Security notice: incorrect plugin configuration guidance in SDK 50 migration documentation may expose a sensitive key

Brent Vatne, published in Exposition, Feb 27, 2024

Summary

In our migration guide from sentry-expo to @sentry/react-native, we accidentally recommended setting the authToken property in the plugin configuration. This is incorrect. It causes the auth token to be embedded in your app along with the rest of your public app config, which is generated by npx expo config --type public and is accessible at runtime through Constants.expoConfig.

Nothing that runs on a client device should be considered secure. In this case, it is trivial to extract the public app config from an app binary. Auth tokens, API keys, and any other sensitive values should all be kept on a server and accessed through secure APIs. The correct approach here is to use an environment variable (for example, using secrets on EAS Build). This is set on the developer’s machine or CI worker at build time. It’s important not to include this variable in any application code or configuration that is bundled inside of the app.

This oversight in documentation was Expo’s mistake. We wrote the migration guide and provided it as guidance to the Sentry team for their documentation.

Scope of impact

  • If an app is distributed to a store with the Sentry auth token in the embedded app config, a malicious actor could detect this by inspecting the application archive, and then extract the auth token and make API requests to Sentry on your behalf.
  • The default scope of access for Sentry organization auth tokens is org:ci — which allows for “Source Map Upload, Release Creation”. These permissions are very limited, and a malicious actor would not be able to read any data. The scope of the token that you use may be different; you can verify it in the Sentry dashboard.

How to determine if you are affected

Your app is affected if:

  • You used the @sentry/react-native/expo config plugin in SDK 50 and set the authToken property in your app.json or app.config.js file. You either put the auth token value directly in the configuration file, or you referenced an environment variable containing the auth token in the configuration file.
  • And you released a build with this configuration.

Your app is not affected if:

  • You are using the @sentry/react-native/expo config plugin in SDK 50 and used the SENTRY_AUTH_TOKEN environment variable to set the auth token (as described in the "Using Sentry" guide), and
  • You did not add the authToken property to your app.json or app.config.js file to read SENTRY_AUTH_TOKEN from your env.
  • Developers who use sentry-expo and the postPublish hook are not affected, because that field is filtered from the public manifest.

Example of an affected configuration (app.json/app.config.js)

export default {
  "expo": {
    "plugins": [
      [
        "@sentry/react-native/expo",
        {
          // Affected: authToken value is present in plugin config.
          "authToken": "your-auth-token",

          // Or through an environment variable, which is inlined
          // when the public config is evaluated.
          // "authToken": process.env.SENTRY_AUTH_TOKEN
        }
      ]
    ]
  }
}
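As an added check for the "How to determine if you are affected" section (example code written for this post, not Expo's or Sentry's own tooling): a small Node script that scans an evaluated Expo config object for a @sentry/react-native/expo plugin entry carrying authToken. The two sample configs in it are constructed for the demonstration, and it assumes the public config is available as a parsed object (for example, the output of npx expo config --type public).

```javascript
// Added example: detect an embedded Sentry auth token in an Expo app config.
// Handles both plugin forms Expo accepts: a bare string ("some-plugin") and a
// [name, options] tuple. Returns findings without ever echoing the token.
const SENTRY_PLUGIN = "@sentry/react-native/expo";

function findEmbeddedSentryAuthToken(config) {
  // app.json wraps everything in "expo"; an evaluated public config may not.
  const expo = config && config.expo ? config.expo : config;
  const plugins = Array.isArray(expo && expo.plugins) ? expo.plugins : [];
  const findings = [];

  plugins.forEach((entry, index) => {
    // Bare string form has no options, so nothing can be embedded there.
    if (typeof entry === "string") return;
    if (!Array.isArray(entry) || entry[0] !== SENTRY_PLUGIN) return;

    const options = entry[1];
    if (options && typeof options === "object" && "authToken" in options) {
      const value = options.authToken;
      findings.push({
        pluginIndex: index,
        // Report only that a value is set and a short prefix, never the token.
        present: typeof value === "string" && value.length > 0,
        preview: typeof value === "string" ? value.slice(0, 4) + "..." : String(value),
      });
    }
  });
  return findings;
}

// Constructed sample configs (placeholder values, not real tokens or projects).
const affectedConfig = {
  expo: {
    plugins: [[SENTRY_PLUGIN, { organization: "acme", project: "app", authToken: "your-auth-token" }]],
  },
};
const safeConfig = {
  expo: {
    plugins: ["expo-font", [SENTRY_PLUGIN, { organization: "acme", project: "app" }]],
  },
};

console.log("affected:", JSON.stringify(findEmbeddedSentryAuthToken(affectedConfig)));
console.log("safe:", JSON.stringify(findEmbeddedSentryAuthToken(safeConfig)));
```

Any non-empty result means the token would ship inside the app binary and the remediation steps below apply.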

How to proceed if your app is affected

  • Delete the "authToken" property from your app.json or app.config.js file.
  • Rotate your auth token on the Sentry dashboard by removing the old token and creating a new token.
  • Use the SENTRY_AUTH_TOKEN environment variable to set your newly generated auth token. You can set this locally in your shell if you build or publish updates locally, or on EAS Build using secrets.

We hope this post helps you understand what happened and whether and how you need to respond. You can reach out to secure@expo.dev with any follow-up questions or concerns.
