Hey Folks,
I work at a publisher for mobile games. We have some AIR games in our portfolio and need to make sure that all our apps comply with the new European GDPR law and accompanying Google and Apple software policies. This means that mobile apps cannot make ANY network calls without first informing the user why they are needed and we need to ask for explicit permission first. However, whenever we start one of our AIR apps on a mobile device it automatically makes a network call to https://airdownload2.adobe.com. Can anyone tell me what this call is for and how we can disable it? If we cannot disable it then we may have to pull all our AIR apps from Google Play and the iOS app store since we cannot risk any lawsuits, so an answer would be much appreciated.
Thanks!
Hey, as many others we are also currently preparing for the new rules. Can you link a source where it says you can not have any network calls before approval of the users? Also, our understanding currently is that it would be sufficient to link the terms of service in the app description to state that using the app requires consent with those.
Additionally, in response to the GDPR law Google created their own software policies, these are even more strict and explicit than the GDPR law. The information is unfortunately spread out over multiple blog posts, articles and announcements, you can find most of the information here:
Google Online Security Blog: Additional protections by Safe Browsing for Android users
Unwanted Software Policy | Google – Google
Privacy, Security, and Deception - Developer Policy Center
Android will flag snooping apps that don’t warn users
What it boils down to is that you cannot collect ANY information or make any network calls before informing the user and asking for consent. Our legal department has evaluated the situation and we are now making sure that all of our apps don't make any network calls whatsoever before a popup is shown to the user and consent is given.
*There is a sound reason for this: if a company collects data while you are browsing "anonymously" and they link that data to your IP, then later if you log in to one of their services with the same IP you identify yourself and they can link your "anonymous" data to your logged-in identity. This is why even a dynamic IP is seen as personal information and logging it without prior warning and consent is illegal. Of course there is a difference between websites and apps: websites cannot work at all without you making a request and them knowing your IP (so they can receive the IP address but not log it or store it); apps, however, should not need to make any network calls for them to be able to start.
Bump. This needs to be cleared up before 25 May 2018 when the GDPR law is enforced. If Adobe does not respond to this we as a publisher may be forced to delete all our AIR apps from the Google Play and Apple App Store so that we do not risk lawsuits and damage to our reputation both with Google/Apple and towards our customers (we do not want any of our apps flagged for privacy violations).
This requires an official response from Adobe and appropriate action. If this issue is not addressed then we as a publisher, our developers and many other AIR developers will be directly affected and may incur significant losses in our business and income. If this is the case then I expect people will hold Adobe accountable. A response from Adobe would be prudent; if there is any way to escalate this message so that we can get an official response, that would be much appreciated.
I've also created a bug tracker here: Tracker
This actually does seem like a perfect case of legitimate interests. It's the only way to make the app work properly. Without this the app couldn't work at all.
@Swyze: Do you know what this network call is used for?
If it's for updates, apps published with a captive AIR runtime do not need updates to work properly. They also work perfectly fine offline without the need for any network calls.
If the call is for analytics, that's not a legitimate interest, that's exactly and explicitly what the GDPR and Google/Apple software policies intend to prevent.
I don't agree these would be cases for legitimate interests unfortunately.
a network call "as is" does not fall under GDPR
eg. https://airdownload2.adobe.com
without query parameters in a GET request
or body data in a POST request
does not transfer user data to an Adobe server
unless PII are passed to the URL call there is no need to worry about GDPR
have a look at
Adobe Analytics and General Data Protection Regulation (GDPR)
Hey zwetan_uk, thanks for the feedback.
Any network call identifies the user to the receiver. If the IP is logged then that is data collection. There have been court cases about this, even dynamic IPs have been ruled to be "personal information", so they cannot be collected. At this point we have no idea what the call is being made for so we also don't know if IPs are being logged.
Unfortunately we don't just have to contend with the GDPR, there's also Google and Apple's own software policies, which are even more explicit and restrictive (see the links in my earlier post). Google will label apps as violating users' privacy if they don't first show a consent popup, which will also negatively affect their search rankings and make them ineligible for a feature.
What's frustrating is that we don't know what this call is being made for at all: analytics, updates or whatever it may be. Developers have no choice to opt-in/out. We never requested or enabled analytics by Adobe, also we don't have access to the data so we have no idea what is being collected.
If the call is being made for Analytics, as the link you provided implies, then that is actually a problem.
I'm not gonna go too much in depth about it and I'm not a lawyer
yes, an IP address is considered as personal information (or personal data)
and GDPR is clear: no personal data without consent
but when your AIR app initialises a connection to an Adobe server
you, as a software provider, do not collect or process the data
if any data was sent during this network call
Adobe on the other end is to be considered as a data collector (controller)
they are the one who stores the IP address on their server logs
and technically they may not store the full IP address
for example (like with google analytics) you can anonymize an IP address
by removing the last 2 bytes
eg. 192.168.1.1 (full)
vs 192.168.0.0 (last 2 bytes removed and so anonymized)
For other things Adobe is also to be considered a data processor
and they cover it to a great extent on their privacy pages
Desktop App Usage Information FAQ
EU-U.S. Privacy Shield/European data transfers
General data protection regulation, GDPR | Adobe Privacy Center
but more importantly, you have the right to store the IP address on a server log
as long as it is used for the security of the system
see
https://www.ctrl.blog/entry/gdpr-web-server-logs
You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.
but again it is not your server collecting the data
Hey zwetan_uk,
Appreciate your arguments. Unfortunately Google is very clear about this, no matter which SDKs, libraries or tools you include in your app, only you as the app's developer will be held responsible for the behaviour of the app. In this case that includes passing data to a "data processor", which appears to be exactly what these policies intend to prevent. That's why we're so strict on this.
it would be nice to have more details where it does happen,
my guess is with an .air installed on the desktop
couple of possible solutions
publish a captive runtime / bundle
which you need to build a custom installer anyway
in the custom installer define an EULA
where you inform the user of what personal data is tracked/collected/stored/etc.
and the user HAS TO consent to install
if you absolutely need to publish an .air
then at the download screen inform the user
that by installing this software this and that personal data
will be collected/stored/etc.
clicking the download link is imho not enough to express consent
so you should do the double opt-in
see GDPR Email Consent - Double Opt-in / Soft opt-in Explained - Mailjet
Double opt-in is when individuals need to confirm their email address before being added to your email list and receive email communication from you. It is the double confirmation of their subscription to your newsletter or any services needing their email details. Using double opt-in in email marketing is a good way to ensure compliance regarding consent under GDPR.
in the case of a software install the user has to confirm their email address
either before being able to install the software or to run the software
edit
you mention this happens on mobile which is strange
could you confirm it happens with a bundled AIR app for mobile?
did you try on Android to remove the air prefix too?
Hey rik,
can you share how you are tracing network calls on Android or iOS built with Adobe Air? I am trying to connect the Android Studio Profiler but it always reports "no debuggable processes" which I assume is because Air does not support Android Studio debugging. Do you have a better way of analyzing the network calls?
Kind regards
Hey rewb0rn,
Sorry for the late reply, we use Charles web proxy (https://www.charlesproxy.com/). We run it on a pc/mac, then connect to it via wi-fi, then we can snoop all the network traffic. There we can see the call to https://airdownload2.adobe.com being made on app start.
Thanks and cheers
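A way to turn the proxy capture described above into a repeatable check, as an added example that is not part of the original post: it reads a HAR export of the session and lists every request that started before the consent dialog was accepted. The consent timestamp (noted by the tester), the function names, the sample timestamps and the `cdn.example.com` host are assumptions; only `airdownload2.adobe.com` comes from the thread.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout. Timestamps are made up and
# cdn.example.com is a placeholder host (assumption, not from the thread).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"startedDateTime": "2018-05-20T10:00:01.250Z",
     "request": {"method": "GET", "url": "https://airdownload2.adobe.com/"}},
    {"startedDateTime": "2018-05-20T10:00:02.000Z",
     "request": {"method": "GET", "url": "https://cdn.example.com/consent-text.json"}},
    {"startedDateTime": "2018-05-20T10:00:09.500Z",
     "request": {"method": "POST", "url": "https://cdn.example.com/score"}},
]}})


def parse_ts(value):
    """Parse a HAR ISO 8601 timestamp; a trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pre_consent_requests(har_text, consent_time, allowed_hosts=()):
    """Return (timestamp, method, host) for requests started before consent.

    consent_time must carry a UTC offset or 'Z', like the HAR timestamps.
    allowed_hosts lists hosts the team has decided may be contacted early,
    for example the server that delivers the consent text itself.
    """
    consent = parse_ts(consent_time)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        started = parse_ts(entry["startedDateTime"])
        request = entry["request"]
        host = (urlsplit(request["url"]).hostname or "").lower()
        if started < consent and host not in allowed:
            findings.append((entry["startedDateTime"], request["method"], host))
    return findings


if __name__ == "__main__":
    # Consent accepted at 10:00:05 in the constructed session.
    for ts, method, host in pre_consent_requests(SAMPLE_HAR, "2018-05-20T10:00:05.000Z"):
        print(ts, method, host)
```

Run against a capture of each release build, an empty result is the evidence QA needs that nothing leaves the device before the popup is answered.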
Hey zwetan_uk,
Sorry for the late reply. This happens for mobile apps packaged with a captive AIR runtime. We've seen this with apps with and without the air. prefix.
Thanks and cheers
According to Adobe this has been fixed with AIR 31 :D. It took a while, but big thanks for responding and solving the problem Adobe!
Issue tracker: Tracker
Hi,
how exactly was this resolved? Is the tracking call removed completely or do we have to deactivate it manually?
Thanks in advance
Our QA has tested the latest build of one of our AIR apps for Android and has checked the network traffic, the network call is no longer being made on app start. We did not have to make any changes for this (other than updating to AIR 31).