Search Unity

  1. Unity 2019.2 is now released.
    Dismiss Notice

How to disable Unity analytics?

Discussion in 'Unity Analytics' started by Sarbakan-Support, Nov 27, 2018.

  1. Sarbakan-Support

    Sarbakan-Support

    Joined:
    Aug 27, 2014
    Posts:
    6
    Hi,

    My app is getting rejected by my client because there are calls to https://cdp.cloud.unity3d.com/v1/events and https://config.uca.cloud.unity3d.com/.
    Since we are targeting young children, they are really careful about calls to external servers.
    I disabled Unity HW stats, I disabled the Analytics in the Services menu but I still see those calls in Charles Proxy.
    If I log into the Analytics services on Unity's website I see that it's activated, but it's not on anywhere in my game.
    I am missing something?
    I am using Unity 2018.2 pro by the way.

    It looks like an old problem that was never answered.
    https://answers.unity.com/questions/1514671/how-do-you-disable-unity-analytics-in-unity-pro.html

    Thanks
     
  2. marc_tanenbaum

    marc_tanenbaum

    Unity Technologies

    Joined:
    Oct 22, 2014
    Posts:
    344
    Hi @Sarbakan-Support ,

    In principle, if you have HWStats disabled and no services running (Ads, Analytics, IAP, Performance) no data should be sent to Unity servers. Since you're observing that not to be the case, let's try a couple ideas to investigate:
    • Check your services window to ensure all the services mentioned above are disabled.
    • Check any plugins you're using that might possibly activate any of those services programmatically.
    If neither of those turns up anything, the next step would be to use a tool like Charles Proxy (looks like you may already be using something along that line) and let us see the JSON payload of the calls. That might shed some light on what's going on.

    We're investigating a related issue, so it's also possible that this is related to a legitimate bug, but getting more info might help us establish that fact and/or suggest a workaround.

    Thanks!
     
  3. Sarbakan-Support

    Sarbakan-Support

    Joined:
    Aug 27, 2014
    Posts:
    6
    Thanks @marc_tanenbaum

    I have In App Purchases On, is this what's calling the URL?

    I even received a security warning from them because those sites are using an old protocol.

    Server Supports Insecure TLS 1.0
    Affected Components0 fixed out of 2

    The following SSL/TLS servers accessed by the App at runtime have enabled the TLS 1.0 protocol:

    • NEW
    https://config.uca.cloud.unity3d.com/

    • NEW
    https://cdp.cloud.unity3d.com/

    Description

    TLS 1.0 is a legacy protocol, which has been found to be vulnerable to numerous attacks since it was released.

    Such attacks include the POODLE vulnerability, which was discovered in 2014 by the Google security team, as well as other flaws affecting both on the protocol's key exchange mechanism and on the encryption schemes it supports.

    A summary of most of the vulnerabilities the TLS 1.0 protocol is vulnerable to is available in RFC 7457.

    Most mobile Apps would usually negotiate a stronger version of the protocol (such as TLS 1.2), making this issue difficult to exploit in the context of a an App. However, specific browsers (such as Firefox) accessing the vulnerable endpoints may be exposed through protocol downgrade attacks.

    Lastly, TLS v1.0 is no longer acceptable for PCI compliance due to the vulnerabilities mentioned above (such as POODLE), as stated in Appendix A2 of the PCI DSS Requirements:

    "After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol"
     
  4. marc_tanenbaum

    marc_tanenbaum

    Unity Technologies

    Joined:
    Oct 22, 2014
    Posts:
    344
    Yes, use of IAP will definitely cause those events to fire.

    May I ask which version of Unity you're using? TLS has been updated, but only from 2018.2 forward for now. It's not yet clear when we can expect backporting to earlier versions.
     
  5. Sarbakan-Support

    Sarbakan-Support

    Joined:
    Aug 27, 2014
    Posts:
    6
    Hummm yes we are using 2018.1. We are pretty close to the release of our game, so it's kind of scary to update right now. Thanks for the answer, I will check what I can do.
     
  6. marc_tanenbaum

    marc_tanenbaum

    Unity Technologies

    Joined:
    Oct 22, 2014
    Posts:
    344
    @Sarbakan-Support ... one of my engineers has an idea for a possible workaround. We're not entirely sure.

    Would you be willing to open a support ticket? Reference this thread and drop my name in. I'll hook you up with the engineer and let's see if we can get you sorted.
     
    technicat likes this.
  7. Syndran

    Syndran

    Joined:
    Jul 19, 2016
    Posts:
    9
    Was wondering if there is resolution to this yet.
    Unity 2018.3.1f1
    No services enabled
    disable HW statistics checked
    everything possible removed from package manager. only textmeshpro enabled.
    still getting calls to cdp.cloud.unity3d.com/v1/events resulting in application being rejected.
     
  8. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    4,874
    Please provide a Charles capture to see what service is sending the events. Also this post should help, you can disable Analytics at runtime with a few lines of code: https://forum.unity.com/threads/upd...emoving-games-from-store.558940/#post-4682123
     
  9. Syndran

    Syndran

    Joined:
    Jul 19, 2016
    Posts:
    9
    Hi, I use a free tool called fiddler instead of charles. very much the same
    Attached is the session archive. readable as ZIP, or change extension to .saz and open in fiddler.

    If i am reading it correctly. the client is
    UnityPlayer/2018.3.1f1 (UnityWebRequest/1.0, libcurl/7.52.0-DEV)
     

    Attached Files:

  10. Syndran

    Syndran

    Joined:
    Jul 19, 2016
    Posts:
    9
    Hi
    went through the provided list of "how to make it work in spite of unity, not because"

    most was already done.
    added the following code to my initial scene.
    Code (CSharp):
    1. private void Awake()
    2.     {
    3.         UnityEngine.Analytics.Analytics.enabled = false;
    4.         UnityEngine.Analytics.Analytics.deviceStatsEnabled = false;
    5.         UnityEngine.Analytics.Analytics.initializeOnStartup = false;
    6.         UnityEngine.Analytics.Analytics.limitUserTracking = false;
    7.         UnityEngine.Analytics.PerformanceReporting.enabled = false;
    8.     }
    on code execution, the following connections were made <attached file>
    with the content of

    {"prefs":{},"analytics":{"enabled":true},"connect":{"limit_user_tracking":false,"player_opted_out":false,"enabled":true},"performance":{"enabled":true}}

    now, when you don't have analytics package in your project, that should be it.. no analytics means NO ANALYTICS!!
     

    Attached Files:

  11. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    4,874
    There is no user information sent in the request that you refer to. What am I looking for in the zip file, is this a Charles capture? If you don't have Analytics or any other services in your project, and have disabled HW Stats, you should see no Analytics calls.
     
  12. Syndran

    Syndran

    Joined:
    Jul 19, 2016
    Posts:
    9
    EXACTLY my point.
    please see previous post where I explained this was a fiddler capture, not charles. and how to interact with it.
    You are correct, no user information is sent. however it still makes the connection to the analytics server, even when
    1) analytics package is removed
    2) HW statistics disabled
    3) specific code to disable analytics set to run as soon as possible.

    It does not matter that no information is sent (unity could change this at ANY TIME), it makes the connection, which is enough for google to flag it, and not something you CAN add to a privacy policy when you have no control over content.
     
  13. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    4,874
    Did you get rejected by Google over this? I personally have not heard of Google flagging this. They are concerned about privacy, not making general network calls which should be compliant, which is my understanding. Otherwise, you may have a valid point.