
Security warning because of insecure HTTP URL in release artifact #3259

Open
G00fY2 opened this issue Mar 8, 2024 · 4 comments

Comments

@G00fY2

G00fY2 commented Mar 8, 2024

Integration: sentry-android
Build System: Gradle
AGP Version: 8.6
Proguard: Enabled
Version: 7.6

Steps to Reproduce

We use AppSweep by Guardsquare for security scans of our Android application. When scanning our minified release APK we see a security warning because of an "insecure HTTP URL" shipped in our code. The reported URL is http://10.0.2.2:8969/stream.

It seems like this was added with the spotlight integration: #3166

We do not use this feature and would like to prevent shipping this URL to avoid issues with security services like e.g. AppSweep or other external security pentests which we regularly need to pass.

Expected Result

Sentry SDK does not add insecure HTTP URLs to production code

Actual Result

Minified Android APK contains http://10.0.2.2:8969/stream

@markushi
Member

@G00fY2 , thanks for reporting!
Yes, this stems from here, although it's worth noting this URL is not being used unless spotlight is explicitly enabled via SentryOptions.

We'll discuss this internally, we could consider moving our SpotlightIntegration into a separate module, allowing you to completely exclude this module from release builds.

@stefanosiano
Member

Hey @G00fY2, is it possible to ignore this warning? It is not used at runtime by default anyway.

@G00fY2
Author

G00fY2 commented Mar 13, 2024

@stefanosiano Thanks for answering! Since it is not a build or lint warning, it will only show up in security analysis scans of our app artifacts (like AppSweep). We as developers could ignore it, but it adds noise to the results (currently it is the only non-HTTPS URL "shipped" in our quite large app project).
Also we regularly need to "pass" penetration tests done by external companies (e.g. TÜV) which usually report those issues too. We would like to avoid justifying such findings.

Also on Android we use code shrinking based on R8. Ideally unreachable/unused code should be removable by the shrinker.
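The scan the reporter describes, flagging plaintext `http://` URLs that survive minification into the release artifact, is easy to reproduce in a pre-release check so a team sees such findings before an external scanner does. The script below is an added example, not code from this issue, from Sentry, or from AppSweep: it opens an APK, AAR or JAR as a zip, scans only the code members (`classes*.dex`, `.class`) for ASCII `http://` string constants, and reports them per member. The sample archive is constructed inline with fake dex payloads; only the embedded strings matter for the check.

```python
import io
import re
import zipfile

# Plaintext-HTTP URL embedded as an ASCII string constant. Does not match "https://",
# because the "p" must be followed directly by "://".
HTTP_URL_RE = re.compile(rb"http://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'\x00]*)?")

# Members of an APK/AAR/JAR where Java/Kotlin string constants end up after minification.
CODE_MEMBER_RE = re.compile(r"(classes\d*\.dex|\.class)$")


def find_http_urls(archive_bytes: bytes) -> dict:
    """Return {member_name: [url, ...]} for every code member that contains an http:// URL."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not CODE_MEMBER_RE.search(info.filename):
                continue  # assets, resources and manifest are out of scope here
            data = zf.read(info.filename)
            urls = sorted({m.group(0).decode("ascii", "replace")
                           for m in HTTP_URL_RE.finditer(data)})
            if urls:
                findings[info.filename] = urls
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a minified release APK (hypothetical content, not a real dex)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # One HTTPS endpoint (fine) and the emulator-host URL the issue reports (flagged).
        zf.writestr("classes.dex",
                    b"dex\n035\x00...\x00https://example.com/api/\x00"
                    b"http://10.0.2.2:8969/stream\x00")
        zf.writestr("classes2.dex", b"dex\n035\x00...\x00https://example.com/\x00")
        # Non-code member: ignored by the scan even though it holds an http:// URL.
        zf.writestr("assets/readme.txt", b"see http://example.org/docs")
    return buf.getvalue()


def main() -> None:
    findings = find_http_urls(build_sample_apk())
    for member, urls in findings.items():
        for url in urls:
            print(f"{member}: insecure HTTP URL {url}")
    if findings:
        print("FAIL: plaintext HTTP URLs found in release code")
    else:
        print("OK: no plaintext HTTP URLs in release code")


if __name__ == "__main__":
    main()
```

Run against a real artifact by replacing `build_sample_apk()` with the bytes of the APK/AAR; wiring `main()` into a release pipeline and failing the build on any finding gives the same signal AppSweep produces, at the point where a shrinker rule or module exclusion can still fix it.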

@adinauer
Member

adinauer commented Mar 14, 2024

Could we generate a valid SSL cert for a sentry domain like "spotlight.local.sentry.dev" or similar that points to localhost (and another one for Android pointing to the special address used for accessing the host PC)?

We could then replace all the HTTP URLs with HTTPS ones and get rid of the warning.

Caveat: this wouldn't work offline if the DNS entry hasn't been cached yet.

@markushi markushi self-assigned this Mar 20, 2024
@markushi markushi removed their assignment May 8, 2024
Status: Needs Investigation
No branches or pull requests
4 participants