Looking at the Firebase SDK I am trying to understand technically how Google is identifying the devices of users.
In the documentation I read:
Identifying devices The Google Analytics for Firebase SDK library uses
an app-instance identifier to identify a unique installation of the
App.
When using the SDK, an app-instance identifier gets generated at the
app level.
By default, the Firebase SDK collects identifiers for mobile devices
(for example, Android Advertising ID and Advertising Identifier for
iOS) and utilizes technologies similar to cookies.
On iOS, the SDK collects the Advertising Identifier if it is
available. For IDFA to be available, a developer has to link in the
AdSupport.framework library.
If the Advertising Identifier is unavailable, the SDK collects the
Vendor Identifier. If the Advertising Identifier becomes available
after the Vendor Identifier was reported, the SDK stops collecting the
Vendor Identifier.
By default, on Android the SDK collects the Advertising ID.
From this I understand that it uses:
iOS
On iOS, the SDK collects the Advertising Identifier if it is
available. For IDFA to be available, a developer has to link in the
AdSupport.framework library.
And the question becomes:
how does the iOS AdSupport.framework library generate theuser identifier?
is it really anonymous?
Android
How does "Android Advertising ID" library generate the user identifier?
is it really anonymous?
Any help understanding how this works under the hood would be much appreciated.
Related
A android third party application SDK which is in violation of tracking data like below
MUwS-V: SDK collects a list of installed applications without consent
Location-V: SDK collects location data without consent
MUwS-V: SDK collects a large variety of hardware identifiers including build serial allowing for bridging PII with hardware IDs
How can I suppress / stop this tracking in the SDK and still use the SDK's main functionality? Anyway to control from main application which consumes the SDK?
According to this page, every application submitted to the Play Store must not have the capability to collect both persistent device identifier and Advertising ID. Failure to comply will result in application removal from the Play Store.
Now, I have an application that is collecting persistent device identifier for security purposes, but I still want to use Firebase Crashlytics, as I added the SDK, I noticed that the SDK collects Advertising ID, but I can't find the code that initiate the collection.
So, my question is will the Firebase Crashlytics SDK collect Advertising ID automatically on library inclusion to the app?
If it does, is there any way to disable the collection of Advertising ID?
I have received an warning from Google Play:
Reason for warning: Violation of Usage of Android Advertising ID
policy and section 4.8 of the Developer Distribution Agreement
I have been checking and app should be sending the Android Advertising ID. It has to be a library because I am not doing it.
I use crashlytics and OneSignal and both could be the problem. But I have found in the documentation of OneSignal that the SDK get it:
https://documentation.onesignal.com/docs/handling-personal-data#section-personal-information-sent-as-data-tags
Some data is automatically collected by the OneSignal SDK. For example, on mobile devices this typically include's the device's advertising id, purchases they have made in your app, the timezone setting of the device, and location data (if your app has location permission).
I am trying to disable the SDK continue collecting the advertising identifier but I don't find how to do it. In addition, the list of collected data is not clear because Advertising identifier does not appear:
https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk
I would need to know how to configure OneSignal SDK for not collecting anymore the Advertising identifier.
Thanks.
Google has started emailing apps that use Advertising Id and do not have a privacy policy to tell them they must add a privacy policy.
You can address this by adding a privacy policy to your Play Store listing and in your app. If you do not already have a privacy policy, there are tools available to create one such as http://www.docracy.com/mobileprivacy (free) or https://www.iubenda.com/en/ ($27/yr)
After speaking a little bit more with JonF, he spoke with OneSignal developers and they said that it is possible to avoid sending the Advertising ID changing some lines in the SDK:
Most of the tracking for Android can be removed from registerUserTask
in
https://github.com/OneSignal/OneSignal-Android-SDK/blob/3a4d4353b1d803852e3b9986b828c9b823801ce5/OneSignalSDK/onesignal/src/main/java/com/onesignal/OneSignal.java#L1180-L1182
The problem is that it is not possible to keep the library integrated with gradle, but at least it is a solution.
I have been thinking to implement the change with Reflection but I don't have much time now for it, it could be another way.
Recently, I've been getting a security warning in my Google developer console's Pre-launch report's security tab after uploading the apk. This is the issue:
Sending Device Identifiers
Detected in APK (List of APKs)...
Your app is using device identifiers (IMEI, MAC address, Build Serial, etc.) and sending identifier data to a remote network address.
This issue is commonly (but not only) found in apps using an outdated Advertising SDK.
To stop receiving this warning, try updating or changing any SDKs or code in your app that may be using device identifiers.
Sending device identifiers is not a best practice for most use-cases and if you're using this identifier for advertising purposes, this may be a violation of Google Play policies and can affect your app’s visibility on the Play Store. To get recommendations on how your app can use identifiers, learn about unique identifier best practices.
I'm using the Appsflyer sdk in my project to register user events, tracking installs and uninstalls etc., I'm also using the latest sdks for this. When I remove this sdk, the security issue doesn't show up in the pre-launch report.
When I contacted Appsflyer support team, they mentioned not to use the functions that send IMEI and Android Id data using their API calls, which I didn't include in first place. And also not to include READ_PHONE_STATE permission, which I removed and uploaded to play store again, which resulted in the Security issue.
They also made sure that atleast one device identifier, GAID, Android ID or IMEI, MUST be collected to allow for proper attribution.
In their newer SDK versions, the GAID or Google AID is collected automatically and does not require any specific action on my part.
Is this the reason for the security warning?
Any help is appreciated. Thanks in advance.
I contacted the support team of AppsFlyer and they solved my problem, the solution is basically removing the recollection of IMEI, option that seems to be enabled by default, this is done by placing:
AppsFlyerLib.getInstance().setCollectIMEI(false);
Just above Appsflyer.startTracking call in your OnCreate of the MainActivity (or wherever in the app you've placed the startTracking call)
In my case I was using the segment integration so I placed this just above this line:
Analytics.setSingletonInstance(analyticsBuilder.build());
Hopefully this will help you, otherwise I'd suggest you to contact the support team, they answered me really fast
I'm planning to build an iOS and Android app with custom advertising on some screen. The custom advertising does not use advertising identifier provided by iOS(IDFA) or Android.
my questions are for the app review from both Apple and google,
Should I still need to indicate that my app has advertising?
Is the use of advertising is mandatory in order to provide custom ad that does not use the advertising identifier?
Is it possible that Google or Apple reject the app if i don't use the Advertising identifier but still provide custom ad?