RadarCOVID / radar-covid-android

Native Android app using the DP^3T Android SDK to handle the Exposure Notifications API from Google
Mozilla Public License 2.0

Presence and potential use of Google's Firebase SDK #20

Closed. ComandoLeganes closed this issue 3 years ago.

ComandoLeganes commented 4 years ago

Radar Covid for Android has declared a dependency on Google's Firebase SDK for analytics purposes, as indicated in lines 198 and 199 of the Gradle configuration.

    // Recommended: Add the Firebase SDK for Google Analytics.
    implementation 'com.google.firebase:firebase-analytics-ktx:17.5.0'

Static analysis of the .apk available on Google Play on the 8th of September 2020 (md5=ce999f762890d3f9b7911cb700997019) corroborates that the SDK is present in the app, as can be inferred from the presence of the following package: com/google/firebase/

Unfortunately, as the code is obfuscated in the current release on the Google Play Store, it cannot be concluded: 1) whether the app version published on Google Play is compiled directly from the source code released today; and, as a result, 2) whether the Firebase SDK is actually invoked from the app.

The presence and use of this SDK is not listed in the current Privacy Policy of the app.

In case this is legacy code from an older version that integrated and used the SDK, or simply dead code, it would be advisable to remove this dependency. If it is indeed used, it would be advisable to remove it as well, due to the potential privacy risks that incorporating a third-party analytics SDK could cause for end users.

This behavior seems to be prevalent in the iOS app, too, as suggested by this issue.
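The static check described in the report above (unzip the APK, look for the com/google/firebase/ package in the dex code) can be scripted. The following is an added example written for this page; it is not code from the issue thread or from the RadarCOVID project. It reads an APK as a zip, pulls every classes*.dex entry and extracts the class type descriptors from the dex string table, which survive ProGuard/R8 obfuscation for third-party SDK classes that are kept by their consumer rules. The tracker prefix table, the sample APK contents and the package name com/example are assumptions constructed for illustration; the md5 is computed only because that is the hash quoted in the report.

```python
"""Added example: list third-party SDK packages present in an APK's dex files.

Not part of the issue thread or the RadarCOVID project. The tracker prefix
table and the sample APK below are constructed for illustration.
"""
import hashlib
import io
import re
import zipfile

# Assumed mapping of vendor name -> dex type-descriptor prefix. Extend as needed.
TRACKER_PREFIXES = {
    "Google Firebase (any)": "Lcom/google/firebase/",
    "Google Firebase Analytics": "Lcom/google/firebase/analytics/",
    "Google Crashlytics": "Lcom/google/firebase/crashlytics/",
    "Google AdMob": "Lcom/google/android/gms/ads/",
}

# Dex stores class type descriptors as plain strings: "L" + slash path + ";".
DESCRIPTOR_RE = re.compile(rb"L[A-Za-z0-9_$/]+;")


def dex_class_descriptors(dex_bytes):
    """Return the set of class type descriptors found in a dex file's bytes."""
    return {m.group(0).decode("ascii") for m in DESCRIPTOR_RE.finditer(dex_bytes)}


def scan_apk(apk_bytes):
    """Scan an APK (as bytes) and report md5, class count and tracker packages found.

    Presence of a package only shows the SDK was packaged; it says nothing about
    whether the app ever calls into it (see the caveat in the issue report).
    """
    digest = hashlib.md5(apk_bytes).hexdigest()  # to match the hash quoted in the issue
    descriptors = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                descriptors |= dex_class_descriptors(zf.read(name))
    trackers = {}
    for label, prefix in TRACKER_PREFIXES.items():
        hits = sorted(d for d in descriptors if d.startswith(prefix))
        if hits:
            trackers[label] = hits
    return {"md5": digest, "classes": len(descriptors), "trackers": trackers}


def build_sample_apk():
    """Constructed sample: a zip with a fake classes.dex holding a few descriptors.

    This is not a valid dex file; it only mimics the string-table content that
    the scanner keys on, so the example runs offline without a real APK.
    """
    fake_dex = b"dex\n035\0" + b"\0".join([
        b"Lcom/example/app/MainActivity;",                    # assumed app class
        b"La/b/c;",                                           # obfuscated app class
        b"Lcom/google/firebase/analytics/FirebaseAnalytics;",  # Firebase Analytics
        b"Lcom/google/android/gms/ads/AdView;",               # AdMob
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_apk(build_sample_apk())
    print("md5:", report["md5"], "classes:", report["classes"])
    for vendor, classes in report["trackers"].items():
        print(vendor, "->", ", ".join(classes))
```

To check a real download, replace build_sample_apk() with the bytes of the APK file. Two caveats follow from the report itself: a matching md5 only identifies the exact file, so it cannot tell you whether the store build came from the published source (that needs a reproducible build), and a class being present does not prove the app invokes it, so "SDK present" is the strongest claim this check supports.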

jorgej-ramos commented 4 years ago

Hi all,

I have reported practically this same problem on iOS. If I read correctly, someone has decompiled the source code of the app published in the Play Store. It would be interesting to find out if there is a Firebase API key and compare it with the one I have found in outgoing communication headers on iOS.

Just to confirm that the use of Firebase is not documented.

pablojimpas commented 4 years ago

Exodus Privacy report found both Google Firebase Analytics and Google AdMob for version 1.0.6.

Please consider removing these unnecessary surveillance-capitalism dependencies.

pantic79 commented 4 years ago

Hello,

the Firebase Analytics dependency comes from the pilot phase in La Gomera. It was required by the Crashlytics framework we used to get stack traces from app crashes on smartphones. Currently this reference is just dead code and will be removed in the next release, so thanks for your suggestion, it will be taken.

Thanks.

j-rivero commented 4 years ago

Thanks for the information @pantic79. Could you please link the code change (commit or PR) that points to the code removal? We could even leave this issue open until that code is merged/in-release.

pantic79 commented 3 years ago

Here

Thanks,