I cannot find any information for this online so I have resorted to posting here. Past two years of my career as an Android dev, I have been making libraries and SDKs that clients will add as a dependency to their application. Obviously, we as platform owners want to gather any information from an analytic standpoint that will give us better insight into the usage of our modules we offer. Usually this is fine, we will just implement Firebase or some other tracking tool and track events we are interested in, and generate a user profile. Here's where my question comes in.
Why do security audits always flag this? Every time I have started integrating with bigger companies, their security audit flags that we are collecting analytics data. This gets flagged even when we have communicated this to the client, agreed upon this in signed contracts, and had the client update their EULA to reflect that we will, in fact, track data with their dependency on us. The third party compliance company always requires us to remove all tracking data before continuing with the client. The continual message being "you can't gather information on device".
This then becomes a chore where I always have to create some UUID in the dependency, expose it to the customer, then have the customer attach that UUID to events we are interested in. Then we collect the aggregate data at their end of the pipeline. Still requires the customer to update their EULA, and we are technically still collecting data, just not directly. This approach passes the security audit every time. What is the difference? Is this just the way the industry is heading as privacy concerns are more in the spotlight these days? Anyone else have similar experiences / different solutions?
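The pattern the poster describes (the dependency mints an opaque UUID, the host app attaches it to events it already sends through its own pipeline), written out in Kotlin as an added illustration. This is not the poster's code or any real SDK; `ModuleTelemetryId`, the preference file name, `CheckoutFeature` and the host-side `AppAnalytics.logEvent` stand-in are all assumptions.

```kotlin
import android.content.Context
import java.util.UUID

// Added illustration (not the poster's code). The dependency mints an opaque,
// install-scoped identifier and hands it to the host application. It opens no
// network connections and reads no device identifiers (IMEI, advertising id,
// account names), so nothing leaves the device unless the host decides to send it.
object ModuleTelemetryId {
    private const val PREFS = "module_telemetry"   // assumed preference file name
    private const val KEY_ID = "install_id"

    // Returns a random v4 UUID generated on first call and persisted locally.
    // It carries no device or user attribute, so it cannot be correlated across
    // apps or across a reinstall; only the host app decides whether it is ever sent.
    fun get(context: Context): String {
        val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
        prefs.getString(KEY_ID, null)?.let { return it }
        val fresh = UUID.randomUUID().toString()
        prefs.edit().putString(KEY_ID, fresh).apply()
        return fresh
    }

    // Lets the host honour an opt-out or data-deletion request by discarding the id;
    // the next get() call mints an unrelated one.
    fun reset(context: Context) {
        context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
            .edit().remove(KEY_ID).apply()
    }
}

// Host-side (customer) code. AppAnalytics is a stand-in for whatever analytics
// tool the customer already ships (a Firebase wrapper, an in-house collector);
// it is an assumption for this example, not a real API.
object AppAnalytics {
    fun logEvent(name: String, params: Map<String, String>) {
        // The customer's own pipeline sends this under the customer's own EULA.
    }
}

class CheckoutFeature(private val context: Context) {
    // The customer attaches the module's id to an event it was already emitting.
    // The dependency never sees the event, the user, or the customer's analytics
    // configuration; the aggregate reaches the SDK vendor from the customer's side.
    fun onPaymentCompleted(amountCents: Long) {
        val moduleId = ModuleTelemetryId.get(context)
        AppAnalytics.logEvent(
            name = "module_payment_completed",
            params = mapOf(
                "module_install_id" to moduleId,          // opaque, not PII
                "amount_cents" to amountCents.toString(),
            ),
        )
    }
}
```

What an auditor can verify in this layout, as opposed to an SDK that embeds its own tracker: the dependency's code has no network egress and no calls to identifier or permission-gated APIs, so its data footprint can be confirmed by static review of the library alone, and every byte that leaves the device goes through a pipeline the customer owns, configures and can switch off. That property, rather than whether the vendor is "technically" collecting data, is usually what the second approach demonstrates and the first cannot.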