Skip to content

fix(trezor): redact secrets in log_debug transport output #125

Description

@piotr-iohk

Problem

TransportCallback::log_debug forwards Rust transport diagnostics to native apps via src/modules/trezor/implementation.rs. The stream content is owned by trezor-connect-rs and changes with dependency updates.

Native apps previously attempted consumer-side regex redaction before persisting logs. Review on synonymdev/bitkit-android#1067 showed this is not a security boundary:

  • Labeled secrets with unexpected key names leak (thp_credential, master_key, …).
  • Bare values without keys leak (xpub6…, raw frame hex).
  • JSON array values are not covered.
  • Per-chunk BLE logging floods output.

Android now mitigates by not forwarding TrezorDebugLog to the user-exportable app log. Diagnostics stay in a 300-line in-memory dev buffer only. That is the correct app-side fix, but core should not emit sensitive material into log_debug in the first place.

Anyone enabling transport debug logging in dev builds — or a future app that forwards the callback to disk — would still be at risk.

Proposed change

Redact or suppress sensitive content at the source in bitkit-core before invoking the log_debug callback.

Preferred approach

Add a small sanitizer in the trezor module used by log_debug:

  1. Never forward raw credentials, mnemonics, passphrases, PINs, PSBTs, serialized transactions, extended keys, or full encrypted frame payloads.
  2. Replace values with stable placeholders (<redacted>) while keeping subsystem tags and non-sensitive metadata (lengths, state names, error codes).
  3. Optionally truncate very long hex blobs even when unlabeled.

Alternative (also acceptable)

Gate verbose transport log_debug behind an explicit dev-only flag in core, default off. Native apps opt in only for local debugging. Production/mainnet builds never receive the raw stream.

Do not rely on native regex scrubbing as the primary control.

Tests

  • Representative trezor-connect-rs log lines with credential=, psbt=, bare xpubs, and frame hex are sanitized before callback invocation.
  • Non-sensitive lines (connection state, error codes, byte lengths) pass through.
  • Regression: no callback output contains known test secrets from fixture strings.

Acceptance criteria

  • log_debug callback never receives unredacted secrets for the fixture set used in tests.
  • No FFI API shape change required (same log_debug(tag, message) signature).
  • Rust tests, Clippy, and formatting pass.

Consumer follow-up

After release:

  • Native apps can keep TrezorDebugLog in-memory only (current Android behavior).
  • Remove any remaining app-side redaction regex if core guarantees safe output.
  • Optional: re-enable selective forward to persistent logs in dev builds only, behind a dev flag.

Related

Priority

Medium — app-side mitigation is in place for Android v1. Still the correct long-term fix for any consumer of log_debug, including iOS and future tooling.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions