android-branch-deep-linking-attribution icon indicating copy to clipboard operation
android-branch-deep-linking-attribution copied to clipboard

Published 20 hours ago verified publisher icon BranchMetrics

Is Branch Android SDK compliant with GDPR?

Open rexhuang1220 opened this issue 1 year ago • 1 comments

Describe the bug

According to the official document, it indicates that Method to change the tracking state. If disabled, the Branch Android SDK will not track any user data or state. The SDK will not send any network calls, except for deep linking, when tracking is disabled.

However, we observe that the SDK still makes API calls when we disable the tracking for testing the deferred deep link case. Furthermore, we found the request body contains GAID when making the API call (v1/install), here is the request body:

{
  "brand": "samsung",
  "model": "SM-M135F",
  "screen_dpi": 450,
  "screen_height": 2199,
  "screen_width": 1080,
  "wifi": true,
  "ui_mode": "UI_MODE_TYPE_NORMAL",
  "os": "Android",
  "os_version": 31,
  "country": "TW",
  "language": "zh",
  "cpu_type": "armv8l",
  "build": "SP1A.210812.016.M135FXXS1AVI1",
  "locale": "zh_TW",
  "connection_type": "wifi",
  "os_version_android": "12",
  "debug": false,
  "partner_data": {},
  "app_version": "1.0.0",
  "initial_referrer": "android-app://com.android.vending",
  "update": 0,
  "environment": "FULL_APP",
  "link_click_id": "1277859295053690554",
  "metadata": {
    "$braze_install_id": "<my braze install ID>"
  },
  "link_identifier": "1277859295053690554",
  "install_referrer_extras": "link_click_id=1277859295053690554&utm_source=app_share&utm_campaign=referafriend&utm_medium=inapp_copy_link",
  "app_store": "PlayStore",
  "advertising_ids": {
    "aaid": "<my GAID>"
  },
  "lat_val": 0,
  "google_advertising_id": "<my GAID>",
  "tracking_disabled": true,
  "sdk": "android5.8.1",
  "branch_key": "<my branch KEY>"
}

As you can see, the request body contains GAID even when "tracking_disabled": true, I doubt is the behavior of Android Branch SDK compliant with GDPR or not.

Steps to reproduce

  1. Disable tracking by calling Branch.getInstance().disableTracking(true)
  2. Click a BranchIO link
  3. Redirect to Google Play Store
  4. Install the target app by adb command
  5. Setup proxy tool to monitor network traffic
  6. Open the target app
  7. We can observe the app makes an API call(v1/install) with GAID in the request body.

Expected behavior

The SDK should not make any API call or it shouldn't send GAID when disabling the tracking

SDK Version

5.8.1

Make and Model

Samsung M13

OS

12

Additional Information/Context

No response

rexhuang1220 avatar Jan 22 '24 12:01 rexhuang1220