XFINITY Mobile App Leaking Username/Password?

Joe Levi | February 15, 2011 7:31 PM

We recently told you about the XFINITY Mobile app for Android, an app that lets you do a whole bunch of stuff, though most people are likely interested in its DVR control and its (lackluster) video streaming capabilities.

The app lets you talk to your configured DVRs, check voicemail and email, and even has some address book functionality. To do this, the app has to know your XFINITY username and password. Unfortunately, the app stores your credentials in your Android device's system log.

Additionally, the YOURUSERNAME@comcast.net and YOURPASSWORD fields appear on a line that starts with “D/HTTPManager”, implying this may be sent in clear-text via HTTP, which would make your login available to anyone with a packet sniffer between you and Comcast/XFINITY’s servers. It’s unknown whether or not this is the case. Whether or not it is being sent across the web doesn’t change the fact that the logs are accessible to anyone with physical access to your device, and may be included in data that can be sent in a force-close report.
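As an added example (not from the original post, XDA-Developers or Comcast), here is a small Python scanner a user or app tester could run over a saved logcat dump to find lines that carry a known username or password, in raw, URL-encoded or Base64 form, and redact them before the log is shared in a bug report. It assumes logcat's brief line layout; the sample lines, the `com.example.app` package and the `hunter2` value are constructed, since the post does not show the app's actual log line.

```python
import base64
import re
from urllib.parse import quote

# logcat "brief" layout: <priority>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\): ?(.*)$")
# Generic credential fields such as password=... or "pwd":"..."
FIELD_RE = re.compile(r'(?i)\b(pass(?:word|wd)?|pwd)("?\s*[=:]\s*"?)([^&\s",}<]+)')

def b64(text):
    return base64.b64encode(text.encode()).decode()

def needles(username, password):
    """Map every form the known secrets may take in a log to a label."""
    forms = {b64(f"{username}:{password}"): "basic-auth"}  # HTTP Basic header
    for label, secret in (("password", password), ("username", username)):
        for form in (secret, quote(secret, safe=""), b64(secret)):
            forms.setdefault(form, label)
    return forms

def scan(log_text, username, password):
    """Return (line_no, tag, labels, redacted_message) for each leaking line."""
    known = sorted(needles(username, password).items(), key=lambda kv: -len(kv[0]))
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, msg, labels = m.group(2).strip(), m.group(4), set()
        for form, label in known:  # longest first, so encoded forms win
            if form in msg:
                labels.add(label)
                msg = msg.replace(form, f"<{label}>")
        # Catch password-like fields whose value is not one of the known secrets
        msg, hits = FIELD_RE.subn(r"\1\2<unknown-secret>", msg)
        if hits:
            labels.add("unknown-secret")
        if labels:
            findings.append((line_no, tag, sorted(labels), msg))
    return findings

# Constructed sample: the real app's log line layout is not shown in the post.
USER, PASSWORD = "YOURUSERNAME@comcast.net", "YOURPASSWORD"
SAMPLE_LOG = "\n".join([
    "I/ActivityManager(   61): Displayed activity com.example.app/.Login",
    f"D/HTTPManager( 1234): POST /login user={quote(USER, safe='')}&password={PASSWORD}",
    f"D/HTTPManager( 1234): Authorization: Basic {b64(USER + ':' + PASSWORD)}",
    "D/HTTPManager( 1234): retry with pwd=hunter2",
])
```

Calling `scan(SAMPLE_LOG, USER, PASSWORD)` returns one entry per leaking line, with the tag that logged it and the message already redacted.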

The Android Market states that an update is coming soon, but doesn’t indicate that this security issue is known or has been addressed in the upcoming release of the app. We hope that this security hole is patched up sooner rather than later!

Source: XDA-Developers
