getsentry / sentry-java

A Sentry SDK for Java, Android and other JVM languages.
https://docs.sentry.io/
MIT License

Security warning because of insecure HTTP URL in release artifact #3259

Open G00fY2 opened 4 months ago

G00fY2 commented 4 months ago

Integration: sentry-android

Build System: Gradle

AGP Version: 8.6

Proguard: Enabled

Version: 7.6

Steps to Reproduce

We use AppSweep by Guardsquare for security scans of our Android application. When scanning our minified release APK we see a security warning because of an "insecure HTTP URL" shipped in our code. The reported URL is http://10.0.2.2:8969/stream.

It seems like this was added with the spotlight integration: https://github.com/getsentry/sentry-java/pull/3166

We do not use this feature and would like to prevent shipping this URL to avoid issues with security services like e.g. AppSweep or other external security pentests which we regularly need to pass.

Expected Result

Sentry SDK does not add insecure HTTP URLs to production code

Actual Result

Minified Android APK contains http://10.0.2.2:8969/stream
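A small triage script, added here as an example and not part of sentry-java or AppSweep, that reproduces the scanner's check: it pulls plain-http URL literals out of a classes.dex (or every dex inside an APK) and marks those that point at the emulator host or loopback, so a finding like the Spotlight URL can be separated from a real cleartext endpoint. The sample bytes are constructed and only approximate the DEX string layout.

```python
import re
import zipfile
from urllib.parse import urlsplit

# Hosts that only ever resolve to the developer machine or the device itself.
# 10.0.2.2 is the Android emulator's alias for the host PC (the Spotlight case).
LOCAL_HOSTS = {"10.0.2.2", "127.0.0.1", "localhost", "0.0.0.0"}

# Plain-http literals only; "https://" never contains the byte sequence "http://".
URL_RE = re.compile(rb"http://[\x21-\x7e]{4,}")


def find_cleartext_urls(blob: bytes) -> list[dict]:
    """Return every plain-http URL literal found in a DEX/JAR byte blob.

    DEX string data is length-prefixed MUTF-8, so a raw byte scan for the
    'http://' prefix finds ASCII URLs without a full DEX parser.
    """
    findings = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii", "replace").rstrip("\"'\\)>")
        host = urlsplit(url).hostname or ""
        findings.append({
            "url": url,
            "offset": m.start(),
            "scope": "local-only" if host in LOCAL_HOSTS else "remote",
        })
    return findings


def scan_apk(path: str) -> list[dict]:
    """Scan every classes*.dex inside an APK and tag findings with the entry name."""
    results = []
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for f in find_cleartext_urls(apk.read(name)):
                    results.append({"entry": name, **f})
    return results


# Constructed sample standing in for a fragment of a minified classes.dex:
# three length-prefixed string literals, one of them the URL from the report.
SAMPLE_DEX_FRAGMENT = (
    b"\x00\x1bhttp://10.0.2.2:8969/stream\x00"
    b"\x00\x1bhttp://telemetry.example/v1\x00"
    b"\x00\x1ahttps://sentry.example/api\x00"
)

if __name__ == "__main__":
    for f in find_cleartext_urls(SAMPLE_DEX_FRAGMENT):
        print(f"{f['scope']:10} {f['url']}")
```

Run `scan_apk("app-release.apk")` on a real build to get the same findings per dex entry; a "local-only" hit is the kind of result the report describes, a "remote" one deserves a look.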

markushi commented 4 months ago

@G00fY2, thanks for reporting! Yes, this stems from here, although it's worth noting this URL is not being used unless spotlight is explicitly enabled via SentryOptions.

We'll discuss this internally, we could consider moving our SpotlightIntegration into a separate module, allowing you to completely exclude this module from release builds.

stefanosiano commented 4 months ago

Hey @G00fY2, is it possible to ignore this warning? It is not used at runtime by default anyway.

G00fY2 commented 4 months ago

@stefanosiano Thanks for answering! Since it is not a build or lint warning, it will only show up in security analysis scans of our app artifacts (like AppSweep). We as developers could ignore it, but it adds noise to the results (currently it is the only non-HTTPS URL "shipped" in our quite large app project). Also we regularly need to "pass" penetration tests done by external companies (e.g. TÜV) which usually report those issues too. We would like to avoid justifying such findings.

Also on Android we use code shrinking based on R8. Ideally unreachable/unused code should be removable by the shrinker.

adinauer commented 4 months ago

Could we generate a valid SSL cert for a sentry domain like "spotlight.local.sentry.dev" or similar that points to localhost (and another one for Android pointing to the special address used for accessing the host PC)?

We could then replace all the http URLs with https ones and get rid of the warning.

Caveat: this wouldn't work offline if the DNS entry hasn't been cached yet.