fix(session-replay): Add detection for potential PII leaks disabling session replay

Author: philprime

Samples/SentrySampleShared/SentrySampleShared/SentrySDKWrapper.swift

@@ -61,6 +61,8 @@ public struct SentrySDKWrapper {
             )
             let defaultReplayQuality = options.sessionReplay.quality
             options.sessionReplay.quality = SentryReplayOptions.SentryReplayQuality(rawValue: (SentrySDKOverrides.SessionReplay.quality.stringValue as? NSString)?.integerValue ?? defaultReplayQuality.rawValue) ?? defaultReplayQuality
+
+            options.sessionReplay.disableInDangerousEnvironment = false
         }
 
 #if !os(tvOS)

Sources/Swift/Integrations/SessionReplay/SentryReplayOptions.swift

@@ -16,6 +16,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
         public static let enableViewRendererV2: Bool = true
         public static let enableFastViewRendering: Bool = false
         public static let quality: SentryReplayQuality = .medium
+        public static let disableInDangerousEnvironment: Bool = true
 
         // The following properties are public because they are used by SentrySwiftUI.
 
@@ -215,6 +216,17 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
      */
     public var enableFastViewRendering: Bool
 
+    /**
+     * Due to internal changes with the release of Liquid Glass on iOS 26.0, the masking of text and images can not be reliably guaranteed.
+     *
+     * Therefore the session replay integration is disabled by default starting with `8.57.0` as a defensive mechanism.
+     *
+     * - Important: This flag allows to re-enable the session replay integration on iOS 26.0 and later, but please be aware that text and images may not be masked as expected.
+     *
+     * - Note: See [GitHub issues #1234](https://github.com/getsentry/sentry-cocoa/issue/1234) for more information.
+     */
+    public var disableInDangerousEnvironment: Bool
+
     /**
      * Defines the quality of the session replay.
      *
@@ -290,6 +302,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
             maskAllImages: nil,
             enableViewRendererV2: nil,
             enableFastViewRendering: nil,
+            disableInDangerousEnvironment: nil,
             maskedViewClasses: nil,
             unmaskedViewClasses: nil,
             quality: nil,
@@ -319,6 +332,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
             enableViewRendererV2: (dictionary["enableViewRendererV2"] as? NSNumber)?.boolValue
             ?? (dictionary["enableExperimentalViewRenderer"] as? NSNumber)?.boolValue,
             enableFastViewRendering: (dictionary["enableFastViewRendering"] as? NSNumber)?.boolValue,
+            disableInDangerousEnvironment: (dictionary["disableInDangerousEnvironment"] as? NSNumber)?.boolValue,
             maskedViewClasses: (dictionary["maskedViewClasses"] as? NSArray)?.compactMap({ element in
                 NSClassFromString((element as? String) ?? "")
             }),
@@ -353,7 +367,8 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
         maskAllText: Bool = DefaultValues.maskAllText,
         maskAllImages: Bool = DefaultValues.maskAllImages,
         enableViewRendererV2: Bool = DefaultValues.enableViewRendererV2,
-        enableFastViewRendering: Bool = DefaultValues.enableFastViewRendering
+        enableFastViewRendering: Bool = DefaultValues.enableFastViewRendering,
+        disableInDangerousEnvironment: Bool = DefaultValues.disableInDangerousEnvironment
     ) {
         // - This initializer is publicly available for Swift, but not for Objective-C, because automatically bridged Swift initializers
         //   with default values result in a single initializer requiring all parameters.
@@ -368,6 +383,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
             maskAllImages: maskAllImages,
             enableViewRendererV2: enableViewRendererV2,
             enableFastViewRendering: enableFastViewRendering,
+            disableInDangerousEnvironment: disableInDangerousEnvironment,
             maskedViewClasses: nil,
             unmaskedViewClasses: nil,
             quality: nil,
@@ -387,6 +403,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
         maskAllImages: Bool?,
         enableViewRendererV2: Bool?,
         enableFastViewRendering: Bool?,
+        disableInDangerousEnvironment: Bool?,
         maskedViewClasses: [AnyClass]?,
         unmaskedViewClasses: [AnyClass]?,
         quality: SentryReplayQuality?,
@@ -402,6 +419,7 @@ public class SentryReplayOptions: NSObject, SentryRedactOptions {
         self.maskAllImages = maskAllImages ?? DefaultValues.maskAllImages
         self.enableViewRendererV2 = enableViewRendererV2 ?? DefaultValues.enableViewRendererV2
         self.enableFastViewRendering = enableFastViewRendering ?? DefaultValues.enableFastViewRendering
+        self.disableInDangerousEnvironment = disableInDangerousEnvironment ?? DefaultValues.disableInDangerousEnvironment
         self.maskedViewClasses = maskedViewClasses ?? DefaultValues.maskedViewClasses
         self.unmaskedViewClasses = unmaskedViewClasses ?? DefaultValues.unmaskedViewClasses
         self.quality = quality ?? DefaultValues.quality

