A GDPR compliant version #1182

Open
qroac opened this issue Jan 14, 2020 · 3 comments
Comments

@qroac
Contributor

qroac commented Jan 14, 2020

After the big waves tossed by privacy scandals around the medical app ADA (https://www.heise.de/ct/artikel/Massive-privacy-deficiencies-in-the-health-app-Ada-4551629.html), we started investigating the state of privacy of the app built on this kit.
While this kit is really great to work with and expo might be good in development, for building an app that works with customer information and therefore has to respect the GDPR on the European market, expo seems to be a pain in the ass.

  • The standalone app (from exp ba) polls several AWS instances (we logged the traffic).
  • In its privacy policy, expo claims to collect usage statistics containing IPs and user interactions, performance metrics and crash reports, and to share these with third-party vendors like Amazon, Apple, Google and others.
    See https://expo.io/privacy and https://forums.expo.io/t/expo-list-of-vendors/18511
  • It includes SDKs that are not needed for the application itself, e.g. the Facebook SDK.

I already opened a request to expo to make SDKs and functionality with outbound calls configurable.
expo/expo#6763

In addition to that, to give developers the possibility to avoid expo if they don't want to use it, would it be possible to create a second mobile client working as a bare react native app without expo?

@qroac qroac changed the title A version without expo A GDPR compliant version Jan 14, 2020
@larixer
Member

larixer commented Jan 14, 2020

@Theweird Yeah, going to pure react native instead of Expo sounds good to me. Though I'm not sure when we will have internal bandwidth at SysGears to make the switch, I will certainly welcome contributions in this direction.

@qroac
Contributor Author

qroac commented Jan 18, 2020

My issue in expo/expo was closed with a fortunate message.
It seems they already plan to give developers the opportunity to exclude vendor libs and functions that are not used. So maybe expo will be fine for GDPR in the near future.

@qroac
Contributor Author

qroac commented Sep 9, 2020

Update:

expo added a new experimental feature to exclude unused libraries from the APK build:
https://github.com/expo/fyi/blob/master/managed-app-size.md

However, this still leaves 3 statistical trackers in the build.
I added a feature request for options to disable these SDKs as well.
Some upvotes would be great to give it a higher importance.

https://expo.canny.io/feature-requests/p/option-to-exclude-statistic-tracker-in-managed-workflow-gdpr
