Tighten up Sentry error reporting significantly

Author: pimterry

app/src/main/AndroidManifest.xml

@@ -112,6 +112,7 @@
 
         <meta-data android:name="search-engine" android:resource="@xml/noindex" />
 
+        <meta-data android:name="io.sentry.auto-init" android:value="false" />
         <meta-data android:name="io.sentry.enabled" android:value="${sentryEnabled}" />
         <meta-data android:name="io.sentry.dsn" android:value="${sentryDsn}" />
     </application>

app/src/main/java/tech/httptoolkit/android/HttpToolkitApplication.kt

@@ -12,7 +12,6 @@ import com.android.installreferrer.api.InstallReferrerClient.InstallReferrerResp
 import com.android.installreferrer.api.InstallReferrerStateListener
 import com.beust.klaxon.Json
 import com.beust.klaxon.Klaxon
-import io.sentry.Sentry
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import net.swiftzer.semver.SemVer
@@ -71,19 +70,19 @@ class HttpToolkitApplication : Application() {
         super.onCreate()
         prefs = getSharedPreferences(HTTP_TOOLKIT_PREFERENCES_NAME, MODE_PRIVATE)
 
-        Thread.setDefaultUncaughtExceptionHandler { _, _ ->
+        initSentry(this)
+
+        val previousUncaughtHandler = Thread.getDefaultUncaughtExceptionHandler()
+        Thread.setDefaultUncaughtExceptionHandler { thread, throwable ->
             prefs.edit { putBoolean(APP_CRASHED_PREF, true) }
+            previousUncaughtHandler?.uncaughtException(thread, throwable)
         }
 
         // Check if we've been recreated unexpectedly, with no crashes in the meantime:
         val appCrashed = prefs.getBoolean(APP_CRASHED_PREF, false)
         prefs.edit { putBoolean(APP_CRASHED_PREF, false) }
 
         vpnWasKilled = vpnShouldBeRunning && !isVpnActive() && !appCrashed && !isProbablyEmulator
-        if (vpnWasKilled) {
-            Sentry.captureMessage("VPN killed in the background")
-            // The UI will show an alert next time the MainActivity is created.
-        }
 
         Log.i(TAG, "App created")
     }

app/src/main/java/tech/httptoolkit/android/ProxyVpnRunnable.kt

@@ -8,11 +8,9 @@ import tech.httptoolkit.android.vpn.SessionHandler
 import tech.httptoolkit.android.vpn.SessionManager
 import tech.httptoolkit.android.vpn.socket.SocketNIODataService
 import io.sentry.Sentry
-import tech.httptoolkit.android.vpn.transport.PacketHeaderException
 import java.io.FileInputStream
 import java.io.FileOutputStream
 import java.io.InterruptedIOException
-import java.net.ConnectException
 import java.net.InetSocketAddress
 import java.nio.ByteBuffer
 
@@ -80,23 +78,8 @@ class ProxyVpnRunnable(
                         packet.limit(length)
                         handler.handlePacket(packet)
                     } catch (e: Exception) {
-                        val errorMessage = (e.message ?: e.toString())
-                        Log.e(TAG, errorMessage)
-
-                        val isIgnorable =
-                            (e is ConnectException && errorMessage == "Permission denied") ||
-                            // Nothing we can do if the internet goes down:
-                            (e is ConnectException && errorMessage == "Network is unreachable") ||
-                            (e is ConnectException && errorMessage.contains("ENETUNREACH")) ||
-                            // Too many open files - can't make more sockets, not much we can do:
-                            (e is ConnectException && errorMessage == "Too many open files") ||
-                            (e is ConnectException && errorMessage.contains("EMFILE")) ||
-                            // IPv6 is not supported here yet:
-                            (e is PacketHeaderException && errorMessage.contains("IP version should be 4 but was 6"))
-
-                        if (!isIgnorable) {
-                            Sentry.captureException(e)
-                        }
+                        Log.e(TAG, e.message ?: e.toString())
+                        Sentry.captureException(e)
                     }
 
                     packet.clear()

