We use a static/dynamic security analysis tool on our prod build of the mApp and doing so we got reported an issue related to logs that contained what the tool qualifies as sensitive information.
Looking at the evidence for that it turned out to be related to appsflyer's sdk.
The log seems to be triggered by the OS when a background task fails and ends unexpectedly, which triggers an os_log log with the sensitive data.
What did you expect to happen?
I would expect for the appsflyer sdk to handle any potential errors in that background task and end gracefully without triggering any os_log that might contain sensitive data.
What happened instead?
We see an os_log log like this one:
Task <89F7E6B7-F037-41A3-A001-CE264D7F12DB>.<3> finished with error [-1004] Error Domain=NSURLErrorDomain Code=-1004 \"Could not connect to the server.\" UserInfo={_kCFStreamErrorCodeKey=61, NSUnderlyingError=0x302df0690 {Error Domain=kCFErrorDomainCFNetwork Code=-1004 \"(null)\" UserInfo={_NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, proxy, uses wifi, _kCFStreamErrorCodeKey=61, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <>.<3>, _NSURLErrorRelatedURLSessionTaskErrorKey=( \"LocalDataTask <>.<3>\" ), NSLocalizedDescription=Could not connect to the server., NSErrorFailingURLStringKey=https://ienroe-skadsdk.appsflyersdk.com/api/v2.0/rules?<<<<REMOVED SENSITIVE DATA>>>>>, NSErrorFailingURLKey=https://ienroe-skadsdk.appsflyersdk.com/api/v2.0/<<<<REMOVED SENSITIVE DATA>>>>>...",
I failed to mention we are using this through the appsflyer flutter sdk (v6.15.1), which in turn uses ios appsflyer_sdk v6.15.1, but since the issue seemed like an iOS specific thing I posted it here.
That being the case, the isDebug prop would map to showDebug in the dart code and we are using it as follows:
The kDebugMode is a Flutter constant that would be true only if you are running the app from the IDE in a dev env and false for any adhoc build / testflight prod build.
The security tool found the vulnerability in a testflight/prod build of the app so that should be false.
Which makes sense to me because if the debug log were activated I am sure the tool would have found many other instances of sensitive data from appsflyer itself being logged.
While googling that log line that starts with Task <some-id>.<> finished with error I found other sdks that had similar issues. The log itself doesn't seem to come from sdk code but from the OS itself when a background task fails unexpectedly. My understanding from skimming through some of the google results is that there is no way to silence it, instead the background task should manage the error properly so that it doesn't get all the way up to the os background task manager.
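A check for this class of finding, as an added example that is not part of the original issue or of the AppsFlyer SDK: it scans exported device log text for the task-failure line quoted above and reports which endpoints appear with query parameters, by parameter name only. The sample log lines, the host `sdk.example.invalid` and the parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Task-failure line in the shape quoted in the report above.
TASK_ERROR = re.compile(r"Task <[^>]*>\.<\d+> finished with error \[(-?\d+)\]")
# NSError userInfo keys that carry the full request URL, query string included.
URL_KEY = re.compile(r"(NSErrorFailingURL(?:String)?Key)=(https?://[^\s,}]+)")

# Constructed sample input (not from a real device).
SAMPLE_LOG = [
    'Task <11111111-2222-3333-4444-555555555555>.<3> finished with error [-1004] '
    'Error Domain=NSURLErrorDomain Code=-1004 "Could not connect to the server." '
    'UserInfo={NSErrorFailingURLStringKey=https://sdk.example.invalid/api/v2.0/rules'
    '?app_id=id000&device_id=AAAA-BBBB, NSErrorFailingURLKey='
    'https://sdk.example.invalid/api/v2.0/rules?app_id=id000&device_id=AAAA-BBBB}',
    'Task <11111111-2222-3333-4444-555555555555>.<7> finished with error [-1001] '
    'UserInfo={NSErrorFailingURLStringKey=https://sdk.example.invalid/health}',
    'App launched in 412 ms',
]

def find_url_leaks(lines):
    """Return one finding per failing-URL key whose URL has a query string.

    Only parameter names are copied into a finding, never their values,
    so the scanner's output can be attached to a ticket as-is.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        task = TASK_ERROR.search(line)
        if not task:
            continue  # not a task-failure line
        for key, url in URL_KEY.findall(line):
            parts = urlsplit(url)
            if not parts.query:
                continue  # URL without parameters: nothing to flag
            names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
            findings.append({
                "line": lineno,
                "code": int(task.group(1)),  # NSURLError code, e.g. -1004
                "key": key,
                "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
                "params": names,
            })
    return findings

if __name__ == "__main__":
    for finding in find_url_leaks(SAMPLE_LOG):
        print(finding)
```

Run it over a plain-text log export from a release build; grouping the findings by `endpoint` shows which component's requests are responsible.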
Report
SDK Version
6.15.1