Security notice: incorrect plugin configuration guidance in SDK 50 migration documentation may expose a sensitive key
Summary
In our migration guide from sentry-expo to @sentry/react-native, we accidentally recommended setting the authToken property in the plugin configuration. This is incorrect: it causes the auth token to be embedded in your app along with the rest of your public app config, which is generated by npx expo config --type public and is accessible at runtime through Constants.expoConfig.
Nothing that runs on a client device should be considered secure. In this case, it is trivial to extract the public app config from an app binary. Auth tokens, API keys, and any other sensitive values should be kept on a server and accessed through secure APIs. The correct approach here is to use an environment variable (for example, using secrets on EAS Build) that is set on the developer's machine or CI worker at build time. It is important not to reference this variable from any application code or configuration that is bundled inside the app: app.config.js is evaluated at build time, so a process.env reference there inlines the value into the public config.
This oversight in documentation was Expo’s mistake. We wrote the migration guide and provided it as guidance to the Sentry team for their documentation.
Scope of impact
- If an app is distributed to a store with the Sentry auth token in the embedded app config, a malicious actor could detect this by inspecting the application archive, and then extract the auth token and make API requests to Sentry on your behalf.
- The default scope of access for Sentry organization auth tokens is org:ci, which allows for “Source Map Upload, Release Creation”. These permissions are very limited, and a malicious actor would not be able to read any data. Such a token could still be used to upload bogus source maps or create releases in your organization, so it should be rotated regardless. The scope of the token that you use may be different; you can verify this in the Sentry dashboard.
How to determine if you are affected
Your app is affected if:
- You used the @sentry/react-native/expo config plugin in SDK 50 and set the authToken property in your app.json or app.config.js file, either by putting the auth token value directly in the configuration file or by referencing an environment variable containing the auth token from the configuration file, and
- You released a build with this configuration.
Your app is not affected if:
- You are using the @sentry/react-native/expo config plugin in SDK 50 and used the SENTRY_AUTH_TOKEN environment variable to set the auth token (as described in the "Using Sentry" guide), and
- You did not add the authToken property to your app.json or app.config.js file to read SENTRY_AUTH_TOKEN from your env.
This also does not impact developers that use sentry-expo and the postPublish hook: that field is filtered from the public manifest.
Example of an affected configuration (app.json/app.config.js)
export default {
  "expo": {
    "plugins": [
      [
        "@sentry/react-native/expo",
        {
          // Affected: authToken value is present in plugin config.
          "authToken": "your-auth-token",
          // Or through an environment variable, which is inlined
          // when the public config is evaluated.
          // "authToken": process.env.SENTRY_AUTH_TOKEN
        }
      ]
    ]
  }
}
How to proceed if your app is affected
- Delete the "authToken" property from your app.json or app.config.js file.
- Rotate your auth token in the Sentry dashboard by removing the old token and creating a new one. Removing the property only protects new builds; rotating the token is what invalidates the copies already shipped in distributed binaries.
- Use the SENTRY_AUTH_TOKEN environment variable to set your newly generated auth token. You can set this locally in your shell if you build or publish updates locally, or on EAS Build using secrets.
We hope this post is helpful for you to understand what happened and how/if you need to respond. You can reach out to secure@expo.dev with any follow up questions or concerns.