app/src/main/java/tech/httptoolkit/android/SentrySetup.kt

@@ -0,0 +1,104 @@
+package tech.httptoolkit.android
+
+import android.content.Context
+import io.sentry.SentryEvent
+import io.sentry.SentryOptions
+import io.sentry.android.core.SentryAndroid
+import tech.httptoolkit.android.vpn.transport.PacketHeaderException
+import java.io.IOException
+import java.net.BindException
+import java.net.ConnectException
+import java.net.SocketException
+import java.net.SocketTimeoutException
+import java.security.cert.CertificateException
+
+/**
+ * Central Sentry configuration. We initialize manually (auto-init is disabled in the
+ * manifest via io.sentry.auto-init) so that we can attach a beforeSend hook. This is the
+ * single place where we filter out expected/unactionable noise and collapse high-cardinality
+ * issues, rather than scattering ignore-checks across individual capture call sites.
+ *
+ * The DSN and enabled flag are still read from the manifest meta-data, so the existing
+ * build-type gating (reporting only in release builds) continues to apply unchanged.
+ */
+fun initSentry(context: Context) {
+    SentryAndroid.init(context) { options ->
+        options.beforeSend = SentryOptions.BeforeSendCallback { event, _ ->
+            if (shouldDropEvent(event)) {
+                null
+            } else {
+                normalizeEvent(event)
+                event
+            }
+        }
+    }
+}
+
+private fun shouldDropEvent(event: SentryEvent): Boolean {
+    val throwable = event.throwable
+    return throwable != null && causedByIgnorableException(throwable)
+}
+
+/**
+ * Walks the full cause chain, so an expected error wrapped in something else is still dropped.
+ */
+private fun causedByIgnorableException(throwable: Throwable): Boolean {
+    var current: Throwable? = throwable
+    val seen = HashSet<Throwable>()
+    while (current != null && seen.add(current)) {
+        if (isIgnorableException(current)) return true
+        current = current.cause
+    }
+    return false
+}
+
+private fun isIgnorableException(e: Throwable): Boolean {
+    val message = e.message ?: ""
+    return when (e) {
+        // Plain connection failures: the upstream/proxy was unreachable, timed out, or the
+        // local address couldn't be bound. All expected for a VPN proxy, nothing to fix here.
+        is SocketTimeoutException -> true
+        is ConnectException -> true
+        is BindException -> true
+
+        // IPv6 isn't supported by our packet parsing yet - known and unactionable.
+        is PacketHeaderException -> message.contains("IP version should be 4 but was 6")
+
+        // Mid-connection socket failures and file-descriptor exhaustion, all expected operationally.
+        is SocketException ->
+            message.contains("Connection reset") ||
+            message.contains("Broken pipe") ||
+            message.contains("EPIPE") ||
+            message.contains("ENETUNREACH") ||
+            message.contains("Network is unreachable") ||
+            message.contains("EMFILE") ||
+            message.contains("Too many open files")
+
+        is IOException ->
+            message.contains("unexpected end of stream") ||
+            message.contains("Too many open files")
+
+        // Android 12+ forbids starting our foreground service from the background. This is a
+        // platform restriction we can't avoid here, so we don't report it as a crash.
+        // (BackgroundServiceStartNotAllowedException is itself an IllegalStateException.)
+        is IllegalStateException -> message.contains("Not allowed to start service")
+
+        else -> false
+    }
+}
+
+/**
+ * Collapse known high-cardinality issues into a single group by giving them a stable
+ * fingerprint, instead of letting dynamic values in the message split one underlying
+ * problem into thousands of separate Sentry issues.
+ */
+private fun normalizeEvent(event: SentryEvent) {
+    val throwable = event.throwable ?: return
+    if (
+        throwable is CertificateException &&
+        (throwable.message ?: "").contains("Proxy returned mismatched certificate")
+    ) {
+        // The message embeds the (always different) cert fingerprints, so group by a fixed key.
+        event.fingerprints = listOf("proxy-cert-mismatch")
+    }
+}

app/src/main/java/tech/httptoolkit/android/main/MainActivity.kt

@@ -34,8 +34,6 @@ import com.google.android.gms.common.GooglePlayServicesUtil
 import com.google.android.material.dialog.MaterialAlertDialogBuilder
 import io.sentry.Sentry
 import kotlinx.coroutines.*
-import java.net.ConnectException
-import java.net.SocketTimeoutException
 import java.security.cert.Certificate
 import java.security.cert.X509Certificate
 import androidx.core.net.toUri
@@ -442,10 +440,7 @@ class MainActivity : ComponentActivity(), CoroutineScope by MainScope() {
 
             mainState = ConnectionState.FAILED
 
-            // We report errors only that aren't simple connection failures
-            if (e !is SocketTimeoutException && e !is ConnectException) {
-                Sentry.captureException(e)
-            }
+            Sentry.captureException(e)
         }
     }
 
@@ -572,8 +567,16 @@ class MainActivity : ComponentActivity(), CoroutineScope by MainScope() {
             // If we tried to enable notifications, and it didn't work (the user
             // ignored us) then try try again.
             requestNotificationPermission(true)
+        } else if (resultCode == RESULT_CANCELED) {
+            mainState = ConnectionState.DISCONNECTED
         } else {
-            Sentry.captureMessage("Non-OK result $resultCode for requestCode $requestCode")
+            val requestName = when (requestCode) {
+                START_VPN_REQUEST -> "start-vpn"
+                INSTALL_CERT_REQUEST -> "install-cert"
+                ENABLE_NOTIFICATIONS_REQUEST -> "enable-notifications"
+                else -> "other"
+            }
+            Sentry.captureMessage("Non-OK result $resultCode for $requestName request")
             mainState = ConnectionState.FAILED
         }
     }
@@ -614,10 +617,7 @@ class MainActivity : ComponentActivity(), CoroutineScope by MainScope() {
 
                 mainState = ConnectionState.FAILED
 
-                // We report errors only that aren't simple connection failures
-                if (e !is SocketTimeoutException && e !is ConnectException) {
-                    Sentry.captureException(e)
-                }
+                Sentry.captureException(e)
             }
         }
     }