auto collection of android_id is not compliance with privacy policy

[xyz-fly]

针对android 21 以上
采用的版本是：Bom 30.1.0 firebase-crashlytics 18.2.11

我们在使用该Crashlytics SDK时，我们需要先给用户弹出对话框，展示是否同意隐私权益，如果用户同意后，才可以收集像android ID这样的参数。但弹出隐私协议对话框，还需要用户操作，这个过程需要花费一定时间。但是，app却已经开始调用收集android ID的函数方法。我们希望可以改善这块函数方法，不要在用户未同意隐私权益前，调用这段代码。

我们发现，触发这个收集android id的方法来自于CommonUtils.java的如下函数方法调用：

public static boolean isEmulator(Context context) {
final String androidId = Secure.getString(context.getContentResolver(), Secure.ANDROID_ID);
return Build.PRODUCT.contains(SDK)
|| Build.HARDWARE.contains(GOLDFISH)
|| Build.HARDWARE.contains(RANCHU)
|| androidId == null;
}

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[argzdev]

Translation:

"When we use the Crashlytics SDK, we need to pop up a dialog box for the user to show whether he agrees to the privacy rights. If the user agrees, we can collect parameters such as android ID. However, the pop-up privacy agreement dialog box still requires user operation, and this process takes a certain amount of time. However, the app has already started to call the function method to collect the android ID. We hope to improve this function and do not call this code before the user agrees to the privacy rights."
"We found that the method that triggers this collection of android id comes from the following function method call in CommonUtils.java:"

Thanks for reporting, @xyz-fly. What you can do is refer to our documentation here. You can initially disable firebase_crashlytics_collection_enabled In the application block of your AndroidManifest.xml file

<meta-data
    android:name="firebase_crashlytics_collection_enabled"
    android:value="false" />

Then enable collection through your code when the developer agrees to your privacy rights using: Firebase.crashlytics.setCrashlyticsCollectionEnabled(true)

EDIT: I saw #3320, which looks like even with this configuration, the collection of android ID is not disabled. That being said, I'll reopen this issue for now. Thanks!

[xyz-fly]

Translation:

"When we use the Crashlytics SDK, we need to pop up a dialog box for the user to show whether he agrees to the privacy rights. If the user agrees, we can collect parameters such as android ID. However, the pop-up privacy agreement dialog box still requires user operation, and this process takes a certain amount of time. However, the app has already started to call the function method to collect the android ID. We hope to improve this function and do not call this code before the user agrees to the privacy rights."
"We found that the method that triggers this collection of android id comes from the following function method call in CommonUtils.java:"

Thanks for reporting, @xyz-fly. What you can do is refer to our documentation here. You can initially disable firebase_crashlytics_collection_enabled In the application block of your AndroidManifest.xml file

<meta-data
    android:name="firebase_crashlytics_collection_enabled"
    android:value="false" />

Then enable collection through your code when the developer agrees to your privacy rights using: Firebase.crashlytics.setCrashlyticsCollectionEnabled(true)

EDIT: I saw #3320, which looks like even with this configuration, the collection of android ID is not disabled. That being said, I'll reopen this issue for now. Thanks!

很高兴你快速回复了我的问题。我阅读了你的回复，并按照你说方式尝试补充相关代码。但我发现这并不能解决一开始先调用收集android id的问题。事实上，app在启动的时候，还是会调用到了CommonUtils.java的isEmulator的函数方法，我把调用的截图贴在后面了，希望能对此问题的分析有所帮助。

[mikehardy]

I have linked in here from react-native-firebase (invertase/react-native-firebase#6327), the Huawei app store at least is definitely enforcing this, and google play store has begun enforcing it as well based on my experience with react-native-device-info here react-native-device-info/react-native-device-info#1427

This is a full app rejection issue, if there is any kind of urgency that may be placed on it such that a new patch version of crashlytics is released, that would be great.

[argzdev]

Thanks for the update, @mikehardy & @xyz-fly. I'll be sure to let our engineers know about this.

[ycuwq]

Thanks for the commit, How long is the expected release time?

[argzdev]

We expect this fix to be in a release that is targeted for the week of July 14th. That being said, since this has been merged. I'll be closing this issue now. Thanks!

[zaer22]

@ycuwq 老哥牛啊，我这边也是被华为拒审好几次，提工单也一直没人回，没想到这个问题已经被解决了。

[nuyunhai]

@argzdev Which version is the target version to resolve this problem。I upgrade firebase-bom to 30.2.0，no use however。Or the latest version is still unreleased?

[argzdev]

Hi @nuyunhai, yes, the latest version is still unreleased. The expected target is this week, it should come out soon.

[nuyunhai]

Hi @argzdev ,I find the version of firebase-bom is update today,it's 30.3.0 now. Howerver,i find the problem isn't resolved.Will there be a new version this week?

[ycuwq]

We need this update very much. When will it be updated?

[ycuwq]

I build a crashlytics in master, and it worked. It may help some people.
firebase-crashlytics-18.2.12a.zip
。

[huangnan78100]

Hi @nuyunhai, yes, the latest version is still unreleased. The expected target is this week, it should come out soon.

We need this update very much. When will it be updated?

[chrishopkin-dyson]

@argzdev - We are also waiting on this update, could you confirm when we can expect this fix to be in a release?

[argzdev]

Hi all, apologies for the late response and delayed release. I've followed up with our engineers. The hot fix should be released this week or at most, next week.

[argzdev]

Update: The fix for this is included in Crashlytics version 18.2.12. You may check the release notes here. Thanks!

[nuyunhai]

@argzdev Thanks!I checked it this morning and it's ok now.