Google Play Warning: Your app contains URL credentials, which is often unintentional

After adding Sentry to our Android app the Google Play store gives a warning: “Your app contains URL credentials, which is often unintentional.” This is because we defined the Sentry URL in our Application Java Class like this: https://xxxxxxxx:yyyyyyyy@sentry.io.

I’m concerned as these are the full credentials stored pretty much in plain text in the APK. In contrast, in client-side JavaScript only the first, public part of the credentials is exposed. But here it’s the full set of credentials including the "semi-"secret key. Is this expected and/or what is the suggested solution to avoid this?

This is fine. There’s nothing privileged that can be accessed by these keys. raven-js only needs the public portion of the key because it uses CORS for authentication whereas everything else does not.

To be explicit: the use of the private key DOES NOT allow any read access to data. It’s simply a key that allows sending data into Sentry. This key may be revoked, etc. So the worst thing someone could do with it is send annoying data into Sentry. It will never read data back out.

If you wish to not receive this warning, string concatenation can be used as a workaround.
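
The concatenation workaround mentioned in the answer, as an added example that is not part of the original thread and is not Sentry's code. It shows why joining string literals with `+` does not help (javac folds them back into one constant) and a form that is assembled at run time. The class name, `build()`, and the `URL_CREDENTIALS` pattern are hypothetical, and the pattern is only an assumed approximation of what a string scanner looks for.

```java
import java.util.regex.Pattern;

// Added example: key values are the page's own placeholders.
public final class DsnConcat {

    // Assumed shape of "URL credentials": scheme://user:password@host
    static final Pattern URL_CREDENTIALS =
            Pattern.compile("[a-zA-Z][a-zA-Z0-9+.-]*://[^/\\s:@]+:[^/\\s:@]+@[^/\\s@]+");

    // All operands are compile-time constants, so javac folds them (JLS 15.28):
    // the class file holds one string, "https://xxxxxxxx:yyyyyyyy@sentry.io".
    // Kept here only for comparison; real code would not contain this field.
    static final String FOLDED = "https://" + "xxxxxxxx" + ":" + "yyyyyyyy" + "@sentry.io";

    // Parameters are not constants, so javac emits run-time concatenation and
    // the constant pool only holds the separate pieces passed by the caller.
    static String build(String publicKey, String secretKey, String host) {
        if (publicKey.isEmpty() || secretKey.isEmpty() || host.isEmpty()) {
            throw new IllegalArgumentException("DSN part is empty");
        }
        return new StringBuilder("https://")
                .append(publicKey).append(':').append(secretKey)
                .append('@').append(host).toString();
    }

    public static void main(String[] args) {
        String[] pieces = {"https://", "xxxxxxxx", "yyyyyyyy", "sentry.io"};
        String dsn = build(pieces[1], pieces[2], pieces[3]);

        System.out.println("same value at run time: " + dsn.equals(FOLDED));
        System.out.println("folded constant matches: " + URL_CREDENTIALS.matcher(FOLDED).find());
        for (String p : pieces) {
            System.out.println("piece \"" + p + "\" matches: " + URL_CREDENTIALS.matcher(p).find());
        }
        // Pass dsn to the Sentry client initialisation in the Application class.
    }
}
```

Concatenation only changes what a static string scan sees; the key is still recoverable from the APK, so the protection remains what the answer describes: the key can only send data in and can be revoked. Check the strings in the release APK after shrinking, since a build-time optimizer may merge the constants again.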