getsentry / sentry-docs

Sentry's documentation (and tools to build it)
https://docs.sentry.io

Inaccurate and incomprehensible guidance on Data Privacy for Mobile #5724

Closed xiaoyue10131748 closed 5 months ago

xiaoyue10131748 commented 1 year ago

Core or SDK?

Platform/SDK

Which part? Which one?

Mobile SDK Documentation (https://docs.sentry.io/product/security/mobile-privacy/)

Description

Summary

Dear Security & Privacy Teams of Sentry,

We found that your privacy label guidance [1] inaccurately and incomprehensibly discloses data collection practices, which probably means that many apps integrating the Sentry SDK are non-compliant with Apple's privacy label requirements. As required by Apple, apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases be removed from the App Store entirely if they do not come into compliance [2], which in turn will impact your SDK integration rate and your reputation as a privacy-conscious vendor.

We observed that the Sentry SDK allows app developers to pass the user's Precise Location, Device ID, and Performance Data to the Sentry backend. However, the apps that integrated the Sentry SDK did not disclose this data collection in their privacy labels. Furthermore, we found that Sentry's privacy label guideline [1] inaccurately states that the device ID (IDFA) is not collected, and also does not mention that precise location and performance data can be collected depending on the developer's configuration.

Case study

Precise Location, Device ID, and Performance Data are transmitted to the Sentry endpoint by an app without disclosure in its privacy label.
[NOTE: screenshot removed]

Reference

[1] https://docs.sentry.io/product/security/mobile-privacy/
[2] https://9to5mac.com/2021/01/29/app-store-privacy-labels/

Suggested Solution

Recommendation for improvement:

Although app developers are responsible for all code included in their apps, they may not be able to know the data collection and tracking practices of the code in your SDK. To help app developers correctly specify their apps' privacy labels, we suggest that Sentry's privacy team update the privacy label guidance [1] to clearly describe that "Precise Location, Device ID, and Performance Data" are collected optionally, depending on the developer's configuration, instead of omitting them or directly declaring them as not collected.

kahest commented 1 year ago

Thank you @xiaoyue10131748 for your report and suggestions, we will review and come back to you.

xiaoyue10131748 commented 1 year ago

Hi kahest, thanks for your quick response. Here is the [removed] with the case study.

kahest commented 1 year ago

Thanks @xiaoyue10131748 - please note that I removed the link to the document as it may contain information that could be sensitive, and we have all the information we need here.

getsentry-release commented 1 year ago

Routing to @getsentry/team-mobile for triage. ⏲️

kahest commented 1 year ago

Regarding ~~deviceID~~ installationId: This is randomly generated during the installation of the app and used if the developers using the SDK do not send a user ID themselves. The installationId does not contain any information about the device or the user. Edited for correction. For details about deviceID see below.

xiaoyue10131748 commented 1 year ago

Hi kahest, thanks for your clarification. However, we observed app developers setting "Device ID" to the IDFV (returned by the system API identifierForVendor) and sending it to Sentry. Both our research and the paper [1] hold that the IDFV is more convoluted and essentially consider it a privacy-sensitive ID, since it enables cross-app user tracking. According to Apple, "it is useful for analytics across apps from the same content provider and may not be combined with other data to track a user across apps and websites owned by other companies unless the app has been granted permission to track by the user".

[1] Koch, Simon, et al. "Keeping privacy labels honest." Proceedings on Privacy Enhancing Technologies 4 (2022): 486-506.

kahest commented 1 year ago

@xiaoyue10131748 to clarify, the Sentry Cocoa SDK does not send identifierForVendor to sentry.io by itself.

An app developer could decide to explicitly read identifierForVendor from the API you mentioned and configure Sentry to send it as part of the payload. This can be done e.g. by setting Tags, which seems to have been the case for the sample you provided. These tags (among other SDK features) can be used to send arbitrary data, just like any other HTTP request outside of Sentry can. This is out of Sentry's control and always a conscious decision made by the app developer.
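
The two configurations contrasted in the reply above, as an added example that is not code from the original thread, from the reporter, or from Sentry. It assumes a placeholder DSN and uses the tag key "deviceID" mentioned in the thread; the public sentry-cocoa calls (`SentrySDK.start`, `configureScope`, `setTag`, `beforeSend`) are the ones the SDK documents, everything else is illustrative.

```swift
import Sentry
import UIKit

// Placeholder DSN (assumption; not a real project).
let exampleDSN = "https://examplePublicKey@o0.ingest.sentry.io/0"

// (a) The pattern described in the reply: the app itself reads the IDFV and
// attaches it as a scope tag. The SDK never does this on its own; once set
// here, the app-scoped identifier is included in every event sent to the DSN,
// which is exactly the kind of collection a privacy label must declare.
func configureSentryWithIdfvTag() {
    SentrySDK.start { options in
        options.dsn = exampleDSN
    }
    if let idfv = UIDevice.current.identifierForVendor?.uuidString {
        SentrySDK.configureScope { scope in
            // "deviceID" is a developer-chosen key, unrelated to the SDK's
            // own random installationId.
            scope.setTag(value: idfv, key: "deviceID")
        }
    }
}

// (b) Same SDK without the identifier: rely on the SDK's random installation
// id (used when no user id is set) and add a beforeSend guard that strips
// the tag if another part of the code base still sets it.
func configureSentryWithoutIdfv() {
    SentrySDK.start { options in
        options.dsn = exampleDSN
        options.beforeSend = { event in
            if var tags = event.tags, tags["deviceID"] != nil {
                tags.removeValue(forKey: "deviceID")
                event.tags = tags
            }
            return event
        }
    }
}
```

The beforeSend hook in (b) is a last-line check, not a substitute for auditing every `setTag`, `setExtra` and `setUser` call: it only catches the one key assumed here, and any other field carrying an identifier would still need to be disclosed.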

xiaoyue10131748 commented 1 year ago

Yes. We totally agree that it is the app developer's misconfiguration that caused the data exfiltration. The app developer may have misunderstood the "key" set via configurable Tags (e.g., "deviceID" is actually "installationId", which is not linked to users). It would be better if the Sentry SDK updated its privacy label guidance [1] to clearly notify app developers which data is configurable by which tag settings, and whether enabling those configurations requires appropriate disclosure in their apps' privacy labels.

[1] https://docs.sentry.io/product/security/mobile-privacy/

kahest commented 1 year ago

related to https://github.com/getsentry/rfcs/pull/70