BranchMetrics / android-branch-deep-linking-attribution

The Branch Android SDK for deep linking and attribution. Branch helps mobile apps grow with deep links / deeplinks that power paid acquisition and re-engagement campaigns, referral programs, content sharing, deep linked emails, smart banners, custom user onboarding, and more.
https://docs.branch.io/pages/apps/android/
MIT License

Is Branch Android SDK compliant with GDPR? #1161

Closed rexhuang1220 closed 6 months ago

rexhuang1220 commented 8 months ago

Describe the bug

According to the official documentation: "Method to change the tracking state. If disabled, the Branch Android SDK will not track any user data or state. The SDK will not send any network calls, except for deep linking, when tracking is disabled."

However, we observe that the SDK still makes API calls when we disable tracking to test the deferred deep link case. Furthermore, we found that the request body contains the GAID when making the API call (v1/install). Here is the request body:

{
  "brand": "samsung",
  "model": "SM-M135F",
  "screen_dpi": 450,
  "screen_height": 2199,
  "screen_width": 1080,
  "wifi": true,
  "ui_mode": "UI_MODE_TYPE_NORMAL",
  "os": "Android",
  "os_version": 31,
  "country": "TW",
  "language": "zh",
  "cpu_type": "armv8l",
  "build": "SP1A.210812.016.M135FXXS1AVI1",
  "locale": "zh_TW",
  "connection_type": "wifi",
  "os_version_android": "12",
  "debug": false,
  "partner_data": {},
  "app_version": "1.0.0",
  "initial_referrer": "android-app://com.android.vending",
  "update": 0,
  "environment": "FULL_APP",
  "link_click_id": "1277859295053690554",
  "metadata": {
    "$braze_install_id": "<my braze install ID>"
  },
  "link_identifier": "1277859295053690554",
  "install_referrer_extras": "link_click_id=1277859295053690554&utm_source=app_share&utm_campaign=referafriend&utm_medium=inapp_copy_link",
  "app_store": "PlayStore",
  "advertising_ids": {
    "aaid": "<my GAID>"
  },
  "lat_val": 0,
  "google_advertising_id": "<my GAID>",
  "tracking_disabled": true,
  "sdk": "android5.8.1",
  "branch_key": "<my branch KEY>"
}

As you can see, the request body contains the GAID even when "tracking_disabled": true. I doubt whether this behavior of the Branch Android SDK is compliant with GDPR.

Steps to reproduce

  1. Disable tracking by calling Branch.getInstance().disableTracking(true)
  2. Click a Branch.io link
  3. Redirect to Google Play Store
  4. Install the target app via an adb command
  5. Set up a proxy tool to monitor network traffic
  6. Open the target app
  7. We can observe that the app makes an API call (v1/install) with the GAID in the request body.

Expected behavior

The SDK should not make any API call, or it shouldn't send the GAID when tracking is disabled.

SDK Version

5.8.1

Make and Model

Samsung M13

OS

12

Additional Information/Context

No response
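
Added example, not part of the original issue and not Branch SDK code: a check that can be run over request bodies exported from the proxy in step 5 to flag any that carry an advertising ID while "tracking_disabled" is true. The field names come from the request body above; the function name and the sample bodies are constructed for illustration.

```python
import json

# Field names taken from the v1/install request body shown in the issue.
AD_ID_FIELDS = ("advertising_ids", "google_advertising_id")
# All-zero value Android returns once the user has deleted or opted out of the ad ID.
ZEROED_ID = "00000000-0000-0000-0000-000000000000"


def _id_paths(value, path):
    """Yield dotted paths of non-empty, non-zeroed identifier strings."""
    if isinstance(value, str):
        if value.strip() and value != ZEROED_ID:
            yield path
    elif isinstance(value, dict):
        for key, inner in value.items():
            yield from _id_paths(inner, f"{path}.{key}")


def audit_request(raw_body):
    """Return the fields that carry an advertising ID although tracking is disabled."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []  # not JSON, nothing to audit
    if not isinstance(body, dict) or body.get("tracking_disabled") is not True:
        return []
    findings = []
    for field in AD_ID_FIELDS:
        if field in body:
            findings.extend(_id_paths(body[field], field))
    return sorted(findings)


# Constructed sample bodies (the identifier is a made-up value, not a real GAID).
LEAKY = json.dumps({
    "tracking_disabled": True,
    "advertising_ids": {"aaid": "11111111-2222-3333-4444-555555555555"},
    "google_advertising_id": "11111111-2222-3333-4444-555555555555",
})
CLEAN = json.dumps({"tracking_disabled": True, "advertising_ids": {},
                    "google_advertising_id": ZEROED_ID})
TRACKING_ON = json.dumps({"tracking_disabled": False,
                          "google_advertising_id": "11111111-2222-3333-4444-555555555555"})

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN), ("tracking on", TRACKING_ON)):
        print(name, audit_request(raw))
```
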

github-actions[bot] commented 6 months ago

This issue has been automatically marked as stale due to inactivity for 60 days. If this issue is still relevant, please respond with any updates or this issue will be closed in 7 days. If you believe this is a mistake, please comment to let us know. Thank you for your contributions.

github-actions[bot] commented 6 months ago

This issue has been closed due to inactivity. If this issue is still relevant, please reopen it or create a new one. Thank you for your contributions.