Privacy: developer.log() leaks user transcripts to system log #3

@0xharkirat

Description

Priority: High

Every user voice command, resolved action, and extracted parameter is logged via developer.log(), which writes to Android system logs visible via adb logcat. While debugPrint() is a no-op in release builds, developer.log() is not.

Impact

  • User voice transcripts visible in system logs
  • Resolved action parameters (which may contain personal data) are logged
  • Any app with log-read permission or USB debugging can see these

Recommended fix

Gate all developer.log calls behind kDebugMode:

if (kDebugMode) {
  developer.log(encoded, name: 'HarkDebugNlu');
}

Files

  • lib/screens/assistant_screen.dart (lines 216, 278-283, 463-479)
  • lib/services/nlu_command_resolver.dart (lines 39-49, 143-150, 236-239)
  • lib/services/slot_filling_service.dart (lines 75-78, 93-95, 99-103)
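
A regression check for the gating recommended above, as an added example that is not part of the original issue or the project's code: it reports developer.log calls in Dart source that sit outside an if (kDebugMode) guard. The function name ungated_log_calls and the sample Dart text are constructed for illustration, and the scan assumes dart:developer is imported as developer, as in the snippet above.

```python
import re

# Tokens that matter: the kDebugMode guard, a developer.log call, braces, ';'.
TOKEN = re.compile(
    r"(?P<guard>\bif\s*\(\s*kDebugMode\s*\))|(?P<call>\bdeveloper\.log\s*\()"
    r"|(?P<open>\{)|(?P<close>\})|(?P<semi>;)"
)
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")

def ungated_log_calls(source):
    """Return 1-based line numbers of developer.log calls outside if (kDebugMode).

    Heuristic: single-line strings and // comments are blanked first; block
    comments and multi-line strings are not handled.
    """
    findings, depth, guards, pending = [], 0, [], False
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = STRING.sub("''", raw).split("//", 1)[0]
        for tok in TOKEN.finditer(line):
            kind = tok.lastgroup
            if kind == "guard":
                pending = True                  # guard seen, body not yet opened
            elif kind == "open":
                depth += 1
                if pending:                     # this brace opens the guarded block
                    guards.append(depth)
                    pending = False
            elif kind == "close":
                if guards and guards[-1] == depth:
                    guards.pop()                # leaving the guarded block
                depth -= 1
            elif kind == "semi":
                pending = False                 # end of a brace-less guarded statement
            elif not guards and not pending:    # kind == "call", no guard active
                findings.append(lineno)
    return findings

# Constructed sample, not code from the repository.
SAMPLE = """\
void resolve(String transcript) {
  developer.log(transcript, name: 'HarkDebugNlu');
  if (kDebugMode) {
    developer.log(transcript, name: 'HarkDebugNlu');
  }
  if (kDebugMode) developer.log('resolved {x}');
  debugPrint('done'); // developer.log(transcript)
  developer.log(jsonEncode({'t': transcript}));
}
"""

if __name__ == "__main__":
    print(ungated_log_calls(SAMPLE))
```

A compound condition such as if (kDebugMode && verbose) is reported as ungated, which errs on the side of flagging for manual review.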
