Some Firebase components are falsely reported as Firebase Analytics

[maxauvy]

Hi there, long time no see! 😄

I've stumbled across an interesting case I wanted to share with you, when analyzing an Android app 🤔

Context

• the app uses Firebase Messaging, to deliver mobile notifications across several platforms (iOS + Android)
• the app makes no use at all of Firebase Analytics, nor any related SDK
• Firebase Messaging can be coupled to Firebase Analytics - it's totally optional, no hard dependency here
• Firebase Messaging uses a small other package to check if the Analytics SDK is present or not : it's called Firebase Analytics Connector - and in my case, it only returns null

Result

• exodus-core looks for (among others) com.google.firebase.analytics.
• the connector package, named com.google.firebase.analytics.connector, triggers the rule as it contains the detection pattern
• the app is flagged as using Firebase Analytics, while the "real" SDK is not embedded at all in the app (I extensively checked), and no tracking nor measurement is done 😅

Do you think something can be done about this? 🙏

[U039b]

Hi @maxauvy! Nice to see you there :) Do you have any, more accurate, detection pattern in mind? Note that in its current implementation, εxodus detection cannot exclude pattern.

[U039b]

Matching on com.google.firebase.analytics.FirebaseAnalytics is probably more accurate.

[maxauvy]

That's what I had in mind, yet I didn't check against any app I know is using Firebase Analytics to confirm it's working as intended.

We could also kindly ask Google to change its packages naming convention, or to be transparent about them adding/changing things in Firebase and the associated or potential side-effects :troll:

[maxauvy]

I ran 4 manual tests, looking for com.google.firebase.analytics.FirebaseAnalytics as a detection pattern as suggested by @U039b.

• 2 apps I know aren't using Firebase Analytics: not found -> OK
• 2 apps I know are using Firebase Analytics: found -> OK

So I guess it would be worth updating the tracker entry in the exodus database. I'll let you confirm it's okay with your own tests, probably more reliable than mine 😁

[ignoramous]

This wrongful detection of labeling apps with "analytics" for using "crashlytics" is causing some of us building FOSS apps a lot of grief, because a few trust whatever Exodus shows them over whatever our code has.