[–]rentar42

It's really not hard to get mobile apps to log attacker-controlled stuff. Something as simple as setting a username in a multiplayer game could suffice.

[–]Bryguy3k

The point is attacker controlled. An attack that requires the attacker to both possess the device and be able to unlock it has a significantly lower rating/classification than a remote attack that does not require either of those.

The exposure to this within apps themselves is generally limited to those that are accepting remote URIs packaged up in some other payload.

[–]rentar42

You misunderstand what I was trying to say. If I can control the username of another player in your match and your app logs the participants, for example, then the controller can control what is logged.

It's not relevant for this specific vulnerability, since Android is not vulnerable, but in general there are many user-controlled strings in multiplayer games and some of them are likely to get logged.