Sources/Swift/Integrations/SessionReplay/SentrySessionReplay.swift

@@ -1,3 +1,4 @@
+// swiftlint:disable file_length
 import Foundation
 #if (os(iOS) || os(tvOS)) && !SENTRY_NO_UIKIT
 @_implementationOnly import _SentryPrivate
@@ -73,6 +74,18 @@ import UIKit
             SentrySDKLog.debug("[Session Replay] Session replay is already running, not starting again")
             return 
         }
+        
+        // Detect if we are running on iOS 26.0 with Liquid Glass and disable session replay.
+        // This needs to be done until masking for session replay is properly supported, as it can lead
+        // to PII leaks otherwise.
+        if isRunningInDangerousEnvironment() {
+            if replayOptions.disableInDangerousEnvironment {
+                SentrySDKLog.fatal("[Session Replay] Detected environment potentially causing PII leaks, disabling Session Replay. To override this mechanism, set `options.disableInDangerousEnvironment` to `false`")
+                return
+            }
+            SentrySDKLog.warning("[Session Replay] Detected environment potentially causing PII leaks, but `options.disableInDangerousEnvironment` is set to `false`, ignoring and enabling Session Replay.")
+        }
+        
         displayLink.link(withTarget: self, selector: #selector(newFrame(_:)))
         self.rootView = rootView
         lastScreenShot = dateProvider.date()
@@ -369,7 +382,51 @@ import UIKit
             replayMaker.addFrameAsync(timestamp: timestamp, maskedViewImage: maskedViewImage, forScreen: screen)
         }
     }
+    
+    private func isRunningInDangerousEnvironment() -> Bool {
+        // Defensive programming: Assume dangerous environment by default on iOS 26.0+
+        // and only mark as safe if we have explicit proof it's not using Liquid Glass.
+        //
+        // Liquid Glass introduces changes to text rendering that breaks masking in Session Replay.
+        // It's used on iOS 26.0+ UNLESS one of these conditions is met:
+        // 1. UIDesignRequiresCompatibility is explicitly set to YES in Info.plist
+        // 2. The app was built with Xcode < 26.0 (DTXcode < 2600)
+        
+        // First check: Are we even on iOS 26.0+?
+        guard #available(iOS 26.0, *) else {
+            // Not on iOS 26.0+ - safe to use Session Replay
+            return false
+        }
+        
+        // We're on iOS 26.0+ - assume dangerous unless proven otherwise
+        guard let infoDictionary = Bundle.main.infoDictionary else {
+            // Can't read Info.plist - stay defensive
+            SentrySDKLog.debug("[Session Replay] Running on iOS 26.0+ but cannot read Info.plist - treating as dangerous")
+            return true
+        }
+        
+        // Safety check 1: Is compatibility mode explicitly enabled?
+        if let requiresCompatibility = infoDictionary["UIDesignRequiresCompatibility"] as? Bool,
+           requiresCompatibility == true {
+            SentrySDKLog.debug("[Session Replay] Running on iOS 26.0+ with UIDesignRequiresCompatibility=YES - safe to use")
+            return false
+        }
+        
+        // Safety check 2: Was the app built with an older Xcode version?
+        // DTXcode format: Xcode 16.4 = "1640", Xcode 26.0 = "2600"
+        if let xcodeVersionString = infoDictionary["DTXcode"] as? String,
+           let xcodeVersion = Int(xcodeVersionString),
+           xcodeVersion < 2_600 {
+            SentrySDKLog.debug("[Session Replay] Running on iOS 26.0+ but built with Xcode \(xcodeVersionString) (< 26.0) - safe to use")
+            return false
+        }
+        
+        // No safety conditions met - treat as dangerous
+        SentrySDKLog.debug("[Session Replay] Running on iOS 26.0+ with Liquid Glass likely active - blocking Session Replay")
+        return true
+    }
 }
 // swiftlint:enable type_body_length
 
