Vulnerability of keeping sentry.properties file in the app bundle #280
Comments
alternatively you can also use
I could use --sentry-defines but it will add another layer of reading this value from a source either on local machine or when this is running on the CI/CD. My question was more in terms of best practices for this file. For example, when one implements Google Analytics via Firebase, the GoogleService-Info.plist and google-services.json files are harmless even if someone gets their hands on these.
When you create the token, you're assigning permissions to it. Then when you share it (by writing it in a file) and who you share it with, you have to assume they now have the same permissions. Normally in shared/non-private projects, you'd use environment variables for tokens, namely
Yes, that's fine by me if any colleague working with my code is looking at the sentry.properties file. My question was what happens after deployment to web/iOS/Android. Is this .properties file visible when someone outside gets their hands on the ipa/apk/web-assets and they somehow extract the minified/obfuscated code?
I'll be closing this as this is not Sentry related (properties files are not specific to Sentry). Generally speaking, I wouldn't recommend exposing any sensitive data in a file that is shipped with your app.
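One way to check a release artifact against the advice above, as an added example (not part of the original thread and not Sentry's code): APK and IPA files are zip archives, so a pre-release step can list their entries and flag a shipped sentry.properties or a token line. The sample bundle and its paths are constructed, and matching the dotted `auth.token` spelling alongside the thread's `auth_token` is an assumption.

```python
import io
import re
import zipfile

# The thread names the key auth_token; the dotted spelling is an assumption.
TOKEN_LINE = re.compile(rb"^\s*auth[._]token\s*[=:]\s*(\S+)", re.MULTILINE)


def scan_bundle(bundle, max_bytes=1_000_000):
    """Return (entry_name, reason) findings for an APK/IPA/zip archive.

    bundle is a filesystem path or a binary file object.
    """
    findings = []
    with zipfile.ZipFile(bundle) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if base == "sentry.properties":
                findings.append((info.filename, "sentry.properties shipped"))
            # Content scan is limited to small entries to keep the check fast.
            if info.file_size > max_bytes:
                continue
            with zf.open(info) as fh:
                data = fh.read(max_bytes)
            if TOKEN_LINE.search(data):
                findings.append((info.filename, "auth token key present"))
    return findings


def make_sample_bundle():
    """Constructed stand-in for a build artifact (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/sentry.properties",
                    "org=example-org\nauth_token=PLACEHOLDER_TOKEN\n")
        zf.writestr("assets/AssetManifest.json", "{}")
        zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF\x00\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in scan_bundle(make_sample_bundle()):
        print(f"{name}: {reason}")
```

Run in CI against the real artifact path, a non-empty result can fail the build before the bundle is published.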
Since I am placing the sentry.properties file in the root of the Flutter project and it will be a part of my build, how vulnerable is it to keep the auth_token in it?