I’m aiming to publish my app in the Google and Apple stores. One of the Google Play security tests (SC-10 in the developer guide) is to use Logcat to look for sensitive app data leaking in the logs.
I noticed that applying the query “Auth:D *:S” results in the following information appearing during login in my app:
I was in doubt whether this is a security vulnerability or whether I need to be concerned about it. In my experience, having tokens, UIDs or private data appearing like that is a problem.
I would be glad if someone could answer that, not just for me, but for others planning to publish or caring about security. Thanks!
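As an added example (not code from the original post), here is one way to automate the SC-10 style check described above: a small Python scanner that reads logcat output filtered with `Auth:D *:S`, reports lines carrying values that look like ID tokens, emails or uids, and can redact them before a log excerpt is shared. The sample log lines are constructed, and the `key=value` field names are assumptions about how the SDK formats its debug output.

```python
import re
import sys

# Constructed sample of `adb logcat Auth:D *:S` output (not from the original post);
# every token, uid and address below is fake.
SAMPLE_LOGCAT = """\
D/Auth    ( 1234): signInWithEmailAndPassword result uid=AbCdEf0123456789 email=user@example.com
D/Auth    ( 1234): idToken=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl
D/Auth    ( 1234): refreshToken=AEu4IL3fake-refresh-token-value-0000
D/Auth    ( 1234): token refresh scheduled in 3300s
I/Other   ( 1234): unrelated message from another tag
"""

# Patterns for data that should never reach a device log.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# key=value fields whose value is sensitive (assumed field names)
KV_RE = re.compile(r"\b(idToken|refreshToken|uid|password)=(\S+)", re.IGNORECASE)
PATTERNS = {"jwt": JWT_RE, "email": EMAIL_RE, "kv_secret": KV_RE}


def is_tagged(line, tag):
    """True for logcat lines of the form <level>/<tag> ..., e.g. 'D/Auth'."""
    return re.match(r"^[VDIWEF]/" + re.escape(tag) + r"\b", line) is not None


def scan_logcat(text, tag="Auth"):
    """Map each offending line number to the sorted kinds of leakage found on it."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not is_tagged(line, tag):
            continue
        kinds = sorted(k for k, pat in PATTERNS.items() if pat.search(line))
        if kinds:
            findings[n] = kinds
    return findings


def redact(line):
    """Mask sensitive values so a log excerpt can be attached to a bug report."""
    line = KV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)  # keep the key, drop the value
    line = JWT_RE.sub("[REDACTED:jwt]", line)
    return EMAIL_RE.sub("[REDACTED:email]", line)


if __name__ == "__main__":
    # Usage: adb logcat -d Auth:D *:S | python scan_logcat.py
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for n, kinds in scan_logcat(log).items():
        print(f"line {n}: {', '.join(kinds)}")
```

Any hit on the `Auth` tag in a release build is a finding for the SC-10 check; the redacted form is what you would paste into a bug report or support ticket.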
I think it is not a security vulnerability because it only shows the uid and email, not the password. This information is already shown in the Chrome developer console. It is nothing if someone knows the email address of your app user. The idToken is important here.
I suggest you use Firebase App Check in your apps. With reCAPTCHA and App Check, Firebase accepts requests only from your app.
And also change the idToken with the refresh token periodically at a specific time.
It’s true that the password is not shown, but the uid, email and other metadata are still private information that no one should see without the user’s permission. The Composer, as far as I know, doesn’t have tools to control this behavior.
Despite that, thanks for suggesting Firebase App Check. I read about it and I think it should help prevent attacks.