Crash reporting SDKs by default capture the full application state at the time of a crash — including Redux stores, navigation state, and any API response bodies that were in memory. If your Redux state holds an auth token or your last API response includes user PII, that data ships to Sentry, Crashlytics, or Bugsnag's servers without any user consent or awareness. GDPR Art. 32 requires appropriate technical measures to protect personal data during processing — sending PII to a third-party crash analytics service without scrubbing is a data transfer that must be disclosed and minimized. CWE-532 (Insertion of Sensitive Information Into Log File) applies directly. OWASP A09 (Security Logging and Monitoring Failures) includes over-logging as a failure mode.
Medium because PII in crash logs requires authenticated access to the crash analytics dashboard to exploit, but represents a GDPR Art. 32 violation and creates data processor obligations with the crash reporting vendor.
Configure a beforeSend hook (Sentry) or equivalent to strip sensitive fields before logs leave the device. Scrub auth tokens, user IDs, and API response bodies that contain PII.
import * as Sentry from '@sentry/react-native'
Sentry.init({
dsn: process.env.SENTRY_DSN,
beforeSend(event) {
// Strip auth tokens from Redux state snapshot
if (event.contexts?.['redux state']) {
const state = event.contexts['redux state'] as Record<string, unknown>
if (state.auth) {
state.auth = { authenticated: !!(state.auth as Record<string, unknown>).token }
}
}
// Redact PII from request/response bodies
if (event.request?.data) {
const data = event.request.data as Record<string, unknown>
if (data.email) data.email = '[REDACTED]'
if (data.phone) data.phone = '[REDACTED]'
}
return event
},
})
For Firebase Crashlytics, use crashlytics().setAttribute() with only non-identifying session metadata — never log full user objects or API responses as custom keys.
ID: mobile-permissions-privacy.privacy-compliance.crash-logs-sanitized
Severity: medium
What to look for: Enumerate all crash reporting/error logging SDKs (Sentry, Firebase Crashlytics, Bugsnag, etc.). For each, check for beforeSend hooks, data scrubbing config, or filtering that redacts sensitive fields (auth tokens, user IDs, email addresses, API responses with PII).
Pass criteria: If using crash logging, at least 1 data filtering mechanism exists (beforeSend hook, scrubber config, or custom filtering) that redacts sensitive data before logs are sent. Report the count even on pass: "Found N crash logging SDKs, all have data filtering configured."
Fail criteria: Any crash logging SDK sends logs that include sensitive data like auth tokens, user email, or full API response bodies containing PII, without filtering.
Skip (N/A) when: App does not use crash logging or error reporting (no Sentry, Crashlytics, Bugsnag, or similar SDK found in dependencies).
Detail on fail: Quote the SDK configuration. Example: "Sentry configured but not filtering auth tokens from Redux state captured in crash logs" or "API error responses containing user PII sent to Crashlytics without redaction"
Remediation: Configure your crash reporting to filter sensitive data:
import * as Sentry from '@sentry/react-native'
Sentry.init({
dsn: 'YOUR_DSN',
beforeSend(event) {
// Redact auth token from context
if (event.contexts?.redux?.state) {
delete event.contexts.redux.state.auth.token
}
// Redact PII from breadcrumbs
event.breadcrumbs = event.breadcrumbs?.map(crumb => {
if (crumb.data?.email) {
crumb.data.email = '[REDACTED]'
}
return crumb
})
return event
},
})