Firebase Analytics Privacy Concerns

[julian-dotcom]

For our React-Native project, we want to use react-native-firebase/app and react-native-firebase/messaging to handle push notification on both iOS and Android.

Our concern, however, is that we have a lot of very privacy minded users that do not want user or app tracking. We're worried that although we do not explicitly install react-native-firebase/analytics, it may still be installed indirectly in some form or another.

When running yarn list | grep firebase this is the output, which is a bit concerning:

├─ @firebase/analytics-compat@0.2.14
│  ├─ @firebase/analytics-types@0.8.2
│  ├─ @firebase/analytics@0.10.8
│  ├─ @firebase/component@0.6.9
│  ├─ @firebase/util@1.10.0
├─ @firebase/analytics-types@0.8.2
├─ @firebase/analytics@0.10.8
│  ├─ @firebase/component@0.6.9
│  ├─ @firebase/installations@0.6.9
│  ├─ @firebase/logger@0.4.2
│  ├─ @firebase/util@1.10.0

We understand that it's possible to add these params to disable auto-tracking on iOS:

<key>FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED</key>
<true/>

But is that enough?

At the end of the day, how do we make sure that users don't use our APK or IPAs, decompile it and find some stuff about Firebase Analytics?

Is this a legitimate concern to have?

To clarify, we don't want to use analytics at all – we're just worried about extra privacy-minded users finding something about analytics and creating a sh*tstorm on Twitter.

[mikehardy]

Hey there 👋

The output here is for the firebase-js-sdk packages:

├─ @firebase/analytics-compat@0.2.14
│  ├─ @firebase/analytics-types@0.8.2
│  ├─ @firebase/analytics@0.10.8
│  ├─ @firebase/component@0.6.9
│  ├─ @firebase/util@1.10.0
├─ @firebase/analytics-types@0.8.2
├─ @firebase/analytics@0.10.8
│  ├─ @firebase/component@0.6.9
│  ├─ @firebase/installations@0.6.9
│  ├─ @firebase/logger@0.4.2
│  ├─ @firebase/util@1.10.0

If you are certain you will only be running on android and ios then you do not need firebase-js-sdk as a fallback package, and these will never be executed. If you want to be extra super sure that nothing there executes then you can use a package.json trick to null out those packages.

Specifically, you can set a resolution strategy for those packages that resolves them to an empty package every time, like so from another project I work on:

https://github.com/ankitects/anki/blob/56dd93b5be107f7fa8cf78affa22f2e93d06b4ad/package.json#L82

...the trick is to just set whatever package names you want to be completely nulled out to that empty package line. I can verify it works in yarn1 and yarn4 at least, unsure on other package managers.

The firebase-js-sdk will not be looking for or respond to any of the AndroidManifest.xml/Info.plist settings as those are for native and firebase-js-sdk is unaware of them.

For native side, I am also privacy-minded and I was the person that implemented all the various plist / manifest toggles you see here in the schema (where you can verify they will be carried into the final merged/built AndroidManifest.xml by unpacking the APK and checking it:

react-native-firebase/packages/app/firebase-schema.json

Lines 8 to 55 in 9c6f607

	"analytics_auto_collection_enabled": {
	"description": "Disable or enable auto collection of analytics data.\n This is useful for opt-in-first data flows, for example when dealing with GDPR compliance. This can be overridden in JavaScript. \n Re-enable analytics data collection, e.g. once user has granted permission.",
	"type": "boolean"
	},
	"analytics_collection_deactivated": {
	"description": "If you need to deactivate Analytics collection permanently in a version of your app.\n This cannot be altered at runtime once set in the config.",
	"type": "boolean"
	},
	"analytics_idfv_collection_enabled": {
	"description": "If you wish to disable collection of the IDFV (Identifier for Vendor) in your iOS app.\n This cannot be altered at runtime once set in the config.",
	"type": "boolean"
	},
	"google_analytics_adid_collection_enabled": {
	"description": " If you wish to disable collection of the Advertising ID in your Android app.\n This cannot be altered at runtime once set in the config.",
	"type": "boolean"
	},
	"google_analytics_ssaid_collection_enabled": {
	"description": "If you wish to disable collection of SSAID (Settings.Secure.ANDROID_ID) in your Android app,.\n This cannot be altered at runtime once set in the config.",
	"type": "boolean"
	},
	"google_analytics_automatic_screen_reporting_enabled": {
	"description": "If you wish to disable automatic screen reporting in your app.\n This cannot be altered at runtime once set in the config.",
	"type": "boolean"
	},
	"google_analytics_registration_with_ad_network_enabled": {
	"description": "For your convenience, on iOS the SDK automatically registers your app with Apple for ad network attribution with SKAdNetwork.\nDefaults to true, include this key as false to disable.",
	"type": "boolean"
	},
	"analytics_default_allow_analytics_storage": {
	"description": "Enables storage (such as app identifiers) related to analytics, e.g. visit duration.",
	"type": "boolean"
	},
	"analytics_default_allow_ad_storage": {
	"description": "Enables storage (such as device identifiers) related to advertising.",
	"type": "boolean"
	},
	"analytics_default_allow_ad_user_data": {
	"description": "Sets consent for sending user data to Google for advertising purposes.",
	"type": "boolean"
	},
	"analytics_default_allow_ad_personalization_signals": {
	"description": "Configure whether a user's Analytics data may be used for personalized advertising in other products.\n If set, may be overridden at runtime by calling setUserProperty on the key 'allow_personalized_ads'",
	"type": "boolean"
	},
	"app_data_collection_default_enabled": {
	"description": "Whether automatic data collection is enabled for all products, unless overridden by product-specific data collection settings.\n Setting this to false is useful for opt-in-first data flows, for example when dealing with GDPR compliance. \nThis may be overridden dynamically in Javascript via automaticDataCollectionEnabled FirebaseAppConfig property.",
	"type": "boolean"
	},

I think the one you call out is the correct one to turn off, however I don't believe it will be necessary if are not including the analytics package. That said you may want to turn off the whole app data collection toggle near the end of that selection.

In the end the only way to be absolutely sure is to do these changes, examine the merged/built AndroidManifest.xml from an APK to make sure it meets your satisfaction, and then to to run the app while sniffing network traffic to make sure it is only contacting expected endpoints