Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.
Bug Report
Capacitor Version
Platform(s)
Android
Current Behavior
We have got a report from a security researcher, who pointed out that Capacitor by default logs full file content of a file that is saved via its Filesystem plugin. E.g. we call Filesystem.writeFile in our code, saving state.json (which is a Redux state).
Full content of the saved file is then visible in Android logs via logcat, example/screenshot:
Providing a second screenshot where it's seen that it is logged not "from the Filesystem plugin code", but from some generic code that logs generic Plugin input/output (possibly in the V verbose level):
Expected Behavior
We expect to be able to disable this automatic logging functionality via some flag/setting, as it can leak some PII/sensitive data to someone who has access to logcat.