Firebase: the cost of its free service

We needed deep-link functionality to simplify our registration process. We decided to use Firebase because:

1/ it’s regularly updated

2/ it’s free

3/ it’s simple to use

4/ We actually self-manage our push notifications system but are considering using an external service (and Firebase has a lot to offer)

To use it, we simply use the native SDK (iOS & Android) and expose it to our JavaScript code (React-Native).

A few days ago, we decided to audit our main application and, I have to admit, I didn’t think Google/Firebase would upload so much data!

But hey, if you are not paying, you’re the product…

By default, Firebase reads (only locally, i.e. it is not sending it):

  • contacts information
  • GPS data
  • Speed

But they also:

  • Read images from the terminal memory and send them to https://app-measurement.com
  • Read the hardware information and send it to https://app-measurement.com
  • Read all the files of your application cache folder and send them to https://app-measurement.com
  • Make HTTP requests to pagead2.googlesyndication.com, plus.google.com and googleapis.com (shadow profile?)

I tried to include DynamicLinks-related stuff only. But in fact, even if you only use Firebase DynamicLinks, you have to instantiate FirebaseCore. And what is FirebaseCore? It’s FirebaseAnalytics… And FirebaseAnalytics seems to also use FirebaseInstanceID.

For a moment I wondered if we shouldn’t remove Firebase and use something else… Maybe something like branch.io is more respectful of my users’ privacy… But after looking at the code and checking this kind of issue on the internet, I finally found something useful:

We can permanently deactivate collection of the analytics: https://firebase.google.com/support/guides/disable-analytics

I have to launch another audit to see if some of these issues are still relevant, but I’m more confident now.
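
A build-time check for the permanent deactivation linked above, as an added example that is not part of the original post: it verifies that the Android manifest and the iOS Info.plist carry the flags Firebase documents for this (`firebase_analytics_collection_deactivated` and `FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED`). The function names and sample inputs are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANDROID_KEY = "firebase_analytics_collection_deactivated"
IOS_KEY = "FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED"

# Constructed sample inputs (not taken from any real application).
MANIFEST_OK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <meta-data android:name="firebase_analytics_collection_deactivated"
               android:value="true" />
  </application>
</manifest>"""
# Same flag nested under <activity>: it is no longer application-level metadata.
MANIFEST_MISPLACED = MANIFEST_OK.replace(
    "<application>", '<application><activity android:name=".Main">'
).replace("</application>", "</activity></application>")
PLIST_OK = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            b"<key>FIREBASE_ANALYTICS_COLLECTION_DEACTIVATED</key><true/>"
            b"</dict></plist>")
PLIST_MISSING = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict/></plist>'


def android_deactivated(manifest_xml: str) -> bool:
    """True only if a direct child of <application> sets the flag to "true"."""
    root = ET.fromstring(manifest_xml)
    for meta in root.findall("./application/meta-data"):
        if meta.get(ANDROID_NS + "name") == ANDROID_KEY:
            # A resource reference such as "@bool/..." fails here: review by hand.
            return meta.get(ANDROID_NS + "value", "").strip().lower() == "true"
    return False


def ios_deactivated(info_plist: bytes) -> bool:
    """True only if Info.plist holds the key as a Boolean true (strict on purpose)."""
    return plistlib.loads(info_plist).get(IOS_KEY) is True


def audit(manifest_xml: str, info_plist: bytes) -> dict:
    """Per-platform result; any False should fail the build."""
    return {"android": android_deactivated(manifest_xml),
            "ios": ios_deactivated(info_plist)}


if __name__ == "__main__":
    print(audit(MANIFEST_OK, PLIST_OK))
    print(audit(MANIFEST_MISPLACED, PLIST_MISSING))
```

On Android, run it against the merged manifest produced by the build rather than the source file, since library manifests are merged into the final one.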