Logging of Sensitive Information in Gigaset elements App

Report ID



  • Vendor: Gigaset elements GmbH
  • Product: Gigaset elements
  • Affected Version: Platform build version name 6.0-2704002
  • Severity: medium
  • Short summary: The Android Gigaset elements smart home app leaks several pieces of sensitive and critical information to the log console.


The Android app named “Gigaset elements” logs several pieces of sensitive user information. The information is written to the log buffer and can be read out with adb logcat. It includes the user credentials (username/password) for the Gigaset smart home login. Furthermore, communication details such as requested URLs, session IDs, user tokens, and device and system configuration data are logged.
User credentials:
The user’s credentials can be extracted because the class ObfusString and other classes (whose names are obfuscated in the app’s code) write the credentials to the log output, both in plaintext and in encrypted form. The decompiled call that writes the plaintext value is:

Log.d("OBF", "@:" + arg8);   // arg8 holds the plaintext credential; the "@:" prefix marks it in logcat

Logcat credentials output:

D/Preferences(18097): GET: [keyUserNameX] ? 'null' => '6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH'
D/OBF (18097): #:6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH <== username encrypted
D/OBF (18097):  'lOca3CgiYHOyza4PCeF7gg=='
D/OBF (18097): #:lOca3CgiYHOyza4PCeF7gg== <== password encrypted
D/OBF (18097): @:aaaaaaaa <== password in plaintext

Log output of authorization information (note that an HTTP Basic credential is only base64-encoded, not encrypted, so the username and password can be recovered directly from the header):

D/Retrofit(18097): ---> HTTP GET
D/Retrofit(18097): Cookie:
D/Retrofit(18097): Authorization: Basic Z2M6LW9WZ1lNaG5IYTRyeXo=
D/Retrofit(18097): User-Agent: GigasetElements-Android/2.6.4 (16070507)

Private information leakage (the notification channel configuration, including the device model and the device’s push registration ID):

{"email":[{"channelId":"","friendlyName":"","status":"active","notificationGroups ...{"channelId":"APA91bEdUyabOA3pZdIl1AYIejHA8zn2lbdRfxtcMpQFYxl2KJN_MG3mZ4iI56XCOhVP2Xn52sSfc4DuQ8Z3w2Aiy1jZMTS-tOb9bQu2IIuG9jYbMNoZL8w27EAKy-RXfMZMOVelMXi","friendlyName":"Google Nexus 5 - 6.0.0 - API 23 -1080x1920","status":"active","notificationGroups":["call_logs","homecoming","intrusion","system_health"]}

Webcam stream URL leakage, logcat output:

Local- FetchedURL:

On older Android versions (before Android 4.1 restricted the READ_LOGS permission to system applications), any application holding that permission could read the log output of every other application, so a malicious app could dump and steal the critical information logged by the Gigaset elements app. On newer Android versions this is no longer possible, except on a rooted device or by using a root exploit. Still, an attacker with physical access to the device (evil maid attack) can dump the log via adb and steal the credentials or other logcat information. The leaked webcam stream URL can be accessed without any further authentication. In our test environment, we were able to watch the camera’s web stream for an unlimited period of time just by knowing the URL from the leaked log data.
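The following scanner is an added example for reviewing a logcat dump for the kinds of leaks listed above; it is not part of the advisory or of the vendor’s code. It parses the brief logcat format (priority/tag(pid): message), decodes HTTP Basic headers to the user:password pair they carry, flags the app’s “@:” plaintext marker, credential-looking preference keys, URLs with session or token query parameters, and push registration IDs. The OBF, Retrofit and Preferences lines in the sample are the ones quoted above; the Camera and Push lines, including the host, session value and registration ID, are constructed for illustration, since the advisory does not reproduce the real stream URL.

```python
import base64
import re
from typing import List, NamedTuple

# Constructed logcat excerpt: the OBF, Retrofit and Preferences lines are quoted
# from the advisory; the Camera and Push lines (tag names, host, session value,
# registration ID) are made up for illustration.
SAMPLE_LOGCAT = """\
D/Preferences(18097): GET: [keyUserNameX] ? 'null' => '6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH'
D/OBF     (18097): #:lOca3CgiYHOyza4PCeF7gg==
D/OBF     (18097): @:aaaaaaaa
D/Retrofit(18097): ---> HTTP GET
D/Retrofit(18097): Authorization: Basic Z2M6LW9WZ1lNaG5IYTRyeXo=
D/Retrofit(18097): User-Agent: GigasetElements-Android/2.6.4 (16070507)
D/Camera  (18097): FetchedURL: https://cam.example.invalid/live.m3u8?session=0123456789abcdef
D/Push    (18097): channelId=APA91bEXAMPLEREGISTRATIONIDxxxxxxxxxxxxxxxxxxxxxxxx
I/ActivityManager(  823): Displayed com.example/.Main: +300ms
"""

# "priority/tag(pid): message", the brief format printed by `adb logcat`
LINE_RE = re.compile(r"^([VDIWEF])/(\S+?)\s*\(\s*(\d+)\):\s?(.*)$")
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")
# preference dumps of the form "[keyUserNameX] ? 'old' => 'new'"
PREF_RE = re.compile(r"\[(\w*(?:user|pass|pwd|token|secret)\w*)\]\s*\?.*=>\s*'([^']*)'", re.I)
URL_RE = re.compile(r"https?://\S+\?\S*(?:token|session|sid|key|auth)=\S+", re.I)
GCM_RE = re.compile(r"\bAPA91b[\w-]{20,}")  # GCM/FCM registration IDs start with APA91b


class Finding(NamedTuple):
    line: int
    tag: str
    kind: str
    secret: str


def decode_basic(b64: str) -> str:
    """Return the 'user:password' string behind an HTTP Basic credential."""
    return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")


def scan_logcat(text: str) -> List[Finding]:
    """Return every sensitive value found in a logcat dump, one Finding per hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line (e.g. "--------- beginning of main")
        _prio, tag, _pid, msg = m.groups()

        h = BASIC_RE.search(msg)
        if h:  # HTTP client header dump; Basic is base64, not encryption
            findings.append(Finding(lineno, tag, "basic-auth", decode_basic(h.group(1))))

        if tag == "OBF" and msg.startswith("@:"):  # the app's helper logs plaintext after "@:"
            findings.append(Finding(lineno, tag, "plaintext-secret", msg[2:]))

        p = PREF_RE.search(msg)
        if p:
            findings.append(Finding(lineno, tag, "stored-credential", f"{p.group(1)}={p.group(2)}"))

        u = URL_RE.search(msg)
        if u:
            findings.append(Finding(lineno, tag, "url-with-secret", u.group(0)))

        g = GCM_RE.search(msg)
        if g:
            findings.append(Finding(lineno, tag, "push-registration-id", g.group(0)))
    return findings


if __name__ == "__main__":
    # Typical use: adb logcat -d > dump.txt; python scan.py < dump.txt
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line:>3} [{f.tag}] {f.kind}: {f.secret}")
```

Run it against the output of `adb logcat -d` rather than the embedded sample to review a real device; the encrypted OBF values (the “#:” lines) are deliberately not flagged, since the point of the advisory is that the plaintext and the reversible encodings are what an attacker needs.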


Users should disable the USB debugging feature on their devices and use a secure lock screen to prevent evil maid attacks. They should avoid sideloading (app installation from external sources) to prevent the installation of malicious applications that can potentially access the log information on older Android versions.

Suggested Mitigation

Remove logcat output from the code in the release version, and in particular stop passing credentials, tokens and stream URLs to the logger at all. As a safety net, let ProGuard strip the remaining Log calls: enable minification with the optimizing ProGuard configuration in the release build type (build.gradle), and add the rule below to the project’s ProGuard rules file (assumed here to be named proguard-rules.pro, the Android Studio default). The rule only takes effect with proguard-android-optimize.txt; the plain proguard-android.txt sets -dontoptimize, which disables -assumenosideeffects.

buildTypes {
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
    }
}

# proguard-rules.pro: declare android.util.Log calls side-effect free so the
# optimizer removes them (delete the e(...) line if error logging should stay)
-assumenosideeffects class android.util.Log {
    public static boolean isLoggable(java.lang.String, int);
    public static int v(...);
    public static int i(...);
    public static int w(...);
    public static int d(...);
    public static int e(...);
}

Note that string concatenation building the log message may survive the removal of the call itself, and that the HTTP client’s header dump (the Retrofit lines above) must be turned off for release builds as well.


  • 2016-07-27 Vulnerability Discovered
  • 2016-08-15 Vulnerability Reported
  • 2016-09-14 Vulnerability Fixed