I've recently set up Firebase Analytics with my website. I was beginning to add some events to be logged and realized any arbitrary event could artificially be called. I could just go into my browser's console and run the command firebase.analytics().logEvent('some_fake_event').
If you know a website is using firebase analytics, what's to stop you from simply spamming fake events into your console? The website owner's analytics would become fairly screwed up. Also, firebase mentions that there's a 500 event-type limit. One could also run firebase.analytics().logEvent('fake_event_1'), firebase.analytics().logEvent('fake_event_2'), etc. Oops, the website owner can't create any more new (legitimate) event types.
What is in place to prevent this?
The logEvent method will be available once you rely on standard firebase SDK. The only way to prevent this would be to obfuscate the library you're using.
Related
We have a web app that users log into using Firebase Auth. According to our the authentication section of our firebase console, we have 690 user that have created accounts, and we believe that is correct.
According to our Firebase Analytics console, we have 2,100 new users in the past 90 days. I think I understand that Firebase Analytics tracks users with a device ID (?). So, if this were a iOS app, an uninstall and install would trigger a a new user counted in analytics. But, how does this work on a web app? Cookie? Some kind of browser id? A session?
So, I think if we want to track unique users accurately, we would use the set the user id, with this:
https://firebase.google.com/docs/reference/js/firebase.analytics.Analytics#setuserid
Which according to the docs linked above, 'Use gtag 'config' command to set 'user_id'. So it does this: https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id#set_user_id
Which allows the users to be tracked across sessions. Therefore, users should not double count.
Notice that the setUserId section in the firebase analytics docs does not have a web section (although the setUserID function does exist in the javascript sdk as shown tow links above) https://firebase.google.com/docs/analytics/userid
So... would it then work to get the user id (uid) when they log in (https://firebase.google.com/docs/reference/js/firebase.User). And then use the setUserId method to set the id?
It's unclear because the documentation does not seem to be in one source. I am just trying to put it all together
You are correct that you can use the setUserId API (across iOS, web and Android) in order to identify the same user across platforms. Note that you'll need to:
Set the default reporting identity to "By User-ID then Device" in the Reporting settings for Google Analytics in the Firebase console (see attached screenshot and docs for more info).
Make sure you are following the Privacy Policy when using the User ID.
I'd like for my app to add/delete/update events on a user's Google Calendar. The app only needs to delete and update events that the app itself has added.
Have I understood it correctly, that in order for this to work, the users have to give the app full access to their Google Calendars, meaning that the app could potentially read and delete private events on any calendar?
Or, is there a way to limit the access that a user gives to the app, for example, allowing the app to create a single calendar and only giving it access to events on that one calendar?
I've read through the relevant Google Calendar API, and I'm not seeing that this is possible. However, giving full access seems crazy and unnecessary!
It seems that this isn't possible. Google, why!?
What I ended up doing was skipping the API and using a calendar subscription. Limited use since the user needs to be able to set up a subscription and, especially, because Google takes up to a day to update subscribed calendars.
It is known that users must explicitly consent the use of tracking tools like Google Analytics, Firebase etc. by the app, I am wondering if it possible to track dropouts on the first screen since as I understand analytics tracking can only be activated once the user allowed this when starting the app for the first time. I would like to know if there are users that exited the app on the first screen before consenting the tracking and decided to uninstall the app after that.
Google Analytics for Firebase provides an API for disabling Analytics collection temporarily before getting a user consent
setAnalyticsCollectionEnabled(true);
You can log this as a event with int parameters 0 and 1 (or any other way you may want). Basically giving you the control and visibility of what you are looking for here.
I need to test some things with a Google Analytics View, but the default demo account that Google offers does not allow user to use the Analytics Reporting API :
You cannot use the demo account with the Analytics Reporting API. Attempts to do so result in a permissions error: (403) insufficientPermissions.
Source
I just need to replicate a view with different data already.
Thanks for helping.
You cannot replicate views with data. A view will always start empty.
However you can simply register a Google Analytics account and send lots of bogus data (either by setting up a web page with tracking code and call it repeatedly, or set a cron job to fire call via the measurement protocol) (this will happen in realtime, so you need to wait a few days before you have enough useable data. There is not way to bulk-create hits for a longer timeframe).
If you just want to test the API it probably matter that much what data you use, so a mock account should work just fine.
I am a developer of Codiva - java ide and online compiler. I am working on improving offline support, reducing network usage, reducing the latency by pre-caching as much as possible.
I want to know how to handle requests to google analytics.
First is the ga script. I use google tag manager to setup GA. Is it okay to cache that request, that is, can I use networkFirst strategy for this request? Or should it always be networkOnly?
How to make sure the actions that happened offline gets tracked correctly?
I am planning to start using Firebase for some featuers, firebase also has some kind of analytics. Would it automatically handle analytics when the device goes offline?
Use the Service Worker helper for Google Analytics:
https://developers.google.com/web/updates/2016/07/offline-google-analytics?hl=en
Try PWA Template https://github.com/StartPolymer/progressive-web-app-template
First is the ga script. I use google tag manager to setup GA. Is it okay to cache that request, that is, can I use networkFirst strategy for this request? Or should it always be networkOnly?
I'm not sure it's wise to cache the GTM script. The analytics.js script is relatively static, but the GTM script can be updated by anyone who has access to your GTM account. Changes made in there obviously wouldn't get propagated to users of the cached version of the script.
How to make sure the actions that happened offline gets tracked correctly?
The key is to use the qt parameter, which allows you to send a hit after the fact, and specify its time offset.
There's an unofficial service worker script that does this today that you should take a look at. It will probably become officially supported sometime soon:
https://gist.github.com/jeffposnick/466ef7578c4c880a78c7270e6ac69620
I am planning to start using Firebase for some featuers, firebase also has some kind of analytics. Would it automatically handle analytics when the device goes offline?
At this point Firebase analytics is mobile-only. If you're using their web SDK, I don't think you get any analytics at this point.