Internal endpoints Disclosed

[Synctest-hub]

Description

While decompiling our APK, we found that in the file path C0/z.java, the following endpoints are present:

"http://10.0.2.2:8969/stream" : "http://localhost:8969/stream"
These appear to be local development endpoints, and we suspect they are internally used by the third-party Sentry Dart SDK. We discovered this in our

APK during a security review.

Could you please confirm if these endpoints are intentionally included and whether their presence in the final APK could pose any potential security or privacy risks?

[linear]

DART-191 Internal endpoints Disclosed

[buenaflor]

They are coming from here: https://github.com/getsentry/sentry-java/blob/d2a266e3b125e6a1c1575328f8cdbf7c5a00cfb7/sentry/src/main/java/io/sentry/SpotlightIntegration.java#L82C1-L94C1

These are part of the endpoint for sending events to Spotlight (developed by us at Sentry), which is a lightweight local development ingest tool where you can send Sentry events to for quick validation of errors. Spotlight is disabled by default.

let me ping someone who can chime in on the security aspect

[Synctest-hub]

Please look into this
Affected Code
File Path: C0/Z.java
// Line 364 HttpURLConnection d9 = SpotlightIntegration.d(
b12.getSpotlightConnectionUrl() != null ?
spotlightIntegration.f7292k.getSpotlightConnectionUrl() :
io.sentry.util.e.f8388a ?
"http://10.0.2.2:8969/stream" :
"http://localhost:8969/stream"
);
Observed Value: http://10.0.2.2:8969/stream

Proof of Concept
Obtain the APK of the Android app from the device or Play Store.
Decompile the APK using tools like jadx, apktool, or MobSF: jadx-gui Example.apk
Navigate to C0/Z.java, line 364.
Observe fallback URL assignment logic involving http://10.0.2.2:8969/stream and http://localhost:8969/stream.
Exploit Scenario
An attacker reverse-engineers the app and identifies this fallback logic.
If debug flags or testing configurations are mistakenly left enabled in production, the attacker may:
Redirect or spoof traffic to a malicious local server emulating 10.0.2.2:8969.
Force the app into debug mode (if toggled by a setting or user input).
Exfiltrate or manipulate data passed through SpotlightIntegration using this debug endpoint.

[linear]

JAVA-127 Internal endpoints Disclosed