Firebase Analytics disabled (acc. firebase instructions) but still positive result reported #107

Closed
JackWeb2018 opened this issue Sep 19, 2018 · 6 comments


@JackWeb2018

I have disabled in the app the firebase analytics as described in the firebase documentation, i.e.


and

=> but the report still hints on included tracker: Google Firebase Analytics

The detection rules hint: com.google.firebase.analytics.|com.google.android.gms.measurement.
=> but acc. to firebase documentation above seems to be the only reliable way to disable firebase analytics

Shouldn't the exodus-privacy tool check for firebase analytics disablement settings, so to report correctly that with above manifest entries no tracker is active?

@Gu1nness
Contributor

Gu1nness commented Oct 4, 2018

The static analysis we use only allows us to see if the code signature for Firebase analytics is present in the APK, not that it is disabled in the manifest.
Moreover, we do not want to rely on this kind of system: maybe the docs say that it deactivates the data collection whereas it does not, and we don't want to do that. Our reports would be false. We can't commit ourselves to saying that if a line is present in the manifest, it disables the tracker :)

The most reliable way for you to be sure that Google Firebase Analytics is not present is to completely remove the code that imports it from your code.
We have a tool (running on Linux only though) that allows you to analyze your APK during development: Exodus Standalone.

@pnu-s
Member

pnu-s commented Oct 5, 2018

I think it is worth noting as well that it is specified under the list of trackers on the EP reports that the static analysis does not allow detecting whether or not the tracker is active / enabled.


@U039b U039b closed this as completed Oct 7, 2018
@tdelmas

tdelmas commented Feb 8, 2019

Exodus could detect with the static analysis `<meta-data android:name="firebase_analytics_collection_deactivated" android:value="true" />` in the AndroidManifest.xml

Cf https://firebase.google.com/support/guides/disable-analytics

Then it could stop reporting Firebase Analytics. Eventually it could report Firebase

@pnu-s
Member

pnu-s commented Feb 23, 2019

Hi @tdelmas,
I think the answer from @Gu1nness explains well why we cannot do such a thing.

@yoshimo

yoshimo commented Oct 6, 2019

Instead of not reporting such a disabled feature at all, you should mark it as disabled: not green, not red, but orange as semi-bad.

@tdelmas

tdelmas commented Oct 6, 2019

To complete my opinion, less tracking is good, and pushing companies in that way is a good thing. That's why counting trackers helps. But in this specific case, where an SDK has tracking capabilities that can be statically disabled, encouraging companies that disabled it is important too: most of those companies will not use an alternative for Firebase, so, in the less tracking options, if disabling Firebase Analytics had an effect, it could push companies in the good direction.
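The two signals discussed in this thread, sketched as an added example that is not part of the original discussion and is not Exodus code: the code-signature match from the detection rule quoted in the issue, and the manifest entry quoted above, combined into a three-state result in which the manifest flag never turns a present signature into "absent". It assumes the class names are already extracted in dotted form and the manifest is already decoded to text XML; the function names, state labels and sample data are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Detection rule as quoted in the issue (matched against class names).
FIREBASE_RULE = re.compile(
    r"com.google.firebase.analytics.|com.google.android.gms.measurement."
)
# Manifest key as quoted in the thread.
DEACTIVATION_KEY = "firebase_analytics_collection_deactivated"


def signature_present(class_names):
    """True if any class name matches the tracker's code signature."""
    return any(FIREBASE_RULE.search(name) for name in class_names)


def declared_deactivated(manifest_xml):
    """True if <application> carries the deactivation meta-data set to true."""
    root = ET.fromstring(manifest_xml)
    for meta in root.iterfind("./application/meta-data"):
        if (meta.get(ANDROID_NS + "name") == DEACTIVATION_KEY
                and meta.get(ANDROID_NS + "value", "").lower() == "true"):
            return True
    return False


def classify(class_names, manifest_xml):
    """Hypothetical three-state label; the flag is a declaration, not proof."""
    if not signature_present(class_names):
        return "absent"
    if declared_deactivated(manifest_xml):
        return "present, declared deactivated"
    return "present"


# Constructed sample input (not taken from a real app).
SAMPLE_CLASSES = [
    "com.example.app.MainActivity",
    "com.google.firebase.analytics.FirebaseAnalytics",
]
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <meta-data android:name="firebase_analytics_collection_deactivated"
               android:value="true" />
  </application>
</manifest>"""

if __name__ == "__main__":
    print(classify(SAMPLE_CLASSES, SAMPLE_MANIFEST))
```

The middle state records only what the manifest declares; as noted earlier in the thread, static analysis cannot confirm that collection is actually off at runtime.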
