Security issue: password and private key exposed to logs on android #23

Open
ichuan opened this issue Apr 17, 2019 · 1 comment
ichuan commented Apr 17, 2019

Hi, just trying out edge.app for the first time, not sure if this is a security concern or not.

Steps to reproduce:

  1. Download and install edge.app on an Android phone with USB debugging enabled.
  2. Register using a name and password, close the app, and log in again.
  3. Connect the phone to a computer; when running `adb logcat | grep crypto_bridge`, the following logs appear:

```
04-17 18:11:45.494 22179 22301 D crypto_bridge-JNI: passwd=dHJ5ZWRnZWFwcDBZQ0ZtWEFET2w=, salt=iwYBA4hEeugzUoCsM2AxvrOQrgcEsu3Rrru+uSX3fQQ=, n=132082, r=8, p=1, size=32
04-17 18:11:45.495 22179 22301 D crypto_bridge-JNI: passwordBuf len=16 :121 97 110 99 53 51
04-17 18:11:45.495 22179 22301 D crypto_bridge-JNI: saltBuf len=32 :124 135 11 154 46 134
04-17 18:11:48.861 22179 22301 D crypto_bridge-JNI: buffer:188 88 158 138 22 103
04-17 18:11:48.862 22179 22301 D crypto_bridge-JNI: result szB64Encoded:hN02hRxce4zla7xYhuMSgt2ni6hcg41ubmBYhCbMG0c= len:45
```

The italic texts are the base64-encoded username, password, and private key.
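A detection check for the kind of leak reported above, as an added example that is not part of the original report and not edge.app's own code: it parses `adb logcat` threadtime-format lines and flags messages that carry a known-sensitive field name (the names `passwd`, `salt`, `passwordBuf`, `saltBuf` and `szB64Encoded` are taken from the log excerpt in the report; `privkey`, `privateKey`, `seed` and `mnemonic` are added as assumptions), a raw decimal byte dump, or a long base64-looking blob, and produces a redacted copy of each line that can be pasted into a bug report. The sample log lines are constructed inside the script with placeholder values; they are not the values from the report.

```python
import base64
import re
from dataclasses import dataclass

# Android "threadtime" logcat format: MM-DD HH:MM:SS.mmm  PID  TID  LEVEL TAG: MESSAGE
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?):\s(?P<msg>.*)$"
)

# Names that should never appear in a log line next to a value. The first five are the
# field names seen in the report; the rest are assumed wallet/crypto names (hypothetical).
SENSITIVE_FIELDS = (
    "passwd", "password", "passwordBuf", "saltBuf", "szB64Encoded",
    "salt", "privkey", "privateKey", "seed", "mnemonic",
)
_FIELD_ALT = "|".join(map(re.escape, SENSITIVE_FIELDS))
FIELD_NAME_RE = re.compile(r"\b(" + _FIELD_ALT + r")\b")
# key=value or key:value for a sensitive key; group 2 preserves the separator.
FIELD_VALUE_RE = re.compile(r"\b(" + _FIELD_ALT + r")(\s*[=:]\s*)[^,\s]+")
# A standalone base64-looking run of 16+ characters (the shape of an encoded key or password).
# Heuristic: a very long CamelCase identifier also matches; that false positive is acceptable.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Decimal byte dumps such as "len=16 :121 97 110 99" (raw buffer contents written to the log).
BYTE_DUMP_RE = re.compile(r":\s*(?:\d{1,3}\s+){3,}\d{1,3}\s*$")


@dataclass
class Finding:
    line_no: int
    tag: str
    reasons: list
    redacted: str


def redact(msg: str) -> str:
    """Return msg with secret-bearing values replaced, safe to paste into a bug report."""
    msg = FIELD_VALUE_RE.sub(r"\1\2<redacted>", msg)
    msg = BYTE_DUMP_RE.sub(": <redacted bytes>", msg)
    msg = B64_RE.sub("<redacted b64>", msg)
    return msg


def scan_logcat(text: str) -> list:
    """Parse logcat output and return a Finding for every line that looks like it leaks a secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # not a threadtime line (e.g. "--------- beginning of main")
        msg = m["msg"]
        reasons = []
        if FIELD_NAME_RE.search(msg):
            reasons.append("sensitive field name")
        if BYTE_DUMP_RE.search(msg):
            reasons.append("raw byte dump")
        if B64_RE.search(msg):
            reasons.append("base64 blob")
        if reasons:
            findings.append(Finding(n, m["tag"].strip(), reasons, redact(msg)))
    return findings


# Constructed sample input: placeholder secrets generated here, modelled on the report's line shapes.
FAKE_PW = base64.b64encode(b"example-password").decode()          # constructed
FAKE_SALT = base64.b64encode(bytes(range(32))).decode()           # constructed
FAKE_KEY = base64.b64encode(bytes([0x41] * 32)).decode()          # constructed
SAMPLE_LOGCAT = "\n".join([
    "04-17 18:11:45.494 22179 22301 D crypto_bridge-JNI: passwd=" + FAKE_PW
    + ", salt=" + FAKE_SALT + ", n=132082, r=8, p=1, size=32",
    "04-17 18:11:45.495 22179 22301 D crypto_bridge-JNI: passwordBuf len=16 :101 120 97 109 112 108",
    "04-17 18:11:45.500 22179 22301 I ActivityManager: Displayed com.example/.MainActivity: +312ms",
    "04-17 18:11:48.861 22179 22301 D crypto_bridge-JNI: buffer:188 88 158 138 22 103",
    "04-17 18:11:48.862 22179 22301 D crypto_bridge-JNI: result szB64Encoded:" + FAKE_KEY + " len:45",
])

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line_no} [{f.tag}] {', '.join(f.reasons)}: {f.redacted}")
```

Run against a live device with `adb logcat -v threadtime | python3 this_script.py` after swapping `SAMPLE_LOGCAT` for `sys.stdin.read()`; the benign ActivityManager line in the sample is there to show that ordinary log traffic is not flagged, while every crypto_bridge-JNI line is.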

abonander commented Sep 25, 2019

This is mainly only an issue on rooted phones and phones where the READ_LOGS permission was manually granted to an app through ADB.

However, that's assuming there isn't a bug in the OS that leaks logs, or that there aren't poorly sandboxed system or bloatware apps that are granted this permission by default.

Finally, it is a huge code smell. The entire codebase should be audited for any other possible locations where secrets might be getting leaked.
