When Unity starts on Android, it's collecting android_id, can we disable it?

Hi dear Unity,

Recently we had an issue, the 3rd party platform review our Unity game and they found when Unity starts, it’s collecting android_id which is not allowed before user agree with the privacy policy. But we can’t control it, since Unity is collecting the android_id when it starts up.
We tried to manually disable Unity Connect Settings with the UnityConnectingSettings.asset file, to change the UnityConnectSettings m_Enabled value to 0. And when Unity starts it will not collect the android_id.

I’m wondering if there is proper way to stop Unity collecting android_id when it starts up.

Your approach is correct, you can confirm using Charles Proxy. You can also disable all services in the Services window, or do it via scripting https://docs.unity3d.com/ScriptReference/Analytics.Analytics-enabled.html .

With the link you posted it doesn’t work, I already tried it.

What I mean is there anyway we can disable the whole Unity Services through code, because Unity analytics enabled is only disable Unity analytics, but there is still something trying to collect android_id. So we can only manually disable UnityConnectSettings service through the .asset file?

I think the problem is that Unity is reading it anyway, even if it doesn’t transmit it.

Yeah, exactly.

I just want to prevent Unity to read it. So there will no rejection on the 3rd party Android platform when they review the build we submit.

I’m not sure what you mean by “read it but not send it”. Google is only concerned about data that is collected and sent over the wire. There is no privacy concern if nothing leaves your phone. If services are not enabled, we would not be sending any data. To confirm, use Charles Proxy to see what data may be collected. Examine the capture to confirm. If you are not sure, please send me the .chls file in a private message and I will take a look https://support.unity.com/hc/en-us/articles/115002917683-Using-Charles-Proxy-with-Unity

What I mean is Unity is accessing android_id when Unity game is running on Android device. The privacy concern is not from Google. It’s from Chinese platform such as Huawei, Xiaomi. Charles Proxy can’t see the data which is not be sent through API. I already sent you .chls file in another thread.

Sorry, “reading but not sending” is not a thing. There isn’t such a concept. “Who” is reading it? Let’s say it’s a Chinese store. How do they know that it is occurring if it’s not sent? Your Charles capture did not contain the android_id. If you are concerned that it is being sent, then disable all services. Again, there is no concept of “reading but not sending”. If the store is aware of some sort of access to the android_id, then “something” alerted them to this fact. If it’s not being sent via HTTP and not visible in Charles Proxy, then another communication option would be via sockets. This could be viewed by using WireShark.

Here is one possibility. There is the chance that the store review is inspecting your binary, decompiling and finding code that perhaps does “read” certain phone attributes, but is not actually used or executed at runtime. So no data is actually being sent over the wire during game play. But the store might be concerned that later, you as the developer, can remotely enable that code and start sending the data. This could either be from unintentional legacy Unity code that perhaps we have missed, or from an imported asset. Unless that code is remotely enabled, there is no collection of data.

Well, they could also run it on a custom\injected java runtime or android lib to detect if certain fields \ API is called as an automated test. So are you confirming that the setting means Unity makes no API call to android_id with that setting off?

What setting are you referring to? Please provide your Charles capture to rule out anything sent over the wire (most likely).

Jumping in here to say we’re looking for a solution for this too. There are submission tools that seemingly detect any programmatic access – not transmission – of the Android ID, and you fail submission if this occurs prior to the user accepting a privacy policy.

Same here.
We are failing a review at Chinese Huawei due to Android ID being read by the binary before the user accepts the privacy policy. This is determined by a machine review so I expect they are running the binary through some sort of testing runtime / environment.
We have programmatically delayed initialization of Unity Services (UnityServices.InitializeAsync():wink: until after the privacy policy acceptance, but it seems something in the Unity Runtime “reads” the Android ID on it’s own. This causes us to fail the review and we cannot release the app in China. Please advise. How can we disable Unity reading (not sending!) the Android ID?

To add to my previous post, the Huawei team claims that our app reads the Android ID through the following call stack:

com.unity3d.player.UnityPlayer.nativeRender(Native Method),
com.unity3d.player.UnityPlayer.-$Nest$mnativeRender(Unknown Source:0),
com.unity3d.player.UnityPlayer$C$a.handleMessage(Unknown Source:122),
android.os.Handler.dispatchMessage(Handler.java:105),
android.os.Looper.loop(Looper.java:228),
com.unity3d.player.UnityPlayer$C.run(Unknown Source:24)

We are unable to pass the review on the Huawei AppGallery Connect because of this. Please help!

Unfortunately you can see that Unity’s reply is that “reading but not sending is not a thing”.

The problem actually, is that we, your users, do not trust Unity, and think that you, Unity, might at some point activate the code and start sending precious precious data to Unity.

When platforms see evidence of code wanting to do stuff with Android ID, how can we guarantee nothing is going to ever actually do with Android ID when for all we know your precious “Unity runtime” might have other plans?

We are constantly being asked to write privacy policies for code we don’t have access to and when we the users complain to you about these things over the years, you disregard them and serious privacy issues (like the old analytics checkbox not actually stopping analytics from being sent) is nonchalantly treated like “oh, I guess that was a bug”.

@AcidArrow - thanks for your input. This does sound like a touchy “political-like” problem and there is nothing we as developers can do to rectify it. What is astonishing is that Huawei is the largest app store market in China (which is very fragmented) - it holds over 30% of the market share. I would expect many of the apps available at Huawei to be created using Unity. But it looks like developing for Huawei on Unity is only viable if you have enough business/political power to affect the Huawei review team (which most of us don’t).

Getting screwed over like this at the very end of the publishing process, after putting hundreds of man-hours into getting all the necessary permits… this hurts. It hurts a lot Unity!

To expand on this. I’ve tried to pass the Huawei review after removing the Unity Analytics and Unity Services packages with the same result: Huawei still claims that call to com.unity3d.player.UnityPlayer.nativeRender(Native Method) reads the ANDROID_ID which, according to them, is illegal. And they fail our app.
Because of the above, I expect this to indeed be a Unity Runtime (Android) problem and not specifically a problem with the Analytics SDK.