Tip of the day: secure analysis of heap dumps

If an app keeps sensitive data such as credit card numbers, passwords etc. in its memory, then its heap dump will contain that information as well. That creates legitimate concerns, especially at big companies: what if sensitive data leaks after we shared a dump with another team to facilitate debugging?

Fortunately, JXRay is already much better than most other tools in this respect. First, as explained in one of our previous posts, it allows you to process a heap dump directly on the production machine that generated it. Thus, the dump file shouldn’t leave the secure environment at all. And second, a JXRay report contains just some object samples – roughly ten objects for each type. That makes it much harder, if not impossible, to extract any practical amount of sensitive data.

If you want to be absolutely sure, you can “redact” a JXRay HTML report before sharing it. Just open it in a text editor, search for any sensitive data patterns and remove them.
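The manual redaction step above is easy to get wrong when a report has many object samples, so here is a small script that automates it. This is an added example and not part of JXRay; it assumes only that the report is plain HTML text and that object samples may contain card numbers as digit strings or password-like key/value pairs. The embedded `SAMPLE_REPORT` is constructed for the demonstration and does not reproduce JXRay's real report layout. Card-number candidates are masked only if they pass the Luhn checksum, so ordinary numeric fields (timestamps, ids) stay intact and the report remains useful for debugging.

```python
"""Redact card-number-like values and password-style secrets from an HTML
heap-dump report before it is shared.  Added example, not JXRay code."""
import re
import sys

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value / key: value pairs whose key looks like a credential field.
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token)(\s*[:=]\s*)([^\s<>&\"'},]+)"
)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(raw: str) -> str:
    """Mask all but the last four digits if `raw` is a plausible card number;
    otherwise return it unchanged."""
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_report(html: str) -> tuple:
    """Return (redacted_html, number_of_redactions)."""
    count = 0

    def card_sub(m: "re.Match") -> str:
        nonlocal count
        out = mask_card(m.group(0))
        if out != m.group(0):
            count += 1
        return out

    def secret_sub(m: "re.Match") -> str:
        nonlocal count
        count += 1
        return f"{m.group(1)}{m.group(2)}[REDACTED]"

    html = CARD_RE.sub(card_sub, html)
    html = SECRET_KV_RE.sub(secret_sub, html)
    return html, count


# Constructed sample; the layout is illustrative only, not JXRay's actual format.
SAMPLE_REPORT = (
    "<html><body><h2>Instances of com.example.Payment</h2>\n"
    "<pre>Payment{card=4111 1111 1111 1111, amount=1999}</pre>\n"
    "<pre>Payment{card=4111111111111111, amount=250}</pre>\n"
    "<pre>Session{id=1234567890123456, user=alice}</pre>\n"
    "<pre>Credentials{user=bob, password=hunter2}</pre>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    # Usage: python redact_report.py report.html > report-redacted.html
    # With no argument, the constructed sample is redacted instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_REPORT
    redacted, n = redact_report(source)
    sys.stdout.write(redacted)
    sys.stderr.write(f"{n} value(s) redacted\n")
```

Review the redacted copy before sharing it: the patterns above cover the two most common kinds of sensitive sample values, and any application-specific fields (account numbers, API keys in a custom format) need their own pattern added to the script.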

In the future, we are considering adding a new feature that will make the tool generate two reports if needed: one with object samples, as now, and one with no object samples at all. The latter, while limiting debugging abilities to some extent, should still allow developers to analyze memory leaks and other problems where it is sufficient to know just the names of classes, the number of objects and their relations. Please email us at info@jxray.com if you want to have this feature.
