
Consider removing function call: ActivityManager.getRunningAppProcesses()

Open taolulu opened this issue 3 years ago • 7 comments

Problem Statement

I've noticed that Sentry-Android has been using ActivityManager.getRunningAppProcesses() to check process importance since 5.4.3. This behavior is considered a privacy risk in our country.

In China, the government forbids this kind of behavior before the user has agreed to the user policies, or your app will be removed from all the local third-party app stores. These local third-party app stores also warn us not to abuse getRunningAppProcesses while the app is running.

Otherwise, the comment on ActivityManager.getRunningAppProcesses() mentions that: "this method is only intended for debugging or building a user-facing process management UI", so the way you're using it is also inconsistent with the author's intent.

So, please consider finding an alternative way to replace this function call, thank you 🙏

Solution Brainstorm

No response

taolulu avatar Jul 26 '22 07:07 taolulu

Hello @taolulu, I assume an opt-out flag would do the trick, do you agree?

adinauer avatar Jul 27 '22 06:07 adinauer

> Hello @taolulu, I assume an opt-out flag would do the trick, do you agree?

It's enough for my use case.

By the way, I need an option to avoid the root checker. This function works by collecting several packages' info, which is also considered privacy-risk behavior 😭. I hope you will consider adding this option in a future release.

taolulu avatar Jul 27 '22 09:07 taolulu

@taolulu is your request regarding root checker similar to https://github.com/getsentry/sentry-java/issues/2108 or can the call be in the code and turned off via a flag for your use case?

adinauer avatar Jul 27 '22 10:07 adinauer

No need to remove code, a flag is enough.

taolulu avatar Jul 28 '22 01:07 taolulu

Thank you for clarifying, I'll have to talk about it with the team. We'll update the issue when we know more.

adinauer avatar Jul 28 '22 06:07 adinauer

Our suggestion is to have a flag, that is on by default and can be turned off. The flag could then control multiple features including the root checker. We haven't come up with a good name yet.

One side effect of turning off the getRunningAppProcesses call is that app start duration reports would be wrong due to starts triggered by notifications and similar.

Would you like to open a PR for the flag?

adinauer avatar Aug 17 '22 14:08 adinauer

OK, I'll try to figure it out.

taolulu avatar Aug 18 '22 09:08 taolulu

+1 This causes my app to be rejected by stores.

fzyzcjy avatar Feb 13 '23 13:02 fzyzcjy

Are there any updates? Thanks!

fzyzcjy avatar Feb 13 '23 13:02 fzyzcjy

We don't consider this a high-priority issue, so if you're up for a quick PR hiding this behind a flag, we'd gladly accept it.

romtsn avatar Feb 13 '23 13:02 romtsn

Sure, I will submit a PR!

fzyzcjy avatar Feb 14 '23 04:02 fzyzcjy

@romtsn Since I am unfamiliar with the Sentry codebase, may I know where you suggest putting that boolean flag? I guess it could simply be somewhere near https://github.com/getsentry/sentry-java/blob/4b32504a16c1ffd2325208184a90b34a8252fb02/sentry-android-core/src/main/java/io/sentry/android/core/SentryAndroidOptions.java#L19

fzyzcjy avatar Feb 14 '23 04:02 fzyzcjy

FYI, seems like we found a way to retrieve foreground_importance without violating app stores' requirements. https://stackoverflow.com/a/40804658

@fzyzcjy or @taolulu would you be able to confirm the mentioned^ solution is not gonna be prohibited by the stores? (in this case we would only get our own process information and not all of the running apps)

romtsn avatar Feb 15 '23 11:02 romtsn
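
The two ways of reading process importance discussed in this thread, side by side, as an added example that is not code from sentry-java or from any participant. The class name, method names and the `enabled` flag are hypothetical, and it assumes the own-process approach mentioned above is `ActivityManager.getMyMemoryState`, which fills in fields only for the calling process.

```java
import android.app.ActivityManager;
import android.app.ActivityManager.RunningAppProcessInfo;
import android.content.Context;
import android.os.Process;
import java.util.List;

/** Hypothetical helper for illustration; not part of sentry-java. */
public final class ProcessImportance {
  private ProcessImportance() {}

  /** Pattern reported in the issue: requests the running-process list, then filters by pid. */
  static boolean isForegroundViaProcessList(Context context) {
    ActivityManager am =
        (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
    if (am == null) {
      return false;
    }
    List<RunningAppProcessInfo> processes = am.getRunningAppProcesses();
    if (processes == null) {
      return false;
    }
    int myPid = Process.myPid();
    for (RunningAppProcessInfo info : processes) {
      if (info.pid == myPid) {
        return info.importance == RunningAppProcessInfo.IMPORTANCE_FOREGROUND;
      }
    }
    return false;
  }

  /** Own-process query: no process list is requested, only this process's state is read. */
  static boolean isForegroundViaOwnState() {
    RunningAppProcessInfo info = new RunningAppProcessInfo();
    // Static call; populates pid, uid, importance and a few related fields
    // for the calling process only.
    ActivityManager.getMyMemoryState(info);
    return info.importance == RunningAppProcessInfo.IMPORTANCE_FOREGROUND;
  }

  /**
   * Opt-out wrapper in the spirit of the flag proposed in the thread.
   * Returns null when collection is disabled so callers can tell
   * "unknown" apart from "background".
   */
  static Boolean foregroundImportance(boolean enabled) {
    return enabled ? Boolean.valueOf(isForegroundViaOwnState()) : null;
  }
}
```

Searching a dependency's sources or decompiled classes for `getRunningAppProcesses` is a quick way to see which call path an SDK version uses before submitting a build for store review.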

We'll ship this as part of the next 7.0 version (most likely 7.0.0-rc.1, coming in a couple of days)

romtsn avatar Oct 23 '23 19:10 romtsn