objective-see / LuLu

LuLu is the free macOS firewall
GNU General Public License v3.0
9.95k stars 464 forks source link

LuLu contacting Sentry.io #488

Closed holow29 closed 9 months ago

holow29 commented 2 years ago

The LuLu app appears to contact Sentry.io quite a bit when it is in-use, I'm assuming for telemetry purposes. Is there any plan to make this behavior opt-out? Additionally, using LuLu itself, I can try to block it from reaching out to Sentry.io with a manual rule, but somehow the requests are still getting out. Is LuLu bypassing itself by not using Network.framework or NSURLSession connections?

Using a local block list (Preferences->Block List) with sentry.io listed also does not seem to have an effect. I'm seeing this with other DNS-based blocking as well such as Office endpoints (self.events.data.microsoft.com, nexusrules.officeapps.live.com). It seems odd because some requests appear to use the types of connections that LuLu can detect - as I am prompted to either allow or block them. However, blocking does not seem to prevent them.

I'll note that blocking the process from making any outgoing connections does work as expected, which is why I assume the issue is with the DNS-based blocking, perhaps given the limitation described in the documentation and above. I guess the question becomes - why do they show up at any point (giving me the option to block/allow and add a rule) if they are not going to abide by it? If they use a different type of unsupported connection, wouldn't they never show up?

MacOS 12.6 LuLu 2.4.2

PatTheMav commented 2 years ago

I got that alert for the first time today as well - I don't mind apps sending telemetry data, if it's opt-in.

It should also be noted that this is a GDPR violation as there is no privacy policy available on objective-see.org or from within the app that discloses the usage of Sentry.io and thus that personally identifiable data is transmitted to services not under control by the same entity (and IP addresses are PII per the ruling of European courts).

While it could be argued that such telemetry is a "legitimate interest" (which is arguable) and does not require explicit consent, even in that case it would require disclosure in a data privacy policy.

GitHugz commented 2 years ago

I 3rd this conclusion. Sentry.io is called every 2 minutes whenever LuLu Application is open (not including when it is on in the background), just when Rules, Mode, Update, Network Monitor, etc is open. As of post date, neither TOS/Privacy Policy states this telemetry function is built in. This calls into question the integrity of the rest of the code.

objective-see commented 2 years ago

Sentry.io is the open-source error reporting system used by LuLu to report crashes.

From Sentry.io

Sentry's SDKs report an error automatically whenever a thrown error or exception goes uncaught in your application, causing the application to crash. The SDK automatically hooks into all signal and exception handlers ... The SDK builds a crash report that persists to disk and tries to send the report right after the crash. Since the environment may be unstable at the crash time, the report is guaranteed to send once the application is started again.

It is compiled into LuLu, and invoked via the following:

        [SentrySDK startWithConfigureOptions:^(SentryOptions *options) {
            options.dsn = SENTRY_DSN;
            options.debug = YES;
        }];

See: https://github.com/objective-see/LuLu/blob/5930191cc2049a6feef531a2c8975c63cd2fb307/LuLu/App/main.m#L35)

1️⃣ Sentry.io is open-source: https://github.com/getsentry/sentry-cocoa

2️⃣ LuLu only uses Sentry for crash reporting, not for any telemetry data

3️⃣ According to Sentry, any crash reports are compliant w/ privacy policies including GDPR See Sentry's documentation on this "GDPR, Sentry, and You" for details on this.

4️⃣ As a limitation of Apple's Network Extension Framework (which LuLu) leverages to filter network traffic, URLs (e.g. "sentry.io") are not always reported to LuLu - rather just the (resolved) IP. Hence the (Apple) framework might never pass the URL to LuLu, hence it won't be blocked. (Some are, hence the block list feature is still useful, but works better for IP addresses).

5️⃣ I will update LuLu's page to include the fact that it uses sentry.io for error reporting. Note other Objective-See tools use Sentry as well, and this has been documented (e.g. see KnockKnock):

image

I should also add a privacy policy to the site. I figured since all the tools are open-source that would suffice ;) (Also no telemetry or user data is ever collected ....just crash reporting).

6️⃣ Good suggestion, re: the opt-out of error reporting ...maybe would be worth adding a preference to LuLu for this.

7️⃣ I will look into why Sentry.io is being contacted so often! This is strange as unless they changed their SDK/framework, is only supposed to happen on a crash report. (And again, this is the only information that LuLu is interested in):

image
GitHugz commented 2 years ago

I appreciate the swift reply.

