace will disclose information that the attacker would otherwise not have access to. On the client, the attacker can get at whatever they want. – CommonsWare Apr 09 '15 at 19:16
  • I refer to Android applications in my question. There are several methods (code obfuscation, encryption, for example) to try to prevent attacks. So It is not true that the attacker can get at whatever they want. – Monica Marcus Apr 09 '15 at 19:21
  • "So It is not true that the attacker can get at whatever they want" -- first, that depends on your attacker. I have talked with security researchers who indicate that ProGuard-level code obfuscation is not a major impediment. Second, that depends upon your app. Few apps attempt to use some sort of encryption to defend code assets, for example. – CommonsWare Apr 09 '15 at 19:29
  • Few or many, there are serious applications (what about your banking apps?) that use very sophisticated methods (including encryption) to make their application as secure as possible. So my question still stands... – Monica Marcus Apr 09 '15 at 19:44
  • @CommonsWare Why do they think that ProGuard-level code obfuscation is not a major impediment? – Gaurav Nov 04 '19 at 07:07

2 Answers

1

Well, as a developer you will never want the end user to understand what is happening at the back of your application. Following points I can think of right now.

  • A stack trace should never be visible to end users

  • Generating a stack trace is a relatively tedious process

  • Many logging frameworks are available for that

  • Printing the stack trace does not constitute error handling. It should be combined with other information logging and exception handling.

I have used the same link to answer your question as both are related!

Keshav
  • Thank you for your effort, but regarding the first item in your list I still have the question. – Monica Marcus Apr 09 '15 at 19:02
  • Actually why would you show a stack trace to the end users? If you want to log information in case of an issue - most crash reporting tools (Crashlytics for example) let you do that anyway. Alternatively if you want to give end user some explanation - a text message + error code seems like a better solution to me (since most users won't understand what the stack trace means). I'm not saying showing stack trace is a huge vulnerability, it just seems like a suboptimal thing to do. – Samuil Yanovski Apr 09 '15 at 19:46
  • Yes, I agree, but what if you forget about a printStackTrace in your Android code? And the app might indeed crash and show the stack trace. What bad things could an attacker do with this information? I mean, in any case somebody can reverse engineer the app and then they can make it crash. – Monica Marcus Apr 09 '15 at 19:59
  • yes and it is not a good practice to leave stack trace visible. It is generally for developers to look into if it crashes and not for end users. – Keshav Apr 09 '15 at 20:05
  • Generally I see it like this - stack traces could show something which is otherwise difficult to find. What an attacker could do with this info is up to him (and the specifics of the application). But the fact is that showing him the stack trace makes his life easier - whether it would make his life easy enough to crash the application or not is a different question. I don't expect him to get something mind boggling as a result, but he could notice some coding patterns you use, or libraries you've included and thus infer some weaknesses your application might have. – Samuil Yanovski Apr 09 '15 at 20:13
  • Thank you @SamuilYanovski. Your answer does help me somehow. Yet, if anybody could come up with something more specific, I would really appreciate it. No, I don't intend to try to break/crash a certain app :) I just need to explain the answer to my question as best as possible. – Monica Marcus Apr 09 '15 at 20:35
  • Sorry for my English, I meant to write "as well as possible" instead of "as best as possible". – Monica Marcus Apr 09 '15 at 20:57
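An added example, not part of any post in this thread: one way to replace a bare `e.printStackTrace()` with the "text message + error code" approach suggested in the comments above, next to a helper that lists what a trace names (application packages and libraries). The class and method names, the logger name and the exception message are constructed for illustration; plain `java.util.logging` is used so the example runs off-device, where an Android app would send the detail to `android.util.Log` or a crash reporter instead.

```java
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorReporting {
    // Hypothetical logger name; this is the developer-facing sink.
    private static final Logger LOG = Logger.getLogger("app.errors");

    /** Packages named in the trace and its causes: what a reader of the trace learns. */
    static Set<String> packagesDisclosed(Throwable t) {
        Set<String> pkgs = new LinkedHashSet<>();
        for (Throwable c = t; c != null; c = c.getCause()) {
            for (StackTraceElement frame : c.getStackTrace()) {
                String cls = frame.getClassName();
                int dot = cls.lastIndexOf('.');
                pkgs.add(dot < 0 ? "(default package)" : cls.substring(0, dot));
            }
        }
        return pkgs;
    }

    /** Log the full detail for developers; return only an opaque reference for the user. */
    static String report(Throwable t) {
        String ref = UUID.randomUUID().toString().substring(0, 8);
        LOG.log(Level.SEVERE, "error ref=" + ref, t); // trace goes to the log, not the UI
        return "Something went wrong (error " + ref + ").";
    }

    public static void main(String[] args) {
        try {
            // Constructed failure standing in for an application error.
            throw new IllegalStateException("constructed: local store is locked",
                    new IOException("constructed cause"));
        } catch (IllegalStateException e) {
            System.out.println("Trace names packages: " + packagesDisclosed(e));
            System.out.println("Shown to user: " + report(e));
        }
    }
}
```

The reference printed to the user lets a support request be matched to the logged trace without the trace itself leaving the developer-facing log.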
1

An attacker can already download your APK:
see: https://github.com/Lekensteyn/apk-downloader

and decompile it to get source code:
see: Is there a way to get the source code from an APK file?

So if a security feature relies on an attacker not knowing how your code works, you have bad security.

"System security should not depend on the secrecy of the implementation or its components." - https://en.wikipedia.org/wiki/Security_through_obscurity

Hiding a stacktrace is not an effective security measure.

Community
Mark Bolusmjak
  • 1
    If I understand your answer well, I would say that hiding a stack trace is not enough, but it is better to hide it because it makes life more difficult for the attacker. Even if the attacker can decompile the apk file and get the source code it is still not easy to understand how the code works, especially if the source code is obfuscated. – Monica Marcus Jun 22 '15 at 17:51
  • 1
    This is like saying, if you jump out of a plane without a parachute, it's safer not to smoke a cigarette because it's bad for you. That's kind of valid, but it misses the point that you'll be dead before it matters. So hiding a stacktrace is like not having that cigarette. Maybe you're a bit better off, but not for long. – Mark Bolusmjak Jun 22 '15 at 18:09