
deobfuscate breadcrumb messages and/or data values

Open matejbart opened this issue 4 years ago • 9 comments

Would it be possible to add support for adding obfuscated values in the android breadcrumbs that can be automatically deobfuscated in the sentry reports?

I stumbled upon this when I tried to implement a breadcrumbs lifecycle tracker for fragment classes (something similar to io.sentry.breadcrumbs.activity-lifecycle). The only way to preserve the class names in the reports was either by adding a proguard rule or by hardcoding the names of those classes.

Unfortunately, both workarounds have their disadvantages:

  • Proguard rules might hinder the obfuscation process, so as a consequence, the app can be more easily reverse-engineered if some class/package names are not obfuscated. This trade-off is a no-go for apps with high security standards.
  • Adding hard-coded values to represent class names might be very tedious and error-prone, especially for something like the lifecycle tracker if a huge number of fragments is used.

Basically, I'm open to any kind of flexible solution. One could be, for example, to introduce a function in the sentry lib that would encapsulate the obfuscated value to indicate that it needs to be deobfuscated while creating the sentry report.

matejbart avatar Dec 02 '20 11:12 matejbart

similar to #942

Thanks for raising this. True, this is a limitation and we'll eventually work on it. I don't see any workarounds for now.

Activity breadcrumbs are not obfuscated because the Android tooling adds the rules to exclude them from obfuscation by default, but not for Fragments. Right now, adding them manually is the only option, I guess.

This will require changes to our symbolication process. I'll try to discuss it internally and let you know ASAP, thanks.

marandaneto avatar Dec 02 '20 13:12 marandaneto

This came up also here: https://github.com/getsentry/examples/issues/116

I wonder if we could special case at least for NullPointerException. Since we have the full package+class name in there, we could run this through proguard processing during ingestion. /cc @jan-auer @untitaker

bruno-garcia avatar Nov 29 '21 18:11 bruno-garcia

Are those proguard names just embedded in another string? Is there an example payload?

untitaker avatar Nov 30 '21 13:11 untitaker

Also consider doing this for UI event breadcrumbs (#1876)

romtsn avatar Jan 19 '22 08:01 romtsn

@bruno-garcia @marandaneto @romtsn would it be possible, meanwhile, to use fragment.javaClass.canonicalName as the screen property value? At least there would be a chance for us to manually deobfuscate the name, otherwise such UI breadcrumbs are useless when obfuscation is active.

ninniuz avatar Sep 06 '22 11:09 ninniuz
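The manual deobfuscation mentioned in the comment above, sketched as an added example that is not part of the thread and not Sentry's code: it reads the class lines of a ProGuard/R8 `mapping.txt` and maps an obfuscated breadcrumb `screen` value back to the original class name, including the `canonicalName` form of nested classes. The sample mapping, the breadcrumb and all function names are constructed for illustration.

```python
import re

# Class lines in a ProGuard/R8 mapping.txt look like "original.Name -> obf.name:".
# Member lines are indented and comment lines start with '#'; neither matches.
CLASS_LINE = re.compile(r"^(?P<orig>\S+) -> (?P<obf>\S+):\s*$")

# Constructed sample mapping, not taken from a real build.
SAMPLE_MAPPING = """\
# compiler: R8
com.example.app.ui.LoginFragment -> a.a.b:
    android.view.View root -> a
    void onResume() -> b
com.example.app.ui.SettingsFragment -> a.a.c:
com.example.app.ui.SettingsFragment$Advanced -> a.a.c$a:
"""

def load_class_map(mapping_text):
    """Return {obfuscated class name: original class name}."""
    classes = {}
    for line in mapping_text.splitlines():
        m = CLASS_LINE.match(line)
        if m:
            classes[m["obf"]] = m["orig"]
    return classes

def deobfuscate_screen(name, classes):
    """Map a breadcrumb 'screen' value back to the original class name."""
    if name is None:      # canonicalName is null for anonymous/local classes
        return None
    if name in classes:   # binary name (javaClass.name) matches directly
        return classes[name]
    # canonicalName writes nested classes with '.' where the mapping has '$'
    for obf, orig in classes.items():
        if obf.replace("$", ".") == name:
            return orig.replace("$", ".")
    return name           # not in the mapping: kept by a rule, or a library class

def deobfuscate_breadcrumb(crumb, classes):
    """Return a copy of the breadcrumb with data['screen'] deobfuscated."""
    data = dict(crumb.get("data", {}))
    if "screen" in data:
        data["screen"] = deobfuscate_screen(data["screen"], classes)
    return {**crumb, "data": data}

if __name__ == "__main__":
    # Constructed breadcrumb as it would appear in a report from an obfuscated build.
    crumb = {"category": "ui.lifecycle", "data": {"screen": "a.a.c.a", "state": "resumed"}}
    print(deobfuscate_breadcrumb(crumb, load_class_map(SAMPLE_MAPPING)))
```

The mapping file has to come from the exact build that produced the report, since obfuscated names change between builds.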

@ninniuz please raise a new issue for that, since it can be fixed separately.

marandaneto avatar Sep 14 '22 09:09 marandaneto

@marandaneto I have opened a feature request in https://github.com/getsentry/sentry-java/issues/2362

ninniuz avatar Nov 15 '22 09:11 ninniuz

@zoesyc @brentc @kahest can we move this issue somewhere from the Android board, because it's actually mostly backend/symbolicator/rust-proguard work and not much on the SDK itself?

romtsn avatar Jan 25 '23 14:01 romtsn

I'm gonna follow up with the processing team to see if we can integrate this into the symbolicator/symbolication pipeline.

kahest avatar Nov 22 '23 14:11 kahest