WorldHealthOrganization
Firebase sends two requests before ToS is accepted
Needs retesting after updating the Firebase libraries: #1632 - see comment.
This is slightly different from #870. With the fix to #870 in PR #897, we are still seeing two requests on iOS sent to Firebase before the ToS are accepted (thanks for @pwicherski for testing):
POST https://firebaseinstallations.googleapis.com/v1/projects/who-myhealth-staging/installations/ HTTP/1.1
Host: firebaseinstallations.googleapis.com
Accept: */*
X-firebase-client: apple-platform/ios apple-sdk/17E255 fire-analytics/6.4.0 fire-fcm/4.3.0 fire-iid/4.3.2 fire-install/1.1.1 fire-ios/6.6.5 flutter-fire-analytics/5.0.11 flutter-fire-fcm/6.0.13 swift/true xcode/11E146
X-firebase-client-log-type: 3
X-Ios-Bundle-Identifier: int.who.WHOMyHealth
Accept-Language: en-us
X-Goog-Api-Key: AIzaSyBivKEuOx764a41g1tK7yYdYtHPz_GZZmY
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 131
User-Agent: WHO%20COVID-19/2 CFNetwork/1125.2 Darwin/19.3.0
Connection: keep-alive
{"appId":"1:1057717871229:ios:6eb7d73a768f00570dc714","fid":"foSXnI_rrkdKvswqhDBZnG","authVersion":"FIS_v2","sdkVersion":"i:1.1.1"}
POST https://firebaselogging-pa.googleapis.com/v1/firelog/legacy/batchlog HTTP/1.1
Host: firebaselogging-pa.googleapis.com
Content-Type: application/x-protobuf
Accept-Language: en-us
Connection: keep-alive
Accept: */*
Content-Encoding: gzip
User-Agent: datatransport/5.1.0 fllsupport/2.0.1 apple/
X-Goog-Api-Key: AIzaSyB4G40IhwotnuD26vAV-0PAxOVr5zn1BCc
Accept-Encoding: gzip
Content-Length: 407
ú
2".13"13.4*2:iPhoneBenZint.who.WHOMyHealthẅÎĠṁ.2©:Jx86_64R*1:1057717871229:ios:6eb7d73a768f00570dc714bint.who.WHOMyHealth60605000 ẀĠ13.4Â8.0ÈŴØâ
11E146-17E255èŵúapple-platform/ios apple-sdk/17E255 fire-analytics/6.4.0 fire-fcm/4.3.0 fire-iid/4.3.2 fire-install/1.1.1 fire-ios/6.6.5 swift/true xcode/11E146 x 8ãṗæñṁṁ.2Ü:Jx86_64R*1:1057717871229:ios:6eb7d73a768f00570dc714bint.who.WHOMyHealth60605000ẀĠ13.4Â8.0ÈŴØâ
11E146-17E255èŵúÆapple-platform/ios apple-sdk/17E255 fire-analytics/6.4.0 fire-fcm/4.3.0 fire-iid/4.3.2 fire-install/1.1.1 fire-ios/6.6.5 flutter-fire-analytics/5.0.11 flutter-fire-fcm/6.0.13 swift/true xcode/11E146 x 8Ŷ æ ĊḂṖ.@Ḃ

We need to find out:
- Are these requests "okay" to be done before the user has accepted ToS?
- If not, how do we remove them, if that is even possible?
By setting -FIRAnalyticsDebugEnabled, OS_ACTIVITY_MODE=enabled and CFNETWORK_DIAGNOSTICS=3 on Xcode I was able to view all requests made by the app on Console, including Firebase analytics events.
Following Firebase official docs I disabled all analytics events logging in an iOS device by setting FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED to YES on Info.plist.
No more events were being logged, but still those two calls to firebaseinstallations.googleapis.com and firebaselogging-pa.googleapis.com kept showing up.
Unless this is a Firebase bug, it leads me to believe that they don't consider tracking installs of an app as part of "analytics user data collection" as the request doesn't seem to contain any user related info, just Firebase's app IDs and keys.
Also the URL used by Firebase for event analytics is app-measurement.com according to: https://stackoverflow.com/questions/54461349/how-to-decrypt-firebase-requests-to-app-measurement-com/54463682#54463682
possibly worth reporting here: https://github.com/firebase/firebase-ios-sdk
If I recall correctly, Firebase support form has a field to select the project the request refers to, so if a ticket there is wanted then someone with access to this Firebase app should raise it.
@brunobowden We were unable to find a way to get this to work with flutter's use of firebase.
However, firebase's privacy rules have changed since we spoke to them before the WHE shift, and you have updated the versions of the firebase native libraries used, so youll need to retest which firebase requests are made before the tos screen is accepted.
Note it differs for android and iOS, and that sometimes they won't be issued right on boot but instead many minutes after start (if you leave it on the tos screen) or when you switch the app to the background.
@epicfaace - I'm working on updating the firebase libs with #1632. After that lands, it would be very helpful if you can look in to this and see if it still happens.
@epicfaace - #1632 has landed, so would you mind testing this again and see if it's still an issue?
@brunobowden I just tested on the latest master, and these requests are still being sent before the ToS has been accepted. To be clear, there appear to be three requests:
However, my initial question still stands. Are these requests "okay" to be done before the user has accepted ToS? Did we receive specific advice that no requests are absolutely allowed to external servers before the user accepts the ToS?
@epicfaace - this is more driven by making it as respectful of privacy as possible. There wasn't any other motivation.
@epicfaace - can you send a PR to add to the documentation on how you tested this. It would be useful to document it so that others can repeat the tests in the future. I think the client/README.md is probably the best spot unless you suggest something else.
By setting
-FIRAnalyticsDebugEnabled,OS_ACTIVITY_MODE=enabledandCFNETWORK_DIAGNOSTICS=3on Xcode I was able to view all requests made by the app on Console, including Firebase analytics events.
@brunobowden I followed @guillermo-varela 's post above. I believe I just set -FIRAnalyticsDebugEnabled with the following instructions: https://stackoverflow.com/questions/43109486/turning-firebase-analytics-on-on-xcode