Edit: The Issue included in the second portion for reference has closed.

PatTheMav commented 2 years ago

Alas per GDPR there is no difference between being closed source, open source, distributing software or offering plumbing services:

By that token one could argue that usage of Sentry not only requires its listing in the privacy policy, but also explicit consent by users from the EEA, possibly also from citizens of California.

On top of all that I think Sentry.io cannot be GDPR compliant as it relies on Privacy Shield (which has been struck down by European courts and is void) and as long as it's a US-based company even storing data on EU servers is akin to transmitting data to the US.

Transmission to the US is permissible under standard contractual clauses, but requires an Data Protection Impact Assessment (DPIA) that outlines how data of European customers is protected from access by US authorities under FISA court orders.


I know this is annoying and complex but I had to go through this process in multiple companies for different products and services, and the regulation is strict and has been interpreted even stricter by courts.

LiamKearn commented 2 years ago

Seconding for opting out here.

I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

PatTheMav commented 2 years ago

Seconding for opting out here.

I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

Per GDPR it has to be opt-in and if you don't answer it needs to be treated as a "no" (which is why many companies resort to dark UI patterns).

I don't assume any sinister motivations behind either Sentry.io or its usage, but the regulation is what it is.. 🤷🏻‍♂️

LiamKearn commented 2 years ago

Seconding for opting out here. I understand the want for crash reporting but I suspect most people that use LuLu will willingly open up an issue on GH.

Per GDPR it has to be opt-in and if you don't answer it needs to be treated as a "no" (which is why many companies resort to dark UI patterns).

I don't assume any sinister motivations behind either Sentry.io or its usage, but the regulation is what it is.. 🤷🏻‍♂️

Sure I'm happy either way.

My data doesn't fall under the GDPR and nor does the objective-see non-profit (ref). GDPR is awesome for everyone it protects but I'm sure you'll agree it's a bit of a pain for developers sometimes 😅

PatTheMav commented 2 years ago

Contrary to (apparently) popular belief, every entity processing data of European citizens falls under GDPR. This includes corporations, non-profits, or private individuals in every country.

The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

https://gdpr.eu/companies-outside-of-europe/

In the case of Sentry.io, specifically this applies:

If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.

LiamKearn commented 2 years ago

I didn't know that, In practice would anything happen? nope.

Sounds like Sentry passes liability with what their customers collect somehow, their wording in that exert is very specific.

What sort of standard would it set if a non-profit, non-European, open source software project that protects your data was slapped with whatever repercussions a GDPR violation entails. Yes there are articles saying the the GDPR will effect your US non-profit. Will there ever be any action in something this giving? again nope.

Who are you suing? The person who committed the Sentry SDK into the project. Or the person who triggered the CI pipeline and built the artifact that was distributed, the application signer or whoever has liability for LuLu as a non-profit (If that's even a concept in a US based non-profit)? I'm sure someone could care to find answers to all of those but it would be stupid.

It's entirely dependant on politics it's not something that is even remotely to yield an actual action in this case.

It's just a big list of acktually to me. Call that naive if you want.

To be clear I'm absolutely not against being compliant, I just don't care what call the developers decide to make. If they want to keep using sentry I'm all for it.

objective-see commented 1 year ago

Working on implementing a preference to turn off error reporting 😇

Screenshot 2023-04-04 at 19 41 11
DaveLak commented 1 year ago

Working on implementing a preference to turn off error reporting 😇

It looks like this was completed in 7d8bf183396d01df669f2f37b5eac1f86047dbdf and shipped in https://github.com/objective-see/LuLu/releases/tag/v2.5.0.

@objective-see, this issue can probably be closed, correct?

etherx-dev commented 1 year ago

Thought i was over reacting when noticing this, but seriously this just messed up beyond words.

Screenshot 2023-08-21 at 05-15-44 Session Replay - poetic-redbird - Sentry

https://try.sentry-demo.com/organizations/poetic-redbird/replays/

Whatever the motive of Owner is, they should have an easy option to remove these tracking functions even in xcode builds we are stuck with the binaries and other tracking backdoors.

I wonder what kind of data the devs get, has anyone tried replacing the sentry id

objective-see commented 1 year ago

Aloha,

Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash.

Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry

You can turn off crash reporting via a LuLu's settings - which disables it fully, as you can see in the following code: https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay" this is not a feature that LuLu uses, nor could it, even it wanted to.

