Displaying Stack Traces in Error Messages
Mobile applications often show error messages to their users. A variety of error messages are available. Application developers choose an appropriate message for a situation and embed it into the source code. When the error condition occurs, the embedded message is displayed. Some error messages reveal information about the application’s internals. A person with malicious intent may use this information to harm the system. Let’s look at the ‘printStackTrace()’ method as an example to understand the scenario better.
A mobile application calls the ‘printStackTrace()’ method whenever a particular error condition occurs, and its output is displayed to users. This method lists the functions that were executing at the moment the error occurred. This list is called a ‘stack trace’. An attacker purposefully enters incorrect inputs to trigger error messages, and is shown a list of functions as a result. By collecting multiple stack traces this way, the attacker works out a majority of the app’s functionality, and subsequently its flaws. He exploits the weaknesses and gains unauthorized access to the app.
It is recommended to refrain from using error messages that would reveal the application’s internal details. Instead, customized error messages that do not disclose system-related information should be used.
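The following is an added example, not code from the original article: plain Java (runnable without an Android SDK) that places the insecure pattern, where the ‘printStackTrace()’ output becomes the user-visible message, beside a hardened version that logs the full trace internally under an incident id and shows the user only a generic message. The ‘parseAmount’ method and the message texts are hypothetical stand-ins.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorMessageDemo {
    private static final Logger LOG = Logger.getLogger(ErrorMessageDemo.class.getName());

    // Hypothetical stand-in for the app's business logic; throws on malformed input.
    static int parseAmount(String input) {
        return Integer.parseInt(input.trim());
    }

    // Insecure: the full stack trace is turned into the message shown to the user.
    static String insecureErrorMessage(String input) {
        try {
            parseAmount(input);
            return "OK";
        } catch (NumberFormatException e) {
            StringWriter sw = new StringWriter();
            e.printStackTrace(new PrintWriter(sw)); // same content printStackTrace() writes to stderr
            return "Error: " + sw;                   // reveals class names, method names and line numbers
        }
    }

    // Hardened: the detailed trace goes only to the internal log, keyed by an incident id;
    // the user sees a generic message plus that id so support can still find the log entry.
    static String secureErrorMessage(String input) {
        try {
            parseAmount(input);
            return "OK";
        } catch (NumberFormatException e) {
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "Input validation failed, incident " + incidentId, e);
            return "Something went wrong. Please try again (ref " + incidentId + ").";
        }
    }

    public static void main(String[] args) {
        System.out.println(insecureErrorMessage("12abc")); // leaks the stack trace
        System.out.println(secureErrorMessage("12abc"));   // generic message only
    }
}
```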