I am integrating my Android application with Google Analytics and was wondering what kind of security measures should be taken to avoid my analytics data being deliberately polluted by bad people. Sure, GA data is not production-critical, and there are (hopefully) not too many people running around who do such things just for fun, but still - within reason, I'd like to apply whatever preemptive measures there are.
Right now the only thing that comes to mind is that I should avoid the tracking id falling into bad hands.
Google search results I found only talk about:
protecting the tracking id for webpages - not so much talk about how to do the same for Android applications
setting up a GA filter to include traffic data for my own webpage only - again, this is just for webpages...
When submitting hits from my app, there seem to be two ways for the data to reach the GA servers:
If Google Play Services is not installed, putHit runs and fires an HTTPS query with the hit data. If log level is set to debug, I can see this happening, and the data in the ADB logs, along with the tracking id.
If GPS is installed, that will take care of dispatching presumably also over HTTPS.
So this leads me to think that the best I can do on the application front is to make sure log level is above debug (which is a good idea regardless) and to encrypt the tracking id to at least make it difficult to extract from the APK.
On the GA front, I have not found anything similar to the webpages-filtering solution.
Is there anything else I can do?
After you log in to Google Analytics:
Under Admin > View > Filter > New Filter > Custom - you could possibly choose to filter by Application Id.
Application Id, I believe, is the package name you set in your manifest file.
Again this is not fool-proof:
Anyone else can set up the same Application Id too, but it will require more effort.
Google Analytics should have provided a better way to solve this.
I am having a tough time analysing the store listing for my app with third-party referrals. When I am analysing UTM sources under Store analysis in the Play Console I don't see any visitors/acquisitions for most of my UTM sources except a few like "Firebase", "Google", "Other", "Undefined".
There used to be data for other UTMs (our website, our desktop app) as well in the past, but not anymore. I wonder what went wrong; it might be possible that these UTMs are tracked under the Other category somehow.
We don't have any API call in the app to send related events to Firebase. Are we missing something here, maybe the install referral API? Maybe some other API mentioned here https://developers.google.com/analytics/devguides/collection/android/v4/campaigns#general-campaigns, but we never had anything extra apart from setting up Firebase in our project; I followed https://firebase.google.com/docs/android/setup.
Is it necessary to send data to Google Analytics in my case, as mentioned here: https://developers.google.com/analytics/solutions/mobile-campaign-deep-link#campaign-tracking? I don't feel it is right, as Firebase is anyway tracking 'visitors' without hitting any app code.
Any suggestion on how to debug it?
I'm surprised to see statistics in the Google Analytics page for one of my Android apps and noticed the following strange information:
Apple iPhone in Top Device Models
Strange OS name entries in OS Versions:
Macintosh Intel 10.10
Linux x86_64
Windows 7
(not set) (not set)
Note:
I have answered with the current possible solution, but that doesn't make corrections to the available old data sets. Please let me know any ways to correct the old data sets and get out of the cons mentioned in my answer!
Bots and referral spam are two different things, the answer you posted will only help with bots. I am going to refer to the article about removing referral spam here
Normally we say there are three types of junk visits:
Ghost referrals like the darodar / ilovevitaly / cenoval
Creepy crawlers like semalt (a.k.a. best-seo-solution.com) and fake referrals like maridan.com.ua and blog.ranksonic.com.
Well behaved bots and spiders
Issue Number 1
I suspect data is being inserted directly into the Analytics account through the Measurement Protocol. I say this because I have several old Google Analytics accounts that are showing hits; the websites for these accounts no longer exist and haven't existed in years. I also have an old application account like yours that no longer has any data sent to it but shows data daily. The only way for data to be inserted into them is if someone is doing it directly; the hits are coming from known referral spam sites (the big list). There has been a lot of talk on the net lately on how to deal with the first two problems. Google has not come up with any solution as of my writing this. The article gives a few very good ways of dealing with it. here
Idea of how it's done: Google+ post
Tip: It appears that they are currently only targeting Web Property 1, so if you, say, make UA--xxxx-2 there will be no spam inserted.
Issue Number 2:
This will be hard to detect, they are actually thing your site. A filter on the known bad crawlers helps.
Issue Number 3
The answer you posted is correct but will only help with this: Bot and Spider Filtering. It's also kind of old.
Note: I have answered my own question for Bot and Spider Filtering; please provide any better solution for the cons mentioned below and to avoid referral spam.
The Google Analytics team announced Introducing Bot and Spider Filtering to get away with referral spam and bots in Analytics entries!
Introducing Bot and Spider Filtering
Many of you have shared with us that it’s hard to identify the real
traffic that comes to your pages. That’s why I’m pleased to announce
that we’re adding bot and spider filtering.
You can simply select a new checkbox option which would be included in
the view level of the management user interface. This option would be
labeled "Exclude traffic from known bots and spiders". Selecting this
option will exclude all hits that come from bots and spiders on the
IAB known bots and spiders list. The backend will exclude hits matching
the User Agents named in the list as though they were subject to a
profile filter. This will allow you to identify the real number of
visitors that are coming to your site.
Nestlé has been testing it and has found great benefit:
“The Bot filter solution is essential for getting deeper insights.
View level availability let us stay fully aligned with Best Practices
provided to all site owners. Very easy to use, understand and
communicate across thousands of Google Analytics users.” ~ Katarzyna
Malik, Nestlé Google Analytics Specialist
Happy Analyzing!
Posted by Matthew Anderson, Google Analytics Team
Steps to enable Bot Filtering:
Go to the Google Analytics home page and click on the Admin tab. Click on View settings.
Select the Bot Filtering option to get rid of known bots and spiders.
This will remove the spam hits from their analytics for only upcoming analytics data. So this solution has two cons!!
Cons:
Historical data will not be affected by this option, i.e. spam hits
which were made in the past will remain in your data, Google will
only filter your future hits.
Google promises to remove hits from known bots, which means that the
time from the new bot appearance to the moment when it will be
included in the Google filter list can be indefinitely long. I use
this solution for the last week though and didn't find any new bots
breaking through the filter
I am working on an Android application project that uses Google Analytics. The application is still in the alpha testing stage. After a few days of tests I noticed that an iPhone device is listed in the analytics dashboard, but there is no iPhone version of my application. Is it a problem with GA or some problem in my configuration? It's really strange and I'm worried about my application's safety.
I will be grateful for any suggestions or information.
This is so-called referral spam. More information in the links below:
http://moz.com/blog/how-to-stop-spam-bots-from-ruining-your-analytics-referral-data
https://megalytic.com/blog/how-to-filter-out-fake-referrals-and-other-google-analytics-spam
http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/
Updated
I've handled this issue like this:
Go to your app view in the Google Analytics.
Open the 'Admin' tab.
Click on 'View settings'.
There will be a section called 'Bot Filtering'; check the 'Exclude all hits from known bots and spiders' option.
From now on Google will remove the spam hits from their analytics. This solution has two issues, though:
Historical data will not be affected by this option, i.e. spam hits
which were made in the past will remain in your data, Google will
only filter your future hits.
Google promises to remove hits from known bots, which means that the
time from the new bot appearance to the moment when it will be
included in the Google filter list can be indefinitely long. I use
this solution for the last week though and didn't find any new bots
breaking through the filter.
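The checks discussed in the posts above (filtering on Application Id, spotting non-Android platforms in an Android-only property, and matching the spam sources named in these threads) can be run together over exported hit rows. This is an added example, not code from any of the posts; the row field names, the package name and the sample rows are constructed assumptions, not a Google Analytics export schema.

```python
# Added example. Field names, package name and rows are constructed assumptions,
# not a Google Analytics export schema.
EXPECTED_APP_ID = "com.example.myapp"   # hypothetical: package name from the manifest
# Spam sources named in the posts above; extend from your own referral reports.
KNOWN_SPAM_SOURCES = ("darodar", "ilovevitaly", "cenoval", "semalt",
                      "best-seo-solution.com", "maridan.com.ua",
                      "blog.ranksonic.com")

def junk_reasons(hit, expected_app_id=EXPECTED_APP_ID):
    """Return why a hit row looks injected; an empty list means keep it."""
    reasons = []
    if (hit.get("app_id") or "").strip() != expected_app_id:
        reasons.append("app_id_mismatch")
    # An Android-only app should never report iOS, desktop or "(not set)".
    os_name = (hit.get("os") or "(not set)").strip().lower()
    if not os_name.startswith("android"):
        reasons.append("os_not_android")
    source = (hit.get("source") or "").strip().lower()
    if any(name in source for name in KNOWN_SPAM_SOURCES):
        reasons.append("known_spam_source")
    return reasons

def triage(hits):
    """Split rows into (kept, flagged); flagged rows carry their reasons."""
    kept, flagged = [], []
    for hit in hits:
        reasons = junk_reasons(hit)
        if reasons:
            flagged.append((hit, reasons))
        else:
            kept.append(hit)
    return kept, flagged

# Constructed sample rows mirroring the oddities reported in the questions.
SAMPLE_HITS = [
    {"app_id": "com.example.myapp", "os": "Android 4.4.2", "source": "(direct)"},
    {"app_id": "", "os": "Macintosh Intel 10.10", "source": "darodar"},
    # Spoofed Application Id: the app-id filter alone would let this through.
    {"app_id": "com.example.myapp", "os": "iOS 8.1", "source": "(direct)"},
    {"app_id": None, "os": "(not set)", "source": "semalt"},
]

if __name__ == "__main__":
    kept, flagged = triage(SAMPLE_HITS)
    print(len(kept), "kept")
    for hit, reasons in flagged:
        print(hit["os"], reasons)
```

The third sample row shows why the Application Id filter is not sufficient alone: the id matches, and only the platform check flags it.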
We run a web application with a JavaScript and an Android front end. We use Google IDs with OAuth for authentication. Everything worked fine until today, when authentication suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In developer console I noticed, that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out, that our Android App was removed from the Play Store and we got following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy. Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously, as the whole app is about security and our customers' trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state, which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confidential data of any kind. We published a couple of related apps and not all even have the feature included, but all were suspended. However, we guess that this feature is the reason for the removal.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed, that our App collects names of running tasks and sends them to our servers, which is not the case. However, we used the crittercism library and the crittercism docs suggest to require the "GET_TASKS" permission, what we did. I don't think, that Crittercism is considered as dangerous as it's used by lots of applications. But maybe the combination of a Logging Service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.
I know that when app crashes a bug report is sent to my developer console.
Now I'd like to add a statistics usage function: for example each week app gathers my app's preferences settings and send them to my dev console. This way I could see what users like more and, on the other hand, what has to be improved.
Is it possible with some Android function? I know I could do something like send an email, or make a hidden connection to my server, but I'd like a more "standard" way (moreover, these hidden methods might not be liked by some users)... Moreover, error logs are sent, so there IS a mechanism; the problem is whether I can attach to it or not.
Well, it's not the developer console, but you can use Google Analytics for that. There is an API to use it with Android, explained here: https://developers.google.com/analytics/devguides/collection/android/
It's up to you, what exactly you're gonna track, but it's very easy and for dealing with the statistics you have all the power of Google Analytics at hand.
EDIT: For best results with least effort, you should use the EasyTracker library, which makes sure that communication with the server is done in a separate thread; otherwise you will experience 'hiccups' in the UI.