Hardcoded tracking to project with token 85053bf24bba75239b16a601d9387e17
marcoboerner opened this issue · 12 comments
The Android SDK seems to be tracking the usage (first integration on a device) of the Mixpanel SDK in a project with the token 85053bf24bba75239b16a601d9387e17, hardcoded at:
../mixpanel-android-7.0.0-sources.jar!/com/mixpanel/android/mpmetrics/MixpanelAPI.java:181
I did not find a way to deactivate that.
@jaredmixpanel @zihejia @csiden not sure if this is true(?), or what your commitment to resolving GH Issues is, but definitely sounds troubling if so and would love to see a response
To summarise:
Every user using the Mixpanel SDK, when the MixpanelAPI class is instantiated, sends an event to https://api.mixpanel.com/track/?ip=1 with content similar to the following (example from my device, base64-decoded).
This is the case even when optOutTrackingDefault is set to true.
App developers, app users (and probably lawyers...) expect exactly 0 network requests and 0 tracking events to be sent out when there is no opt in.
```json
[
  {
    "event": "Integration",
    "properties": {
      "mp_lib": "Android",
      "$lib_version": "7.3.1",
      "$os": "Android",
      "$os_version": "13",
      "$manufacturer": "Xiaomi",
      "$brand": "POCO",
      "$model": "23049PCD8G",
      "$screen_dpi": 440,
      "$screen_height": 2176,
      "$screen_width": 1080,
      "$app_version": "3.43",
      "$app_version_string": "3.43",
      "$app_release": "320",
      "$app_build_number": "320",
      "$has_nfc": true,
      "$has_telephone": true,
      "$carrier": "handyvertrag.de",
      "$wifi": true,
      "$bluetooth_version": "ble",
      "token": "85053bf24bba75239b16a601d9387e17",
      "distinct_id": "[redacted]",
      "Project Token": "[redacted]"
    },
    "$mp_metadata": {}
  }
]
```
As Mixpanel's code to send the "Integration" event is checking whether a boolean flag was set or not, it seems to be possible to just set this value at Application start. Once the MixpanelAPI class gets instantiated, it will not send the event, because the flag is set.
Not sure what the implications of not sending this event are, though.
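```kotlin
import androidx.core.content.edit // KTX extension that provides edit(commit = true) { ... }

// Run at Application start, before MixpanelAPI is instantiated.
val mixpanelProjectToken = "redacted"
getSharedPreferences("com.mixpanel.android.mpmetrics.Mixpanel", MODE_PRIVATE).edit(commit = true) {
    putBoolean(mixpanelProjectToken, true)
}
```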
The iOS SDK seems to have the same "Integration" event, but there, it is not being run when hasOptedOutTracking is true:
Hey @carstenhag we replied to your support ticket on Tuesday but it looks like you may have not received it. I just forwarded it again. The good news is that there's a new release to cover this: https://github.com/mixpanel/mixpanel-android/releases/tag/v7.3.2
Ah thanks - somehow the mail was sent to an old email address I can no longer access. One of my colleagues did get it. Thank you!
@carstenhag what is the purpose of this tracking? Is there any way to get some transparency about who has access to the project or verify the owner of this API key? We are using this package via the react-native SDK and it's certainly never made clear anywhere that the SDK may send telemetry to a third party every time it's initialised. We need better transparency than this.
@dabrowne I completely agree with you - it was also a surprise to us, we had been sending this event for 2-3 years without knowing it (pretty much illegally as it was without the user opt in).
Pretty sure it's "just" sent to Mixpanel themselves, e.g. no third party, but it doesn't really make it better.
@carstenhag is there a representative from Mixpanel involved with this project who can join this discussion? This needs to be removed unless it can be reasonably explained.
@patedit this tracks back to #376 from you 8 years ago. Can you chip in?
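One way to check captured traffic from your own app for the event discussed in this thread (an added example, not part of the original thread and not Mixpanel's code). It assumes the request body is form-encoded with the base64 JSON batch in a `data` field; the function names, the placeholder app token and the sample batch are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

OWN_TOKEN = "APP_PROJECT_TOKEN_PLACEHOLDER"  # placeholder for the app's own project token

def decode_track_body(body):
    """Decode a form-encoded body whose `data` field is base64 JSON (assumed format)."""
    fields = parse_qs(body)
    if "data" not in fields:
        raise ValueError("no data field in request body")
    raw = fields["data"][0].replace(" ", "+")  # an unescaped '+' is parsed as a space
    raw += "=" * (-len(raw) % 4)               # tolerate stripped base64 padding
    events = json.loads(base64.b64decode(raw))
    return events if isinstance(events, list) else [events]

def audit_events(events, own_token, opted_out):
    """Return (event name, reason) findings for one decoded batch."""
    findings = []
    for ev in events:
        name = ev.get("event", "<unnamed>")
        token = ev.get("properties", {}).get("token")
        if token != own_token:
            findings.append((name, "foreign token " + str(token)))
        if opted_out:
            # With no opt-in, the expectation stated in the thread is zero events.
            findings.append((name, "sent while opted out"))
    return findings

def constructed_body(events):
    """Build a request body from a sample batch so the example runs offline."""
    blob = base64.b64encode(json.dumps(events).encode()).decode()
    return urlencode({"data": blob})

# Constructed sample: the "Integration" event from the thread (trimmed) plus one app event.
SAMPLE_EVENTS = [
    {"event": "Integration",
     "properties": {"mp_lib": "Android", "$lib_version": "7.3.1",
                    "token": "85053bf24bba75239b16a601d9387e17"}},
    {"event": "App Opened", "properties": {"token": OWN_TOKEN}},
]

if __name__ == "__main__":
    batch = decode_track_body(constructed_body(SAMPLE_EVENTS))
    for name, reason in audit_events(batch, OWN_TOKEN, opted_out=True):
        print(name, "->", reason)
```
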