Prevent network call on app start to https://airdownload2.adobe.com (violates GDPR law)

Explorer ,
Apr 11, 2018

Hey Folks,

I work at a publisher for mobile games, we have some AIR games in our portfolio and need to make sure that all our apps comply with the new European GDPR law and accompanying Google and Apple software policies. This means that mobile apps cannot make ANY network calls without first informing the user why they are needed and we need to ask for explicit permission first. However, whenever we start one of our AIR apps on a mobile device it automatically makes a network call to https://airdownload2.adobe.com. Can anyone tell me what this call is for and how we can disable it? If we cannot disable it then we may have to pull all our AIR apps from Google Play and the iOS app store since we cannot risk any lawsuits, so an answer would be much appreciated.

Thanks!

According to Adobe this has been fixed with AIR 31 :D. It took a while, but big thanks for responding and solving the problem Adobe!

Issue tracker: Tracker

Advocate ,
Apr 11, 2018

Hey, like many others we are also currently preparing for the new rules. Can you link a source where it says you cannot have any network calls before approval of the users? Also, our understanding currently is that it would be sufficient to link the terms of service in the app description to state that using the app requires consent with those.

Explorer ,
Apr 12, 2018

There are the GDPR rules as set by the European Union which do make an exception for collection of data for "legitimate interests", such as data that has to be sent for the proper operation of the app/software, however the definition of "legitimate interests" is very murky. The only case I could find where "legitimate interest" was judged to be the case was a German government agency that was logging IPs in order to prevent fraud with unemployment benefits. Our legal department has weighed the risks and we've chosen not to take any risks in this regard, gambling on network calls used essentially for analytics being counted as "legitimate interest" is not something we want to do. Also, there have even been lawsuits that have set a legal precedent for dynamic IP addresses being counted as "personal information", which means any network call can be seen as collection of personal information (collection, not necessarily storage, the legal distinction for this is also vague though)*. Hypothetically though, even if this network call would fall under "legitimate interests", the user would still have to be informed of it before it is made and have a chance to opt-out.

Additionally, in response to the GDPR law Google created their own software policies, these are even more strict and explicit than the GDPR law. The information is unfortunately spread out over multiple blog posts, articles and announcements, you can find most of the information here:

Google Online Security Blog: Additional protections by Safe Browsing for Android users

Unwanted Software Policy | Google – Google

Privacy, Security, and Deception - Developer Policy Center

Android will flag snooping apps that don’t warn users

What it boils down to is that you cannot collect ANY information or make any network calls before informing the user and asking for consent. Our legal department has evaluated the situation and we are now making sure that all of our apps don't make any network calls whatsoever before a popup is shown to the user and consent is given.

*There is a sound reason for this: if a company collects data while you are browsing "anonymously" and they link that data to your IP, then later if you log in to one of their services with the same IP you identify yourself and they can link your "anonymous" data to your logged in identity. This is why even a dynamic IP is seen as personal information and logging it without prior warning and consent is illegal. Of course there is a difference between websites and apps, websites cannot work at all without you making a request and them knowing your IP (so they can receive the IP address but not log it or store it), apps however should not need to make any network calls for them to be able to start.

Explorer ,
Apr 17, 2018

Bump. This needs to be cleared up before 25 May 2018 when the GDPR law is enforced. If Adobe does not respond to this we as a publisher may be forced to delete all our AIR apps from the Google Play and Apple App Store so that we do not risk lawsuits and damage to our reputation both with Google/Apple and towards our customers (we do not want any of our apps flagged for privacy violations).

This requires an official response from Adobe and appropriate action. If this issue is not addressed then we as a publisher, our developers and many other AIR developers will be directly affected and may incur significant losses in our business and income. If this is the case then I expect people will hold Adobe accountable. A response from Adobe would be prudent, if there is any way to escalate this message so that we can get an official response that would be much appreciated.

I've also created a bug tracker here: Tracker

Explorer ,
May 04, 2018

This actually does seem like a perfect case of legitimate interests. It's the only way to make the app work properly. Without this the app couldn't work at all.

Explorer ,
May 04, 2018

@Swyze: Do you know what this network call is used for?

If it's for updates, apps published with a captive AIR runtime do not need updates to work properly. They also work perfectly fine offline without the need for any network calls.

If the call is for analytics, that's not a legitimate interest, that's exactly and explicitly what the GDPR and Google/Apple software policies intend to prevent.

I don't agree these would be cases for legitimate interests unfortunately.

Enthusiast ,
May 10, 2018

a network call "as is" does not fall under GDPR
eg. https://airdownload2.adobe.com

without query parameters in a GET request
or body data in a POST request
does not transfer user data to an adobe server

unless PII are passed to the URL call there is no need to worry about GDPR

have a look at

Adobe Analytics and General Data Protection Regulation (GDPR)

Explorer ,
May 11, 2018

Hey zwetan_uk, thanks for the feedback.

Any network call identifies the user to the receiver. If the IP is logged then that is data collection. There have been court cases about this, even dynamic IPs have been ruled to be "personal information", so they cannot be collected. At this point we have no idea what the call is being made for so we also don't know if IPs are being logged.

Unfortunately we don't just have to contend with the GDPR, there's also Google and Apple's own software policies, which are even more explicit and restrictive (see the links in my earlier post). Google will label apps as violating users' privacy if they don't first show a consent popup, which will also negatively affect their search rankings and make them ineligible for a feature.

What's frustrating is that we don't know what this call is being made for at all: analytics, updates or whatever it may be. Developers have no choice to opt-in/out. We never requested or enabled analytics by Adobe, also we don't have access to the data so we have no idea what is being collected.

If the call is being made for Analytics, as the link you provided implies, then that is actually a problem.

Enthusiast ,
May 11, 2018

I'm not gonna go too much in depth about it and I'm not a lawyer

yes, an IP address is considered as personal information (or personal data)

and GDPR is clear: no personal data without consent


but when your AIR app initialises a connection to Adobe server

you as a software provider you do not either collect or process the data

if any data was sent during this network call

Adobe on the other end is to be considered as a data collector (controller)

they are the one who stores the IP address on their server logs

and technically they may not store the full IP address
for example (like with google analytics) you can anonymize an IP address

by removing the last 2 bytes

eg. 192.168.1.1 (full)
vs   192.168.0.0 (last 2 bytes removed and so anonymized)

For other things Adobe is also to be considered a data processor
and they cover it to a great extent on their privacy pages


see
Adobe Privacy Policy

Desktop App Usage Information FAQ

EU-U.S. Privacy Shield/European data transfers

General data protection regulation, GDPR | Adobe Privacy Center

but more importantly, you have the right to store the IP address on a server log

as long as it is used for the security of the system

see

https://www.ctrl.blog/entry/gdpr-web-server-logs

Legal basis for collecting and storing logs without consent

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.

but again it is not your server collecting the data

Explorer ,
May 11, 2018

Hey zwetan_uk,

Appreciate your arguments. Unfortunately Google is very clear about this, no matter which SDKs, libraries or tools you include in your app, only you as the app's developer will be held responsible for the behaviour of the app. In this case that includes passing data to a "data processor", which appears to be exactly what these policies intend to prevent. That's why we're so strict on this.

Enthusiast ,
May 11, 2018

it would be nice to have more details where it does happen,
my guess is with an .air installed on the desktop

couple of possible solutions

publish a captive runtime / bundle
which you need to build a custom installer anyway
in the custom installer define an EULA
where you inform the user of what personal data is tracked/collected/stored/etc.
and the user HAS TO consent to install

if you absolutely need to publish an .air
then at the download screen inform the user

that by installing this software this and that personal data

will be collected/stored/etc.

clicking the download link is imho not enough to express consent

so you should do the double opt-in

see GDPR Email Consent - Double Opt-in / Soft opt-in Explained - Mailjet

Double opt-in is when individuals need to confirm their email address before being added to your email list and receive email communication from you. It is the double confirmation of their subscription to your newsletter or any services needing their email details. Using double opt-in in email marketing is a good way to ensure compliance regarding consent under GDPR.

in the case of a software install the user has to confirm their email address
either before being able to install the software or to run the software

edit

you mention this happens on mobile which is strange

could you confirm it happens with a bundle AIR app for mobile?
did you try on Android to remove the air prefix too?

Advocate ,
May 15, 2018

Hey rik,

can you share how you are tracing network calls on Android or iOS built with Adobe Air? I am trying to connect the Android Studio Profiler but it always reports "no debuggable processes" which I assume is because Air does not support Android Studio debugging. Do you have a better way of analyzing the network calls?

Kind regards

Explorer ,
May 29, 2018

Hey rewb0rn,

Sorry for the late reply, we use Charles web proxy (https://www.charlesproxy.com/). We run it on a pc/mac, then connect to it via wi-fi, then we can snoop all the network traffic. There we can see the call to https://airdownload2.adobe.com being made on app start.

Thanks and cheers

Explorer ,
May 29, 2018

Hey zwetan_uk,

Sorry for the late reply. This happens for mobile apps packaged with a captive AIR runtime. We've seen this with apps with and without the air. prefix.

Thanks and cheers

Explorer ,
Oct 16, 2018

According to Adobe this has been fixed with AIR 31 :D. It took a while, but big thanks for responding and solving the problem Adobe!

Issue tracker: Tracker

Advocate ,
Oct 16, 2018

Hi,

how exactly was this resolved? Is the tracking call removed completely or do we have to deactivate it manually?

Thanks in advance

Explorer ,
Nov 07, 2018

Our QA has tested the latest build of one of our AIR apps for Android and has checked the network traffic, the network call is no longer being made on app start. We did not have to make any changes for this (other than updating to AIR 31).
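
The check described in this thread (route the device through a proxy, then look at what the app sends on start, as in the Charles post and the QA retest above) can be automated. The following is an added example, not part of any post or of Adobe's tooling; it assumes the proxy capture was saved in HAR format and that the tester noted when consent was given, and the sample entries, the `example-game.test` hosts and the consent time are constructed.

```python
import json
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample capture in HAR 1.2 layout (only the fields used here).
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"startedDateTime": "2018-05-29T10:00:01.250Z",
   "request": {"method": "GET", "url": "https://airdownload2.adobe.com/"}},
  {"startedDateTime": "2018-05-29T10:00:09.000Z",
   "request": {"method": "POST", "url": "https://api.example-game.test/session"}},
  {"startedDateTime": "2018-05-29T10:00:03.500+00:00",
   "request": {"method": "GET", "url": "https://cdn.example-game.test/banner.png"}}
]}}
""")


def parse_ts(value):
    """Parse a HAR ISO 8601 timestamp; older Pythons reject a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def pre_consent_requests(har, consent_at=None, allowed_hosts=()):
    """Return (timestamp, method, host) for requests started before consent.

    consent_at=None means consent was never given during the capture, so
    every request is a finding. allowed_hosts are hosts the reviewer has
    decided may be contacted without consent.
    """
    cutoff = parse_ts(consent_at) if consent_at else None
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for entry in har["log"]["entries"]:
        started = parse_ts(entry["startedDateTime"])
        request = entry["request"]
        host = (urlsplit(request["url"]).hostname or "").lower()
        if host in allowed:
            continue
        if cutoff is None or started < cutoff:
            findings.append((started, request["method"], host))
    return sorted(findings)  # chronological, regardless of capture order


def hosts_contacted(findings):
    """Count findings per host, for a short report."""
    return Counter(host for _, _, host in findings)


if __name__ == "__main__":
    # Constructed consent time: the tester tapped "accept" at 10:00:05 UTC.
    for started, method, host in pre_consent_requests(
            SAMPLE_HAR, "2018-05-29T10:00:05Z"):
        print(started.isoformat(), method, host)
```

Run against a capture from a build before and after a runtime update, an empty result for the pre-consent window is the regression check the QA post describes.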
