Presence and potential use of Google's Firebase SDK #20

Closed
ComandoLeganes opened this issue Sep 9, 2020 · 5 comments

@ComandoLeganes

ComandoLeganes commented Sep 9, 2020

Radar Covid for Android has declared a dependency on Google’s Firebase SDK for analytics purposes, as indicated in lines 198 and 199 of the Gradle configuration.

    // Recommended: Add the Firebase SDK for Google Analytics.
    implementation 'com.google.firebase:firebase-analytics-ktx:17.5.0'

The analysis of the .apk available on Google Play on the 8th of September 2020 (md5=ce999f762890d3f9b7911cb700997019) using static analysis corroborates that the SDK is present in the app as can be inferred from the presence of the following package: com/google/firebase/

Unfortunately, as the code is obfuscated in the current release on the Google Play Store, it cannot be concluded: 1) whether the app version published on Google Play is directly compiled from the source code released today; and, as a result, 2) whether the Firebase SDK is actually invoked from the app.

The presence and use of this SDK is not listed in the current Privacy Policy of the app.

In case this is legacy code from an older version integrating and using the SDK, or simply dead code, it would be advisable to remove this dependency. If it is indeed used, it would be advisable to remove it as well due to the potential privacy risks that incorporating a third-party analytics SDK could pose to end users.

This behavior seems to be prevalent in the iOS app, too, as suggested by this issue.
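The static check described in the report above can be reproduced with a short script. This is an added example, not part of the original post or the project's code: it reads the string table of each `classes*.dex` in an APK and lists class descriptors under `com/google/firebase/`. The function names, the watch list, and the constructed sample APK are assumptions made for illustration.

```python
import hashlib, io, re, struct, zipfile

# Assumed watch list: the package named in the report, in DEX descriptor form.
WATCHED_PREFIXES = ("Lcom/google/firebase/",)

def dex_strings(dex: bytes):
    """Yield every entry of a DEX file's string table (string_ids section)."""
    if dex[:4] != b"dex\n":
        return
    # Header fields string_ids_size and string_ids_off live at 0x38 and 0x3C.
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for (off,) in struct.iter_unpack("<I", dex[table_off:table_off + 4 * count]):
        while dex[off] & 0x80:          # skip the ULEB128 length prefix
            off += 1
        off += 1
        end = dex.index(b"\x00", off)   # MUTF-8 data is NUL-terminated
        yield dex[off:end].decode("utf-8", "replace")

def audit_apk(apk: bytes):
    """Return (md5 hex digest, sorted descriptors matching WATCHED_PREFIXES)."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                hits.update(s for s in dex_strings(z.read(name))
                            if s.startswith(WATCHED_PREFIXES))
    return hashlib.md5(apk).hexdigest(), sorted(hits)

def make_sample_apk(strings):
    """Constructed sample: a zip holding a DEX with only a header and string table."""
    data, offs = b"", []
    base = 0x70 + 4 * len(strings)      # string data follows the string_ids table
    for s in strings:
        offs.append(base + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # lengths < 128: one ULEB128 byte
    header = b"dex\n035\x00".ljust(0x38, b"\x00") + struct.pack("<II", len(strings), 0x70)
    dex = header.ljust(0x70, b"\x00") + struct.pack(f"<{len(offs)}I", *offs) + data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample_apk(["La/b;", "Lcom/google/firebase/analytics/FirebaseAnalytics;"])
    print(audit_apk(sample))
```

A match shows that the class names are present in the binary, not that the SDK is invoked at runtime, which is the same limit the report notes for the obfuscated release.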

@ComandoLeganes ComandoLeganes changed the title Presence and potential use of Goole's Firebase SDK Presence and potential use of Google's Firebase SDK Sep 9, 2020
@jorgej-ramos

Hi all,

I have reported in iOS something that is practically this same problem. If I read correctly, someone has decompiled the source code of the app published in the Play Store. It would be interesting to find out if there is a Firebase API Key and compare it with the one I have found in outgoing communications headers on iOS.

Just to confirm that the use of Firebase is not documented.

@pablojimpas

Exodus Privacy report found both Google Firebase Analytics and Google AdMob for version 1.0.6.

Please consider removing these unnecessary surveillance capitalism dependencies.

@pantic79
Contributor

Hello,

The Firebase Analytics dependency comes from the pilot phase in La Gomera. It was required by the Crashlytics framework we used to get stack traces from app crashes on smartphones. Currently this reference is just dead code and will be removed in the next release so, thanks for your suggestion, it will be taken.

Thanks.

@j-rivero

Thanks for the information, @pantic79. Could you please link the code change (commit or PR) that points to the code removal? We could even leave this issue open until that code is merged/in-release.

@pantic79 pantic79 reopened this Sep 29, 2020
@pantic79
Contributor

pantic79 commented Oct 8, 2020

Here

Thanks,

@pantic79 pantic79 closed this as completed Oct 8, 2020