 #endif
+// swiftlint:enable file_length

Tests/SentryTests/Integrations/SessionReplay/SentryReplayOptionsTests.swift

@@ -16,6 +16,7 @@ class SentryReplayOptionsTests: XCTestCase {
         XCTAssertTrue(options.maskAllImages)
         XCTAssertTrue(options.enableViewRendererV2)
         XCTAssertFalse(options.enableFastViewRendering)
+        XCTAssertTrue(options.disableInDangerousEnvironment)
 
         XCTAssertEqual(options.maskedViewClasses.count, 0)
         XCTAssertEqual(options.unmaskedViewClasses.count, 0)
@@ -850,4 +851,58 @@ class SentryReplayOptionsTests: XCTestCase {
         // -- Assert --
         XCTAssertNil(options.sdkInfo)
     }
+    
+    // MARK: disableInDangerousEnvironment
+    
+    func testInit_disableInDangerousEnvironment_shouldDefaultToTrue() {
+        // -- Act --
+        let options = SentryReplayOptions()
+        
+        // -- Assert --
+        XCTAssertTrue(options.disableInDangerousEnvironment)
+    }
+    
+    func testInit_disableInDangerousEnvironment_whenSetToFalse_shouldAllowOptIn() {
+        // -- Act --
+        let options = SentryReplayOptions(
+            sessionSampleRate: 1.0,
+            onErrorSampleRate: 1.0,
+            disableInDangerousEnvironment: false
+        )
+        
+        // -- Assert --
+        XCTAssertFalse(options.disableInDangerousEnvironment)
+    }
+    
+    func testInitFromDict_disableInDangerousEnvironment_whenValidValue_shouldSetValue() {
+        // -- Act --
+        let optionsTrue = SentryReplayOptions(dictionary: [
+            "disableInDangerousEnvironment": true
+        ])
+        let optionsFalse = SentryReplayOptions(dictionary: [
+            "disableInDangerousEnvironment": false
+        ])
+        
+        // -- Assert --
+        XCTAssertTrue(optionsTrue.disableInDangerousEnvironment)
+        XCTAssertFalse(optionsFalse.disableInDangerousEnvironment)
+    }
+    
+    func testInitFromDict_disableInDangerousEnvironment_whenInvalidValue_shouldUseDefaultValue() {
+        // -- Act --
+        let options = SentryReplayOptions(dictionary: [
+            "disableInDangerousEnvironment": "invalid_value"
+        ])
+        
+        // -- Assert --
+        XCTAssertTrue(options.disableInDangerousEnvironment)
+    }
+    
+    func testInitFromDict_disableInDangerousEnvironment_whenNotSpecified_shouldUseDefaultValue() {
+        // -- Act --
+        let options = SentryReplayOptions(dictionary: [:])
+        
+        // -- Assert --
+        XCTAssertTrue(options.disableInDangerousEnvironment)
+    }
 }

