Impact

Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet the following conditions:

• Using any sentry-android with versions < 8.14.0
• Using Jetpack Compose >= 1.8.0-alpha08
  • This includes any alpha, beta, release candidate, or general availability after this version
• Have configured Sentry Session Replays for Android

How do I check if I'm impacted?

If you meet the conditions above, the sentry-android package includes a specific error log that would indicate you may be impacted. Customers may use logcat to search for this event.

I'm impacted and want this data deleted

If you've confirmed that you're affected and unmasked sensitive data in Session Replays have reached Sentry servers, you can please see this documentation on deleting individual replays. If you'd like to request bulk deletion, please reach out to your Account Manager or support@sentry.io to request deletion.

Patches

Upgrade the sentry-android SDK to version 8.14.0

Workarounds

We recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either:

• Downgrade their use of Jetpack Compose to <= 1.7.x
• Drop session sample rates to 0.0

options.sessionReplay.onErrorSampleRate = 0.0
options.sessionReplay.sessionSampleRate = 0.0

Please see our documentation for more information configuring Session Replays for Android.

References

This issue was identified in Issue #4467 and fixed in #4485