by chrismoos 4156 days ago
I've reverse engineered plenty of Android apps before and yeah, unpacking it and seeing .class files is pretty straightforward. More sophisticated than modifying a text file, but still pretty easy.

Extracting the private key though is not that easy if it is obfuscated well. The key isn't just stored as a static variable and used as-is. I think the overall thing I'm trying to explain is:

* There are different classes of attackers
* Everything can be broken, but we want to stop as many people as we can
* Layering security is a good thing
* Is it really necessary to have the library log the information, as opposed to letting applications decide?

1 comments

Fair enough. Did you see my point about just hashing log4j.properties's contents? Since I assume you won't be modifying it after you publish as you don't want debugging. As long as you check the hash before you decrypt any XML this should solve your concerns.

In order for someone to then abuse the debugging functionality on Santuario they would need to modify your APK which is frankly just as big of a barrier as finding and pulling the private key(s).

It would be possible but not that straightforward: you can change how log4j loads/finds the properties file, for example, so it would be hard to enforce that.

It's pretty easy to unpack an APK, change log4j stuff to DEBUG, repack, and run vs. unpacking APK, disassemble class files, go through files, find how key is stored, routine for deobfuscation, etc.
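The hash check proposed in the thread, together with the objection that log4j can be pointed at a different properties file, as an added sketch that is not code from either commenter or from Santuario. The class name `LogConfigGuard`, its methods and the sample property lines are hypothetical; it assumes log4j 1.x, where the `log4j.configuration` system property overrides the default `log4j.properties` lookup, and since the check ships inside the same APK it only raises the bar in the way the thread discusses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

class LogConfigGuard {
    // Stream the config through SHA-256 so file size does not matter.
    static byte[] sha256(InputStream in) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            md.update(buf, 0, n);
        }
        return md.digest();
    }

    // Fail closed: call this before any XML decryption is attempted.
    static void requireUntampered(InputStream config, byte[] pinned, String overrideProp)
            throws IOException, NoSuchAlgorithmException {
        if (overrideProp != null) {
            // Assumption: log4j 1.x would load this location instead of the packaged file.
            throw new SecurityException("log4j.configuration override is set");
        }
        if (config == null) {
            throw new SecurityException("packaged log4j.properties not found");
        }
        if (!MessageDigest.isEqual(sha256(config), pinned)) {
            throw new SecurityException("log4j.properties does not match pinned digest");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample contents; a real app would read the packaged file with
        // LogConfigGuard.class.getResourceAsStream("/log4j.properties").
        byte[] shipped = "log4j.rootLogger=WARN, A1\n".getBytes(StandardCharsets.UTF_8);
        byte[] modified = "log4j.rootLogger=DEBUG, A1\n".getBytes(StandardCharsets.UTF_8);
        // In a release build the digest is computed once and embedded as a constant.
        byte[] pinned = sha256(new ByteArrayInputStream(shipped));
        String override = System.getProperty("log4j.configuration");

        requireUntampered(new ByteArrayInputStream(shipped), pinned, override);
        System.out.println("shipped config accepted");
        try {
            requireUntampered(new ByteArrayInputStream(modified), pinned, override);
        } catch (SecurityException e) {
            System.out.println("modified config rejected: " + e.getMessage());
        }
    }
}
```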