Device ID Collection Violates Google Play's User Data Policy

[509dave16]

Summary

Previously for Analytics Android to be compliant the access of Settings.Secure.ANDROID_ID and Build.SERIAL was removed in the following commit : get rid of android id and serial number. Which addressed this common violation: Your app collects or links persistent device identifiers (e.g., IMEI, IMSI, SIM Serial #, etc.)

However in Analytics React Native 2.x.x, Settings.Secure.ANDROID_ID is being directly accessed : AnalyticsReactNativeModule.kt -> getUniqueId .

Which is what theoretically resulted in violations for Analytics Android previously.

This access of Settings.Secure.ANDROID_ID that violates the Google Play User Data policy needs to be addressed.

Details

• analytics-react-native version: 2.2.1
• Integrations versions (if used): N/A
• React Native version: 0.68.0
• iOS or Android or both? Android

Steps to reproduce

• Install any 2.x.x version fof @segment/analytics-react-native.
• Submit Android build to Google Play Store.

Behavior

Expected behavior

No User Data policy violations.

Actual behavior(p.s. theoretically)

We have yet to submit our build of the new app experience containing the upgrade to 2.2.1 for Analytics React Native. But we have already received violation warnings from Google Play on a build of our app for the old experience that's using Analytics Android 4.10.0. So we are anticipating the same warning when we upgrade from Analytics React Native 1.5.2 to 2.2.1 in a build for the new experience of our app:

References

• Google Play User Data Policy
  

[rborn]

I can confirm 🙏

[kuznetsov-from-wonderland]

We have deviceID: null on Android when identify method is called.

[509dave16]

@kuznetsov-from-wonderland Did you choose to pass false for collectDeviceId client option?

[509dave16]

@rborn Thank you so much for providing confirmation on Analytics React Native 2.0 triggering the violation! Can you by chance share a screenshot of the violation? Thanks!

[oscb]

Thanks for the report! we changed the code to comply to Google's User Data policy now in PR: #567 it will be out on the next release of core

[prajeesh-mp]

Thanks for the report! we changed the code to comply to Google's User Data policy now in PR: #567 it will be out on the next release of core

Can we expect an immediate release ?

[rborn]

@509dave16 I'm still on 1.5.0, will update the module and let you know :)
Thank you.

[509dave16]

@oscb Thank you!

@rborn Appreciate the clarification!!

[oscb]

This is released now in v2.2.2.

Let us know if you bump into any issues with it

[509dave16]

@oscb Awesome! Will be testing out the latest release. Will let you know if anything comes up.

[andrewkvavlewhite]

I'm still getting the error when trying to submit with v2.2.2

[509dave16]

@andrewkvavlewhite Can you provide screenshot/copy of the violation warning when you tried submitting your build on Google Play?

[andrewkvavlewhite]

@509dave16 Hey I ended up figuring it out, thanks.

For everyone else who ran into this issue, make sure you run ./gradlew clean and follow these steps from google. Otherwise, the error will persist.

And technically any version of this library v1.5.1 and above should work

[NoRoboto]

@509dave16 Hey I ended up figuring it out, thanks.

For everyone else who ran into this issue, make sure you run ./gradlew clean and follow these steps from google. Otherwise, the error will persist.

And technically any version of this library v1.5.1 and above should work

Hi!, this has been extended for version com.segment.analytics.android:analytics:4.9.3

[dominictobias]

Did anyone find a solution to this? In summary deviceID can look like it could be turned on due to providing a collectDeviceId option so Google scanning gives a false positive? Trying to understand so I can make an appeal.

Why is this an option if it causes apps using segment to get rejected by Google?