Possible false positive for AdMob when only com.google.gms:google-services are required

[ignisf]

Hi,

I noticed that the brand new Pixelfed client (com.pixelfed https://github.com/pixelfed/pixelfed-rn/tree/main/android ) gets flagged as having a tracker ( https://reports.exodus-privacy.eu.org/en/reports/548417/#trackers ).

I sprinkled some debugging in the standalone exodus version and ran it locally on the APK, it pointed out this:

DEBUG:root:Google AdMob tracker detected in com/google/ads/interactivemedia/v3/api/AdErrorEvent

Does this look like a false positive to you? Maybe this class is a dependency of google-services and it gets detected without the app actually having ads?

[codeurimpulsif]

Hi @ignisf and thanks for this issue.

Looking at it and it seems to be a class added by some dependency like google-services you're right.

It's flag by the detection rule Google AdMob with com.google.ads..

I don't think it's a false positive, as we explain here:
"Our static detection method looks in applications for the presence of a defined list of trackers […] This is not a proof of activity of these trackers."

Looking at the Pixelfed-rn code it seems to never be initialized or called, so this AdMob tracker is "present" in the app but not "activate".

We keep looking for good ways to inform about that (the fact that "present" doesn't mean "active") but it's not easy (also because we're only a very small team without lot of time).

I also ping @pnu-s and maybe @U039b for good advices on how to remove this kind of classes embeded by dependencies?

[ignisf]

@codeurimpulsif, thank you for your time and your kind and detailed response! I see that this is indeed expected, so please feel free to close the issue.