mixpanel / mixpanel-swift

Official iOS (Swift) Tracking Library for Mixpanel Analytics
https://mixpanel.com
Apache License 2.0
434 stars 234 forks

[4.0.0] AutomaticEvents() is unexpectedly creating a SKPaymentTransactionObserver, which it then blocks with sync calls, even if automaticEventTracking is disabled #558

Closed RamblinWreck77 closed 2 years ago

RamblinWreck77 commented 2 years ago

A routine code audit of our 3rd party libraries found some alarming things in the Mixpanel SDK today:

1) AutomaticEvents() appears to always be active even if trackAutomaticEvents: false is set

2) AutomaticEvents is a SKPaymentTransactionObserver, so you guys are watching all of our IAP activity even if we explicitly turn automatic tracking off

3) You make .sync {} calls to awaitingTransactionsWriteLock inside the delegate callbacks, which in our testing blocks the caller thread and hangs our own app's SKPaymentTransactionObserver until your process returns

4) awaitingTransactionsWriteLock is a .utility QoS thread, so all IAP purchase requests are synchronously throttled to .utility QoS which is bad for obvious reasons

I'll be forking the Mixpanel SDK to remove the offending code entirely, and, to put it kindly, we were less than thrilled to find this when we went looking.

I would greatly appreciate a release that totally removes these features and any/all interaction with StoreKit unless we explicitly opt in to it.
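
An added example, not part of the thread and not Mixpanel's code: a small static check of the kind the audit above describes, run over the Swift sources of a third-party SDK. It reports types that conform to SKPaymentTransactionObserver, calls that register with SKPaymentQueue, and .sync calls inside paymentQueue callbacks. The sample source, the PurchaseWatcher type and the function names are constructed for illustration.

```python
import re

# Heuristic patterns for the three things the audit in this issue looked at.
CONFORMS = re.compile(r"\b(?:class|extension|struct)\s+(\w+)[^{]*\bSKPaymentTransactionObserver\b")
REGISTERS = re.compile(r"SKPaymentQueue\.default\(\)\.add\(")
CALLBACK = re.compile(r"func\s+paymentQueue\s*\(")
SYNC_CALL = re.compile(r"\.sync\s*[{(]")

# Constructed sample input (hypothetical SDK source, not taken from any real library).
SAMPLE = """
class PurchaseWatcher: NSObject, SKPaymentTransactionObserver {
    let lock = DispatchQueue(label: "example.lock", qos: .utility)
    override init() { super.init(); SKPaymentQueue.default().add(self) }
    func paymentQueue(_ queue: SKPaymentQueue, updatedTransactions txns: [SKPaymentTransaction]) {
        lock.sync { for t in txns { record(t) } }
    }
}
"""

def body_after(src, start):
    """Return the brace-delimited body following `start` (ignores braces in strings/comments)."""
    open_at = src.find("{", start)
    if open_at < 0:
        return ""
    depth = 0
    for i in range(open_at, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_at + 1:i]
    return src[open_at + 1:]  # unbalanced source: take the rest

def audit_swift(src):
    """Summarise StoreKit observer usage in one Swift source string."""
    sync_callbacks = sum(
        1 for m in CALLBACK.finditer(src) if SYNC_CALL.search(body_after(src, m.end()))
    )
    return {
        "observers": CONFORMS.findall(src),          # types watching the payment queue
        "registers": len(REGISTERS.findall(src)),    # places the observer is attached
        "sync_in_callbacks": sync_callbacks,         # callbacks that block on a queue
    }

if __name__ == "__main__":
    print(audit_swift(SAMPLE))
```

Any hit is a prompt to read the file and see whether registration is gated on an explicit opt-in; the regexes are heuristics and will miss conformances declared through typealiases or protocols that refine the observer.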

jaredmixpanel commented 2 years ago

@RamblinWreck77 I just released 4.0.1 with PR https://github.com/mixpanel/mixpanel-swift/pull/559 to address your concerns. Please let me know if that takes care of it.

RamblinWreck77 commented 2 years ago

@jaredmixpanel That looks much better! Thanks for the quick turnaround on this one.