Tests/SentryTests/Integrations/SessionReplay/SentrySessionReplayIntegrationTests.swift

@@ -30,7 +30,7 @@ class SentrySessionReplayIntegrationTests: XCTestCase {
         }
 
         if #available(iOS 26.0, tvOS 26.0, macCatalyst 26.0, *) {
-            throw XCTSkip("When running the unit tests on iOS 26.0, tvOS 26 or macCatalyst 26.0 with Xcode 26.0, we get warning log messages on the console: 'nw_socket_set_connection_idle [C1.1.1.1:3] setsockopt SO_CONNECTION_IDLE failed [42: Protocol not available]'. This leads to test failures in CI. Therefore, we skip these for now. We are going to fix this with https://github.com/getsentry/sentry-cocoa/issues/6165.")
+            throw XCTSkip("When running the unit tests on iOS 26.0, tvOS 26 or macCatalyst 26.0 with Xcode 26.0, we get warning log messages on the console: 'nw_socket_set_connection_idle [C1.1.1.1:3] setsockopt SO_CONNECTION_IDLE failed [42: Protocol not available]'. This leads to test failures in CI. Therefore, we skip these for now. We are going to fix this with https://github.com/getsentry/sentry-cocoa/issues/6165. Note: Session Replay is also disabled by default on iOS 26 due to Liquid Glass rendering changes.")
         }
 
         uiApplication = TestSentryUIApplication()

Tests/SentryTests/Integrations/SessionReplay/SentrySessionReplayTests.swift

@@ -551,6 +551,53 @@ class SentrySessionReplayTests: XCTestCase {
     private func assertFullSession(_ sessionReplay: SentrySessionReplay, expected: Bool) {
         XCTAssertEqual(sessionReplay.isFullSession, expected)
     }
+    
+    // MARK: - iOS 26 Liquid Glass Detection Tests
+    
+    @available(iOS 26.0, *)
+    func testBlocksSessionReplayOnIOS26WithLiquidGlass() {
+        // This test will only run on iOS 26.0+
+        // It tests that session replay is blocked when Liquid Glass is detected
+        let fixture = Fixture()
+        let sut = fixture.getSut(options: SentryReplayOptions(sessionSampleRate: 1, onErrorSampleRate: 1))
+        
+        // Attempt to start session replay
+        sut.start(rootView: fixture.rootView, fullSession: true)
+        
+        // Verify that session replay did not actually start
+        // (it should have been blocked by isRunningInDangerousEnvironment)
+        XCTAssertFalse(fixture.displayLink.isRunning())
+    }
+    
+    @available(iOS 26.0, *)
+    func testAllowsSessionReplayOnIOS26WhenDisabledViaOption() {
+        // This test verifies that users can explicitly opt-in to session replay on iOS 26
+        let fixture = Fixture()
+        let options = SentryReplayOptions(sessionSampleRate: 1, onErrorSampleRate: 1)
+        options.disableInDangerousEnvironment = false
+        let sut = fixture.getSut(options: options)
+        
+        // Attempt to start session replay
+        sut.start(rootView: fixture.rootView, fullSession: true)
+        
+        // Verify that session replay started despite iOS 26
+        XCTAssertTrue(fixture.displayLink.isRunning())
+    }
+    
+    func testAllowsSessionReplayOnIOS25AndEarlier() throws {
+        // This test runs on iOS < 26 and verifies session replay works normally
+        if #available(iOS 26.0, *) {
+            throw XCTSkip("This test is for iOS < 26.0")
+        }
+        
+        let fixture = Fixture()
+        let sut = fixture.getSut(options: SentryReplayOptions(sessionSampleRate: 1, onErrorSampleRate: 1))
+        
+        // Session replay should start normally on older iOS versions
+        sut.start(rootView: fixture.rootView, fullSession: true)
+        
+        XCTAssertTrue(fixture.displayLink.isRunning())
+    }
 }
 
 #endif