by willstrafach 2620 days ago
> Does enabling location tracking suddenly cause Firebase to report location data without our knowledge?

> Does enabling calendar access suddenly cause Firebase to read the calendar data on its own and report that, too?

These are good questions to be thinking about. As for Firebase specifically, I have never seen it automatically collect additional data based on user-granted permissions (at least in iOS apps).

However, there may be a few other SDKs with this sort of issue. It is important for app developers to be careful of this.

For example, when working on similar location tracking research (see: https://guardianapp.com/research/ios-app-location-report-sep...), I noticed that quite a few prominent apps use an SDK from “Braze” (https://www.braze.com/), and if location permission was granted to the “host” app, the SDK automatically sends back the user’s GPS coordinates when communicating with the Braze API. I remember at least one such app developer had no idea Braze was doing that and rushed a fix out soon after to make it stop sending the GPS information to Braze.

I hope we see more pressure on analytics companies to offer more open source SDKs instead of compiled binaries and headers. This sort of issue would be easier to spot and deal with, instead of being unsure what exactly the SDK was doing.

1 comment

A hundred times this. One big red flag is if you have a 'free' stack which does something useful for you. It is important to ask if it does something 'useful' for the stack developer who gave it to you to use. Perhaps the most canonical example of this was Facebook giving away "free" internet to underserved groups in India. At what point will we have an organization giving away 'free phones' to people as a way of developing demographic data?

On the plus side I think more and more developers and users are becoming aware of the dangers and the actual cost to their privacy and/or brand that these 'free' things expose and so it will perhaps get better.