ACRA collects privacy sensitive value Build.SERIAL #972

Closed
chkwok opened this issue Jan 10, 2022 · 0 comments
chkwok commented Jan 10, 2022

Describe the bug
ACRA collects Build.SERIAL in bug reports and transmits it over the network. This is done while reflectively collecting fields from Build.*, which is mostly fine, but there is a world-readable (until API level 26), privacy-sensitive identifier in there, and Google Play absolutely hates that.

It causes delays in app submission reviews (flagged for manual processing, instead of auto approve in x hours) and you get the vaguest hint which "advertising network" is using a "device identifier", especially if you use pro/dexguard to repackage all classes to a single package.

Your app is using device identifiers (IMEI, MAC address, Build Serial, etc.) and sending identifier data to a remote network address.

This issue is commonly (but not only) found in apps using an outdated Advertising SDK.

Our analysis suggests that for your APK, this behaviour is caused by the Advertising SDK(s) 'boo' although there may be additional SDKs or source code contributing to it. To stop receiving this warning, try updating or changing this (these) SDK(s) and check any other SDKs or code that may be using device identifiers.

Sending device identifiers is not a best practice for most use-cases and if you're using this identifier for advertising purposes, this may be a violation of Google Play policies and can affect your app's visibility on the Play Store.

Expected behavior
Skip the field Build.SERIAL. No touchy!

Version

  • Android: up to 8.0 / API 26, after that, it is replaced by a static string "unknown".
  • ACRA: any, seen in 5.7.0 (ReflectionCollector.java) and master (ReflectionCollector.kt)

Workaround
Scrub it in a ReportingAdministrator plugin by messing with the CrashReportData values, or ctrl-c ctrl-v ReflectionCollector.java and fix it. Can't do it neatly because the class is final.
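
A sketch of the first workaround, added here as an example; it is not code from the ACRA project or from the issue author. It assumes ACRA 5.x, where `ReportField.BUILD` holds the reflected `Build.*` constants as a JSON object and plugins are registered through `ServiceLoader` (here via `@AutoService`); the package and class names are hypothetical.

```java
package com.example.crash; // hypothetical package

import android.content.Context;
import androidx.annotation.NonNull;
import com.google.auto.service.AutoService;
import org.acra.ReportField;
import org.acra.config.CoreConfiguration;
import org.acra.config.ReportingAdministrator;
import org.acra.data.CrashReportData;
import org.json.JSONException;
import org.json.JSONObject;

/** Removes Build.SERIAL from the BUILD field before any sender sees the report. */
@AutoService(ReportingAdministrator.class) // assumption: AutoService generates the META-INF/services entry
public class BuildSerialScrubber implements ReportingAdministrator {

    // Key under which the reflected constant Build.SERIAL appears (assumption: keyed by field name).
    private static final String SERIAL_KEY = "SERIAL";

    @Override
    public boolean shouldSendReport(@NonNull Context context,
                                    @NonNull CoreConfiguration config,
                                    @NonNull CrashReportData crashReportData) {
        // getString() returns the stored JSON object in serialized form.
        String build = crashReportData.getString(ReportField.BUILD);
        if (build == null || build.isEmpty()) {
            return true; // BUILD was not collected, nothing to scrub
        }
        try {
            JSONObject fields = new JSONObject(build);
            if (fields.has(SERIAL_KEY)) {
                fields.remove(SERIAL_KEY);
                crashReportData.put(ReportField.BUILD, fields);
            }
        } catch (JSONException e) {
            // Fail closed: if BUILD cannot be parsed, send an empty object
            // instead of a value that may still contain the serial.
            crashReportData.put(ReportField.BUILD, new JSONObject());
        }
        return true; // still send the (scrubbed) report
    }
}
```

To confirm the scrub took effect, inspect an outgoing report from a device or emulator at API level 26 or lower and check that the BUILD section no longer contains a `SERIAL` entry.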
