objective-see / LuLu

LuLu is the free macOS firewall
GNU General Public License v3.0

LuLu contacting Sentry.io #488

Closed holow29 closed 8 months ago

holow29 commented 2 years ago

The LuLu app appears to contact Sentry.io quite a bit when it is in-use, I'm assuming for telemetry purposes. Is there any plan to make this behavior opt-out? Additionally, using LuLu itself, I can try to block it from reaching out to Sentry.io with a manual rule, but somehow the requests are still getting out. Is LuLu bypassing itself by not using Network.framework or NSURLSession connections?

Using a local block list (Preferences->Block List) with sentry.io listed also does not seem to have an effect. I'm seeing this with other DNS-based blocking as well such as Office endpoints (self.events.data.microsoft.com, nexusrules.officeapps.live.com). It seems odd because some requests appear to use the types of connections that LuLu can detect - as I am prompted to either allow or block them. However, blocking does not seem to prevent them.

I'll note that blocking the process from making any outgoing connections does work as expected, which is why I assume the issue is with the DNS-based blocking, perhaps given the limitation described in the documentation and above. I guess the question becomes - why do they show up at any point (giving me the option to block/allow and add a rule) if they are not going to abide by it? If they use a different type of unsupported connection, wouldn't they never show up?

MacOS 12.6 LuLu 2.4.2

PatTheMav commented 2 years ago

I got that alert for the first time today as well - I don't mind apps sending telemetry data, if it's opt-in.

It should also be noted that this is a GDPR violation as there is no privacy policy available on objective-see.org or from within the app that discloses the usage of Sentry.io and thus that personally identifiable data is transmitted to services not under control by the same entity (and IP addresses are PII per the ruling of European courts).

While it could be argued that such telemetry is a "legitimate interest" (which is arguable) and does not require explicit consent, even in that case it would require disclosure in a data privacy policy.

GitHugz commented 2 years ago

I 3rd this conclusion. Sentry.io is called every 2 minutes whenever the LuLu application is open (not including when it is on in the background), just when Rules, Mode, Update, Network Monitor, etc. is open. As of post date, neither the TOS nor the Privacy Policy states this telemetry function is built in. This calls into question the integrity of the rest of the code.

objective-see commented 2 years ago

Sentry.io is the open-source error reporting system used by LuLu to report crashes.

From Sentry.io

Sentry's SDKs report an error automatically whenever a thrown error or exception goes uncaught in your application, causing the application to crash. The SDK automatically hooks into all signal and exception handlers ... The SDK builds a crash report that persists to disk and tries to send the report right after the crash. Since the environment may be unstable at the crash time, the report is guaranteed to send once the application is started again.

It is compiled into LuLu, and invoked via the following:

        [SentrySDK startWithConfigureOptions:^(SentryOptions *options) {
            options.dsn = SENTRY_DSN;
            options.debug = YES;
        }];

See: https://github.com/objective-see/LuLu/blob/5930191cc2049a6feef531a2c8975c63cd2fb307/LuLu/App/main.m#L35

1️⃣ Sentry.io is open-source: https://github.com/getsentry/sentry-cocoa

2️⃣ LuLu only uses Sentry for crash reporting, not for any telemetry data

3️⃣ According to Sentry, any crash reports are compliant w/ privacy policies including GDPR. See Sentry's documentation on this, "GDPR, Sentry, and You", for details.

4️⃣ As a limitation of Apple's Network Extension Framework (which LuLu leverages to filter network traffic), URLs (e.g. "sentry.io") are not always reported to LuLu - rather just the (resolved) IP. Hence the (Apple) framework might never pass the URL to LuLu, hence it won't be blocked. (Some are, hence the block list feature is still useful, but it works better for IP addresses).

5️⃣ I will update LuLu's page to include the fact that it uses sentry.io for error reporting. Note other Objective-See tools use Sentry as well, and this has been documented (e.g. see KnockKnock):


I should also add a privacy policy to the site. I figured since all the tools are open-source that would suffice ;) (Also no telemetry or user data is ever collected ....just crash reporting).

6️⃣ Good suggestion, re: the opt-out of error reporting ...maybe would be worth adding a preference to LuLu for this.

7️⃣ I will look into why Sentry.io is being contacted so often! This is strange, as unless they changed their SDK/framework, it is only supposed to happen on a crash report. (And again, this is the only information that LuLu is interested in):

GitHugz commented 2 years ago

I appreciate the swift reply.

Edit: The Issue included in the second portion for reference has closed.

PatTheMav commented 2 years ago

Alas per GDPR there is no difference between being closed source, open source, distributing software or offering plumbing services:

By that token one could argue that usage of Sentry not only requires its listing in the privacy policy, but also explicit consent by users from the EEA, possibly also from citizens of California.

On top of all that I think Sentry.io cannot be GDPR compliant as it relies on Privacy Shield (which has been struck down by European courts and is void) and as long as it's a US-based company even storing data on EU servers is akin to transmitting data to the US.

Transmission to the US is permissible under standard contractual clauses, but requires a Data Protection Impact Assessment (DPIA) that outlines how data of European customers is protected from access by US authorities under FISA court orders.


I know this is annoying and complex but I had to go through this process in multiple companies for different products and services, and the regulation is strict and has been interpreted even stricter by courts.

LiamKearn commented 2 years ago

Seconding for opting out here.

I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

PatTheMav commented 2 years ago

Seconding for opting out here.

I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

Per GDPR it has to be opt-in and if you don't answer it needs to be treated as a "no" (which is why many companies resort to dark UI patterns).

I don't assume any sinister motivations behind either Sentry.io or its usage, but the regulation is what it is.. 🤷🏻‍♂️

LiamKearn commented 2 years ago

Seconding for opting out here. I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

Per GDPR it has to be opt-in and if you don't answer it needs to be treated as a "no" (which is why many companies resort to dark UI patterns).

I don't assume any sinister motivations behind either Sentry.io or its usage, but the regulation is what it is.. 🤷🏻‍♂️

Sure I'm happy either way.

My data doesn't fall under the GDPR and nor does the objective-see non-profit (ref). GDPR is awesome for everyone it protects but I'm sure you'll agree it's a bit of a pain for developers sometimes 😅

PatTheMav commented 2 years ago

Contrary to (apparently) popular belief, every entity processing data of European citizens falls under GDPR. This includes corporations, non-profits, or private individuals in every country.

The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

https://gdpr.eu/companies-outside-of-europe/

In the case of Sentry.io, specifically this applies:

If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.

LiamKearn commented 2 years ago

I didn't know that. In practice, would anything happen? Nope.

Sounds like Sentry passes liability with what their customers collect somehow; their wording in that excerpt is very specific.

What sort of standard would it set if a non-profit, non-European, open source software project that protects your data was slapped with whatever repercussions a GDPR violation entails? Yes, there are articles saying the GDPR will affect your US non-profit. Will there ever be any action in something this giving? Again, nope.

Who are you suing? The person who committed the Sentry SDK into the project. Or the person who triggered the CI pipeline and built the artifact that was distributed, the application signer or whoever has liability for LuLu as a non-profit (If that's even a concept in a US based non-profit)? I'm sure someone could care to find answers to all of those but it would be stupid.

It's entirely dependent on politics; it's not something that is even remotely likely to yield an actual action in this case.

It's just a big list of acktually to me. Call that naive if you want.

To be clear I'm absolutely not against being compliant, I just don't care what call the developers decide to make. If they want to keep using sentry I'm all for it.

objective-see commented 1 year ago

Working on implementing a preference to turn off error reporting 😇

DaveLak commented 1 year ago

Working on implementing a preference to turn off error reporting 😇

It looks like this was completed in 7d8bf183396d01df669f2f37b5eac1f86047dbdf and shipped in https://github.com/objective-see/LuLu/releases/tag/v2.5.0.

@objective-see, this issue can probably be closed, correct?

etherx-dev commented 1 year ago

Thought i was over reacting when noticing this, but seriously this just messed up beyond words.

Screenshot 2023-08-21 at 05-15-44 Session Replay - poetic-redbird - Sentry

https://try.sentry-demo.com/organizations/poetic-redbird/replays/

Whatever the motive of the owner is, they should have an easy option to remove these tracking functions; even in Xcode builds we are stuck with the binaries and other tracking backdoors.

I wonder what kind of data the devs get. Has anyone tried replacing the Sentry ID?

objective-see commented 1 year ago

Aloha,

Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash.

Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry

You can turn off crash reporting via LuLu's settings - which disables it fully, as you can see in the following code: https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay": this is not a feature that LuLu uses, nor could it, even if it wanted to.

If you read the "Session Replay" documentation, it states that "Session Replay supports all browser-based JavaScript applications". LuLu is not a JS based app, so "Session Replay" is not even relevant to it.

If you want a build of LuLu without Sentry, easy enough - it's open-source! Just remove the dependency on the Sentry framework, remove the @import Sentry; and of course the call to kick off the crash reporting ([SentrySDK ...]).
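For readers who want to see what an explicit preference gate around the SDK start shown earlier in this thread looks like, here is an added example (not LuLu's own code; LuLu's real preference key and extension logic live in the linked main.m). It only starts the SDK on an explicit YES, treats an unset preference as "no", and scrubs the user block from every event before it leaves the machine. The preference key, the two helper names and the hypothetical DSN are assumptions; `sendDefaultPii`, `enableAutoSessionTracking` and `beforeSend` are sentry-cocoa options as I know them, so check them against the SDK version you build with.

```objectivec
// Added example, not LuLu's own code. Gates Sentry crash reporting behind an
// explicit user preference: an absent or NO value means the SDK is never started.
@import Foundation;
@import Sentry;   // sentry-cocoa, https://github.com/getsentry/sentry-cocoa

// Assumed preference key; LuLu's real key lives in its own Preferences code.
static NSString *const kPrefCrashReportingEnabled = @"crashReportingEnabled";

// Opt-in semantics: only an explicit YES enables reporting. A fresh install
// (key unset) and an explicit NO both disable it.
static BOOL crashReportingOptedIn(NSUserDefaults *defaults)
{
    id value = [defaults objectForKey:kPrefCrashReportingEnabled];
    return [value isKindOfClass:[NSNumber class]] && [value boolValue];
}

// Starts the SDK only when opted in. Returns YES if it was started, so the
// caller can verify the gate without any network activity taking place.
static BOOL startCrashReportingIfOptedIn(NSUserDefaults *defaults, NSString *dsn)
{
    if (!crashReportingOptedIn(defaults)) {
        // Nothing is initialised: no signal/exception handlers hooked,
        // no crash reports persisted, no outbound requests.
        return NO;
    }

    [SentrySDK startWithConfigureOptions:^(SentryOptions *options) {
        options.dsn = dsn;
        options.debug = NO;                        // no chatty SDK logging in release builds
        options.sendDefaultPii = NO;               // do not attach user/device identifiers
        options.enableAutoSessionTracking = NO;    // crash reports only; session pings are a separate feature

        // Defensive scrub: drop any user block the SDK may have attached anyway.
        options.beforeSend = ^SentryEvent * _Nullable(SentryEvent * _Nonnull event) {
            event.user = nil;
            return event;
        };
    }];
    return YES;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        // Hypothetical DSN placeholder; a real project would keep its own constant.
        NSString *dsn = @"https://EXAMPLE_KEY@o0.ingest.sentry.io/0";
        BOOL started = startCrashReportingIfOptedIn([NSUserDefaults standardUserDefaults], dsn);
        NSLog(@"crash reporting %@", started ? @"enabled by user preference" : @"off (not opted in)");
    }
    return 0;
}
```

The same helper can back a Preferences checkbox: writing YES under the key turns reporting on at the next launch, and deleting the key returns the app to the silent default.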

etherx-dev commented 1 year ago

Aloha,

Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash.

Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry

You can turn off crash reporting via LuLu's settings - which disables it fully, as you can see in the following code:

https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay": this is not a feature that LuLu uses, nor could it, even if it wanted to.

If you read the "Session Replay" documentation, it states that "Session Replay supports all browser-based JavaScript applications". LuLu is not a JS based app, so "Session Replay" is not even relevant to it.

If you want a build of LuLu without Sentry, easy enough - it's open-source! Just remove the dependency on the Sentry framework, remove the @import Sentry; and of course the call to kick off the crash reporting ([SentrySDK ...]).

matter, you're ignoring the point that I was making while picking parts of my examples to reason your ethics. This is spying and basically the only form of spying that your software doesn't alert users of.

LiamKearn commented 1 year ago

Aloha, Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash. Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry You can turn off crash reporting via LuLu's settings - which disables it fully, as you can see in the following code: https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay": this is not a feature that LuLu uses, nor could it, even if it wanted to. If you read the "Session Replay" documentation, it states that "Session Replay supports all browser-based JavaScript applications". LuLu is not a JS based app, so "Session Replay" is not even relevant to it. If you want a build of LuLu without Sentry, easy enough - it's open-source! Just remove the dependency on the Sentry framework, remove the @import Sentry; and of course the call to kick off the crash reporting ([SentrySDK ...]).

matter, you're ignoring the point that I was making while picking parts of my examples to reason your ethics. This is spying and basically the only form of spying that your software doesn't alert users of.

It's hardly spying if the source code is deobfuscated on GH or Sentry strings are included in an easy check over of the stripped binary and you choose to compile/run it yourself...

It's great that objective-see has made this easy to opt out of, I'd personally still like to see it opt-in but clearly nothing productive will come of arguing over it beyond a polite and rational message of support.

Good security originates from good supply chain and continues with good maintenance. LuLu provides excellent maintenance in (disallow and prompt by default mode) and your responsibility is to vet it (binary and the initial allow lists) when you download it.

PatTheMav commented 1 year ago

As I stated above, I don't mind the use of Sentry and personally I'd probably opt-in, but this is not about what any individual is comfortable with but rather what GDPR states as law applying to all citizens within the EEA (European Economic Area):

In the case of Sentry.io this could be fixed by having a proxy server in the EEC which forwards all Sentry-related data, thus obfuscating any individual IP address:

At least that's my understanding of the regulation after having gone through several compliance processes. Whether the developers of LuLu feel like they want or need to comply with this is up to them. 🤷🏻‍♂️

DaBigBlob commented 8 months ago

@objective-see I kinda guessed you don't actively work on Netiquette, so please take a look at: https://github.com/objective-see/Netiquette/issues/12 and https://github.com/objective-see/Netiquette/issues/15

With the sheer depth of access objective-see software requires, they shouldn't be making ANY outbound requests, including updates or crash reports.

I have immense respect for the work you do, but this is an outstanding security concern that hacks away at your reputation.

The request: please remove ALL outbound requests from all objective-see software that requires deep access on the user's system.

objective-see commented 8 months ago

Thank you for your feedback and patience.

All error reporting has been removed from LuLu (https://github.com/objective-see/LuLu/releases/tag/v2.6.0) and Netiquette (https://github.com/objective-see/Netiquette/releases/tag/v2.2.0).

Favor: As there now is no way to see if/when these tools crash, please manually submit any crashes you encounter, so they can be fixed for everybody 🙏🏽