
This is a bit alarmist. I develop a popular app that has no advertising but I still ship Mixpanel and Crashlytics. I do that because I need to know how people are using the app in order to make the app better. That's it. If the app crashes and I don't know about it then I can't fix it and my users would hate me. Without these tools the apps would be worse.


I wouldn't use Crashlytics. I use ACRA (https://github.com/ACRA/acra) for a project that has around 30k active installs.

I also wouldn't use Crashlytics due to a study that we've conducted in the last 3 months on 200 of the most used apps in Germany. We have collected real network traffic with a setup consisting of Wireshark and sslsplit (https://github.com/droe/sslsplit). We have discovered that Crashlytics will send GPS location data alongside bug reports. Probably it tries to collect as much data as possible.


You might have a good excuse, but don't deny what is really going on here.

These "free" analytics services have a dark side. The price for using them is that they get to build profiles of your users, with varying degrees of invasiveness. And once you sign up with them, you are selling out your users.


I believe the point of the article is that the data belongs in 3rd party hands. You might not be doing anything nefarious with the data, but that data does not belong to you and it is outside of your control to protect your users.

Given IP addresses, device identifiers, application identifiers, and timestamps - these 3rd party applications now have some pretty valuable signals that can be aggregated with other signals from other tracking methods to create a detailed profile linking users across devices, browsers, and geo locations.


Many of those third parties do not own the data - the data is owned by whoever's account (will obviously vary).


That is like saying Facebook does not own the content uploaded to it. These analytic tools are the ones doing the collection; at the end of the day it is their data that they allow you to use.


No, it's entirely unlike that. From the Amplitude MSA:

https://amplitude.com/msa/

All Customer Data is, or shall be, and shall remain the property of Customer. Customer Data shall not be used by Amplitude or its agents other than in connection with providing the Service or support under the terms of the applicable Order Form and this Agreement. Customer hereby grants Amplitude a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free license to use, collect, transfer and process, the Customer Data for the sole purpose of Amplitude providing the Service and support to Customer under the terms of the applicable Order Form and this Agreement. In addition, Customer shall own all right, title and interest to the Results obtained by Customer through Customer’s use of the Service. For purposes of this Agreement, “Results” shall mean the data based on Customer Data resulting from Customer’s use of the Service.


Yep, I agree completely. I work on a relatively well known app, and we use Crashlytics to monitor crashes (duh), and other tracking software to reduce friction in the app.

We don't care who tapped button A instead of button B, we just want to know how many people tapped button A instead of button B.


You don't care, but we can be reasonably sure that Crashlytics has access to that data.

Even if they don't use it with ill intent themselves (there's really no way to know one way or the other), we can also be reasonably sure that it won't stay secure with them forever.


All the data is anonymous, though: the only identifying info we're sending them is an internal Customer ID.



