Regarding Use of getSerializable() and Potential Insecure Deserialization in Sentry SDK

[Synctest-hub]

Description

While analyzing our Android application integrated with the Sentry Flutter SDK, we identified potential usage of android.os.Bundle.getSerializable() within internal calls originating from io.sentry.flutter.SentryFlutterPlugin. This appears to present an insecure deserialization risk, potentially allowing arbitrary code execution if untrusted input is processed.

We did not find any such use in our Dart codebase, and during APK decompilation, these flows appear to originate from the native SDK layer. Could you please confirm whether the Sentry Flutter/Android SDK enforces any validation, class whitelisting, or sandboxing when handling deserialized objects via getSerializable()? If not, is there a recommended mitigation or planned fix?

[linear]

DART-192 Regarding Use of getSerializable() and Potential Insecure Deserialization in Sentry SDK

[linear]

JAVA-126 Regarding Use of getSerializable() and Potential Insecure Deserialization in Sentry SDK

[buenaflor]

Transferring this to the Android SDK as it is about Android SDK internals

[markushi]

@Synctest-hub thanks for reaching out!

In general our deserialization logic is strongly typed and whitelisted to a set of known classes (e.g. see implementation here).

From an Android framework perspective android.os.Bundle.getSerializable() only occurs once in our codebase and seems to be unused, we just opened a PR to remove it completely.

I hope this answers all your questions, if not please let us know!