Closed xiaoyue10131748 closed 5 months ago
Thank you @xiaoyue10131748 for your report and suggestions, we will review and come back to you.
Hi kahest, thanks for your quick response. Here is the [removed] with the case study.
Thanks @xiaoyue10131748 - please note that I removed the link to the document as it may contain information that could be sensitive, and we have all the information we need here.
Routing to @getsentry/team-mobile for triage. ⏲️
Regarding installationId (edited; originally written as deviceID): This is randomly generated during the installation of the app and used if the developers using the SDK do not send a user ID themselves. The installationId does not contain any information about the device or the user.
Edited for correction. For details about deviceID see below.
Hi Kahest, thanks for your clarification. However, we observed app developers set "Device ID" as the IDFV (returned by the system API identifierForVendor) and sent it to Sentry. Both our research and paper [1] believe that the IDFV is more convoluted and essentially a privacy-sensitive ID, since it enables cross-app user tracking: based on Apple, "it is useful for analytics across apps from the same content provider and may not be combined with other data to track a user across apps and websites owned by other companies unless the app has been granted permission to track by the user".
[1] Koch, Simon, et al. "Keeping Privacy Labels Honest." Proceedings on Privacy Enhancing Technologies 2022(4): 486-506.
@xiaoyue10131748 to clarify, the Sentry Cocoa SDK does not send identifierForVendor to sentry.io by itself.
An app developer could decide to explicitly read identifierForVendor from the API you mentioned, and configure Sentry to send it as part of the payload. This can be done e.g. by setting Tags, which seems to have been the case for the sample you provided. These tags (among other SDK features) can be used to send arbitrary data, just like any other HTTP request outside of using Sentry can. This is out of Sentry's control and always a conscious decision made by the app developer.
Yes. We totally agree that it is the app developer's misconfiguration that caused the data exfiltration. The app developer could probably misunderstand the "key" set by configurable Tags (e.g., "deviceID" is actually "installationId", which is not linked to users). It would be better if the Sentry SDK could update its privacy label guidance [1] to clearly notify app developers which data is configurable by which setting tags, and whether enabling those configurations needs appropriate disclosure in their apps' privacy labels.
related to https://github.com/getsentry/rfcs/pull/70
Core or SDK?
Platform/SDK
Which part? Which one?
Mobile SDK Documentation (https://docs.sentry.io/product/security/mobile-privacy/)
Description
Summary
Dear Security & Privacy Teams of Sentry,
We found that your privacy label guidance [1] inaccurately and incomprehensibly discloses data collection practices, which probably causes many apps integrated with the Sentry SDK to be non-compliant with Apple's privacy label requirements. As required by Apple, apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases be removed from the App Store entirely if they don't come into compliance [2], which in turn will impact your SDK integration rate and your reputation as a privacy-conscious vendor.
We observed that the Sentry SDK allows app developers to pass the user's Precise Location, Device ID, and Performance Data to the Sentry backend. However, the apps that integrated the Sentry SDK did not disclose this data collection in their privacy labels. Furthermore, we found that Sentry's privacy label guideline [1] inaccurately describes that the device ID (IDFA) is not collected, and also does not mention that precise location and performance data can be collected based on the developer's configuration.
Case study
Precise Location, Device ID, and Performance Data are transmitted to the Sentry endpoint by an app without disclosure in its privacy label.
[NOTE: screenshot removed]
Reference
[1] https://docs.sentry.io/product/security/mobile-privacy/
[2] https://9to5mac.com/2021/01/29/app-store-privacy-labels/
Suggested Solution
Recommendation for improvement:
Although app developers are responsible for all code included in their apps, they may not be able to know the data collection and tracking practices of code used in your SDK. To help app developers correctly specify their app's privacy label, we suggest Sentry's privacy team update your privacy label guidance [1] to clearly describe that "Precise Location, Device ID, and Performance Data" are collected optionally based on the developer's configuration, instead of omitting them or directly declaring them as not collected.