How to securily implement Google Analytics on a C# program

I developed a C# WPF application and it's open source. I now want to implement some kind of analytics in order to see how many users use it and how they use it but I have a few problems. I wanted to use google analytics but with the official APIs, it requires identification (a key) in order to use it and by using their endpoints I have to use a monitoring ID. Users could easily read the code or decompile the exe and find the APIs key or the monitoring ID and use it in bad ways. How can I implement Google Analytics and avoid users to grab delicate information?

1 answer

  • answered 2018-02-13 07:54 Eike Pierstorff

    You securely implement the GA reporting APIs in C# the same way you implement it securely everywhere else, by carefully managing permissions.

    Make sure your project has only read access, and set up a GA view that only includes information you want to show to your users. That way even if they intercept the credentials somehow they can do nothing with it that they couldn't do with you app in the first place.

    As for the abuse of the tracking ID, there is no way around this. If somebody feels they want to send wrong data to your account then they can do it, there is no protection against it (in fact most GA spam does not target specific accounts, it just sends noise to randomly generated tracking ids in the proper format). Obfuscating the code would probably not stop anyone from getting the tracker id, since this is part of the network request to GA.

    If you want to be really elaborate you could send the requests to your own server first, then check the payload for plausibility and then send it along to GA, but frankly that's a lot more work than it is worth.