If you read the "Session Replay" documentation, it states that, "Session Replay supports all browser-based JavaScript applications" LuLu is not a JS based app, so "Session Replay" is not even relevant to it.

If you want a build of LuLu w/ out Sentry easy enough - it's open-source! Just remove the dependency on Sentry framework, remove the @import Sentry; and of course the call to kick of the crash reporting ([SentrySDK ...]).

etherx-dev commented 1 year ago

Aloha,

Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash.

Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry

You can turn off crash reporting via a LuLu's settings - which disables it fully, as you can see in the following code:

https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay" this is not a feature that LuLu uses, nor could it, even it wanted to.

If you read the "Session Replay" documentation, it states that, "Session Replay supports all browser-based JavaScript applications" LuLu is not a JS based app, so "Session Replay" is not even relevant to it.

If you want a build of LuLu w/ out Sentry easy enough - it's open-source! Just remove the dependency on Sentry framework, remove the @import Sentry; and of course the call to kick of the crash reporting ([SentrySDK ...]).

matter your ignoring the point that I was making while picking parts of my examples to reason your ethics. this is spying and basically the only form of spying that your software doesn't alert users of.

LiamKearn commented 1 year ago

Aloha, Please note that LuLu only uses the basic crash reporting features of Sentry.io. Such crash reports do not contain personally identifiable information, but simply the technical information, such as stack back traces and loaded libraries, that lead up to a/the crash. Please learn more about this here (and see that other privacy focused applications like Firefox use Sentry) https://github.com/mozilla-mobile/firefox-ios/wiki/Crash-Reporting-with-Sentry You can turn off crash reporting via a LuLu's settings - which disables it fully, as you can see in the following code: https://github.com/objective-see/LuLu/blob/acba28bb3e14c1e1ee97a7031cadfabbd3490452/LuLu/Extension/main.m#L49

Regarding "Session Replay" this is not a feature that LuLu uses, nor could it, even it wanted to. If you read the "Session Replay" documentation, it states that, "Session Replay supports all browser-based JavaScript applications" LuLu is not a JS based app, so "Session Replay" is not even relevant to it. If you want a build of LuLu w/ out Sentry easy enough - it's open-source! Just remove the dependency on Sentry framework, remove the @import Sentry; and of course the call to kick of the crash reporting ([SentrySDK ...]).

matter your ignoring the point that I was making while picking parts of my examples to reason your ethics. this is spying and basically the only form of spying that your software doesn't alert users of.

It's hardly spying if the source code is deobfuscated on GH or sentry strings are included in a easy check over of the stripped binary and you chose to compile/run it yourself...

It's great that objective-see has made this easy to opt out of, I'd personally still like to see it opt-in but clearly nothing productive will come of arguing over it beyond a polite and rational message of support.

Good security originates from good supply chain and continues with good maintenance. LuLu provides excellent maintenance in (disallow and prompt by default mode) and your responsibility is to vet it (binary and the initial allow lists) when you download it.

PatTheMav commented 1 year ago

As I stated above, I don't mind the use of Sentry and personally I'd probably opt-in, but this is not about what any individual is comfortable with but rather what GDPR states as law applying to all citizens within the EEA (European Economic Area):

In the case of Sentry.io this could be fixed by having a proxy server in the EEC which forwards all Sentry-related data, thus obfuscating any individual IP address:

At least that's my understanding of the regulation after having gone through several compliance processes. Whether the developers of LuLu feel like they want or need to comply with this is up to them. 🤷🏻‍♂️

DaBigBlob commented 10 months ago

@objective-see i kinda guessed you dont actively work on Netiquette so please take a look at: https://github.com/objective-see/Netiquette/issues/12 and https://github.com/objective-see/Netiquette/issues/15

with the sheer depth of assess objective-see software requires, they shouldn't be making ANY outbound requests. including updates or crash reports.

i have immense respect for the work you do but this is an outstanding security concern that hacks away at your reputation.

the request: please remove ALL outbound requests from all objective-see software that requires deep access on the user's system.

objective-see commented 9 months ago

Thank you for your feedback and patience.

All error reporting has been removed from LuLu (https://github.com/objective-see/LuLu/releases/tag/v2.6.0) and Netiquette (https://github.com/objective-see/Netiquette/releases/tag/v2.2.0).

Favor: As there now is no way to see if/when these tools crash, please manually submit any crashes you encounter, so they can be fixed for everybody 🙏🏽