Why is firebase required for Android ?

[Nik99]

I have one question. Why is the firebase plugin required for this to work ?

At the beginning it sounded suspicious, but after looking at your code i didn't find anything bad.
So, i wanted to ask it first, why do i need it ?

It could be a good thing to explain it on the homepage plugin and on the doc, for people who need the fastest app for critical applications (like me) and cannot add "junk" to the app without a real reason.

Thanks

[facundomedica]

Hi! Firebase is needed for the scanning of codes in Android. We use Firebase ML kit (https://firebase.google.com/docs/ml-kit/) which is the "newer version" of Google's Vision (https://developers.google.com/vision/). In iOS it isn't needed because it has native support for scanning codes.

I will add something explaining this in the readme, thank you!

[Nik99]

Does this make a lot of overhead in terms of speeds ?
Or does it only trigger when the app launches the library ?

[facundomedica]

I don't know, maybe in very low end devices. I have Firebase in all of my apps in production because you need it for basic stuff like push notifications. Adding Firebase is something more or less standard nowadays.

When the app launches it downloads the models needed to scan the codes you want. There's a way of making this faster for the user that downloads it from the Play Store, I will add this too in the readme.

[Nik99]

Thanks! I can now start using this library with the clarifications. :)

[ohir]

Why ML kit? It will bar your plugin from many scenarios, eg. from personal id document scans in Europe.
At least until Google will guarantee that's an exclusive on-device functionality (now it is, but it may change). Also the firebase is a huge dependency.

Have you considered zxing? It is able to process 1D and 2D codes since android api13.

There are two zxing plugin attempts, both defunct now:
https://pub.dartlang.org/packages/zxing
https://pub.dartlang.org/packages/fzxing

More zebra crossing:
https://github.com/zxing/zxing
https://github.com/yuriy-budiyev/code-scanner
https://github.com/journeyapps/zxing-android-embedded/tree/master/sample

:) PS. I know that ML its easier if your app already has dependencies on it. But please look at a standalone reader possibilities. Thx.

[facundomedica]

According to this: https://firebase.google.com/support/privacy/#firebase_is_gdpr_ready is it GDPR compliant? I don't really know much about GDPR, but isn't more Google trustful than zxing?

[ohir]

@facundomedica Good point! While zxing and derivatives are opensourced the effort of compiling them tells me that all but a few would use :aar path. So - yes, indeed. Google's code, even closed, might have higher level of trust.

[facundomedica]

I'll keep this issue opened and will try to do some tests. Not having to install Firebase might improve the onboarding experience

[vin89423]

It is a nice plugin but it not working on device without Google Play Service supported.

[krolaw]

I suggest using Google Mobile Vision instead. I imagine that would address the trust issue and remove the firebase dependency.

[krolaw]

Or, would anyone be interested in helping port the QR portion of the zxing library to Dart? (Someone did it for JS years ago).

[tangxiucai2]

Can we use without ML dependency ??

[OpinionatedGeek]

The dependency on an opaque library for decoding the image is a problem for me too. I'd much rather an open-source library was used, instead of one that might (now or in the future) send unwanted telemetry or training data to Google.

(I realise scanning codes usually isn't that critical an area, but if it's scanning things like encryption keys that can be quite an issue for some people.)

So I'd be keen on a a Flutter solution that didn't depend on Firebase or Play Services.

I like a lot about this library though. It's hard to find a QR decoder for Flutter that uses a Preview widget instead of taking over the entire screen, and a Preview widget is exactly what I'm after.

I've had some success with the com.journeyapps:zxing-android-embedded library mentioned above. Adding these two dependencies:

dependencies {
    implementation 'com.journeyapps:zxing-android-embedded:3.6.0'
    implementation 'com.android.support:appcompat-v7:25.3.1'   // Minimum 23+ is required

to the Android part allowed me to get the QR code (or not) from an image file with the following code:

public String readFromFile(String filename) {
    String code = null;
    try {
      Bitmap bitmap = BitmapFactory.decodeFile(filename);
      File qrFile = new File(filename);
      String contents = null;
      int[] intArray = new int[bitmap.getWidth()*bitmap.getHeight()];
      bitmap.getPixels(intArray, 0, bitmap.getWidth(), 0, 0, bitmap.getWidth(), bitmap.getHeight());

      LuminanceSource source = new RGBLuminanceSource(bitmap.getWidth(), bitmap.getHeight(), intArray);
      BinaryBitmap binaryBitmap = new BinaryBitmap(new HybridBinarizer(source));

      Result result = new QRCodeReader().decode(binaryBitmap);
      code = result.getText();
    } catch (Exception ex) {
      System.err.println("QRCode reading failed with exception: " + ex);
    }

    return code;
}

(It's not production-ready but I had difficulty finding any useful samples so I thought it might be useful here. And the reason for loading it from a file is because the default Camera plugin can only take pictures by saving to a file...)

Is there anything I can do to encourage removing of the Firebase dependency? I don't have the skills to implement the pull request but if I can help...

[facundomedica]

@krolaw Google Mobile Vision is deprecated.

@tangxiucai2 no, sorry.

@OpinionatedGeek thanks for the analysis. According to Google the data is analyzed in-device, meaning that they are not doing anything with your data on the cloud. I agree that for more secure use cases you should have an open source library with its version pinned (to avoid an addition of a backdoor/tracking/malicious code). Anyway, I can't guarantee the security of either options, so I'm not sure what are the next steps.

Maybe the way to go is to encourage reading carefully the terms of privacy of ML Kit?

[OpinionatedGeek]

@facundomedica Thanks for your speedy reply!

Yeah, you're right about pinning the version. I'd also be reluctant to depend on a service like ML Kit that's updated independently of my app - I'd hate to be in the situation where I release my app and all's well for a while, then Google change the binary and T&Cs of ML Kit and suddenly my installed app is depending on privacy behaviour that no longer exists.

I guess this means I need to go further with my zxing experiments, and hook it up to the camera output somehow.

Thanks for your response - I do appreciate it.

[ohir]

I agree with @OpinionatedGeek about sensitive uses of QR/Aztec codes. ML is a big no-no for this.

@facundomedica

"According to Google the data is analyzed in-device, meaning that they are not doing anything with your data on the cloud."

Unfortunately Google nowadays can pull this carpet from under your feet any next day.
Google Voice was hailed as privacy aware as it was "not doing anything extra with your data on the cloud." for incoming call screening. Now G insist of knowing who is calling you even if you're near and ready to answer by yourself.

(In testing cohort, after rolling user may not opt-out)
» "Leave your name for the Google User" Google intercept will be enabled,and can't be disabled even though the option still for the moment appears to be present in the user interface. « [from G.insider]

[facundomedica]

ML Kit is up!