Problem
TransportCallback::log_debug forwards Rust transport diagnostics to native apps via src/modules/trezor/implementation.rs. The stream content is owned by trezor-connect-rs and changes with dependency updates.
Native apps previously attempted consumer-side regex redaction before persisting logs. Review on synonymdev/bitkit-android#1067 showed this is not a security boundary:
- Labeled secrets with unexpected key names leak (
thp_credential, master_key, …).
- Bare values without keys leak (
xpub6…, raw frame hex).
- JSON array values are not covered.
- Per-chunk BLE logging floods output.
Android now mitigates by not forwarding TrezorDebugLog to the user-exportable app log. Diagnostics stay in a 300-line in-memory dev buffer only. That is the correct app-side fix, but core should not emit sensitive material into log_debug in the first place.
Anyone enabling transport debug logging in dev builds — or a future app that forwards the callback to disk — would still be at risk.
Proposed change
Redact or suppress sensitive content at the source in bitkit-core before invoking the log_debug callback.
Preferred approach
Add a small sanitizer in the trezor module used by log_debug:
- Never forward raw credentials, mnemonics, passphrases, PINs, PSBTs, serialized transactions, extended keys, or full encrypted frame payloads.
- Replace values with stable placeholders (
<redacted>) while keeping subsystem tags and non-sensitive metadata (lengths, state names, error codes).
- Optionally truncate very long hex blobs even when unlabeled.
Alternative (also acceptable)
Gate verbose transport log_debug behind an explicit dev-only flag in core, default off. Native apps opt in only for local debugging. Production/mainnet builds never receive the raw stream.
Do not rely on native regex scrubbing as the primary control.
Tests
- Representative trezor-connect-rs log lines with
credential=, psbt=, bare xpubs, and frame hex are sanitized before callback invocation.
- Non-sensitive lines (connection state, error codes, byte lengths) pass through.
- Regression: no callback output contains known test secrets from fixture strings.
Acceptance criteria
log_debug callback never receives unredacted secrets for the fixture set used in tests.
- No FFI API shape change required (same
log_debug(tag, message) signature).
- Rust tests, Clippy, and formatting pass.
Consumer follow-up
After release:
- Native apps can keep
TrezorDebugLog in-memory only (current Android behavior).
- Remove any remaining app-side redaction regex if core guarantees safe output.
- Optional: re-enable selective forward to persistent logs in dev builds only, behind a dev flag.
Related
Priority
Medium — app-side mitigation is in place for Android v1. Still the correct long-term fix for any consumer of log_debug, including iOS and future tooling.
Problem
TransportCallback::log_debugforwards Rust transport diagnostics to native apps viasrc/modules/trezor/implementation.rs. The stream content is owned by trezor-connect-rs and changes with dependency updates.Native apps previously attempted consumer-side regex redaction before persisting logs. Review on synonymdev/bitkit-android#1067 showed this is not a security boundary:
thp_credential,master_key, …).xpub6…, raw frame hex).Android now mitigates by not forwarding
TrezorDebugLogto the user-exportable app log. Diagnostics stay in a 300-line in-memory dev buffer only. That is the correct app-side fix, but core should not emit sensitive material intolog_debugin the first place.Anyone enabling transport debug logging in dev builds — or a future app that forwards the callback to disk — would still be at risk.
Proposed change
Redact or suppress sensitive content at the source in bitkit-core before invoking the
log_debugcallback.Preferred approach
Add a small sanitizer in the trezor module used by
log_debug:<redacted>) while keeping subsystem tags and non-sensitive metadata (lengths, state names, error codes).Alternative (also acceptable)
Gate verbose transport
log_debugbehind an explicit dev-only flag in core, default off. Native apps opt in only for local debugging. Production/mainnet builds never receive the raw stream.Do not rely on native regex scrubbing as the primary control.
Tests
credential=,psbt=, bare xpubs, and frame hex are sanitized before callback invocation.Acceptance criteria
log_debugcallback never receives unredacted secrets for the fixture set used in tests.log_debug(tag, message)signature).Consumer follow-up
After release:
TrezorDebugLogin-memory only (current Android behavior).Related
2ab41b00)src/modules/trezor/callbacks.rs—log_debugtraitsrc/modules/trezor/implementation.rs— callback forward sitePriority
Medium — app-side mitigation is in place for Android v1. Still the correct long-term fix for any consumer of
log_debug, including iOS and future tooling.