by vlozko
2620 days ago
As an app developer, what worries me is if the third party tools we use do unintended tracking. For example, we use Firebase for tracking crashes and knowing which versions of our apps are being used. We’ve also recently started using them for push notification handling for Android streamlining reasons. In one of the apps I’ve worked on we need location permissions to do geofencing but it’s all local, on device stuff. On the same app we’ve also recently added support for adding/removing calendar events. Again, it’s a feature we added that’s local-only and there’s no data transmission associated with that feature. The only tracking we do is our own home-grown solution that we don’t share externally. With all that in mind, I’m curious how much of that data does Firebase, aka Google, share with all the rest of its services. Does enabling location tracking suddenly cause Firebase to report location data without our knowledge? Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too? I’m not at all accusing Firebase of doing anything without knowledge and maybe it may be a “good citizen” with regards to how it manages and accesses (or doesn’t, even if it can) private data but I’m confident that that’s not the case with every third party tracker.
> Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too?
These are good questions to be thinking about. As for Firebase specifically, I have never seen it automatically collect additional data based on user-granted permissions (at least in iOS apps).
However, there may be a few other SDKs with this sort of issue. It is important for app developers to be careful of this.
For example, when working on similar location tracking research (see: https://guardianapp.com/research/ios-app-location-report-sep...), I noticed that quite a few prominent apps use an SDK from “Braze” (https://www.braze.com/), and if location permission was granted to the “host” app, the SDK automatically sends back the user’s GPS coordinates when communicating with the Braze API. I remember at least one such app developer had no idea Braze was doing that and rushed a fix out soon after to make it stop sending the GPS information to Braze.
I hope we see more pressure on analytics companies to offer more open source SDKs instead of compiled binaries and headers. This sort of issue would be easier to spot and deal with, instead of being unsure what exactly the SDK was doing.