Not GDPR compliant

[danielytics]

This was mentioned in #31. The issue was closed, but it still stands.

The Telegram Analytics SDK makes bold claims about GDPR that don't hold up. From the README:

It tracks app launches, TON Connect interactions, and GDPR-compliant events in an anonymous format.

However, this is blatantly incorrect. The Telegram User ID is being collected, which is a form of Personally Identifiable Information (PII).

This is NOT GDPR compliant.

[danielytics]

A fix would be something like this:

/**
 * Creates a SHA-256 hash from an input string.
 * @param input The string to hash.
 * @returns A promise that resolves to the hash as an ArrayBuffer.
 */
export async function sha256(input: string): Promise<ArrayBuffer> {
    const encoder = new TextEncoder();
    const data = encoder.encode(input);
    return await crypto.subtle.digest('SHA-256', data);
}

/**
 * Generates a safe integer from a number by hashing it and "folding" the
 * 256-bit result into a single 32-bit value using XOR. This method uses
 * information from the entire hash.
 *
 * @param input The number to hash.
 * @returns A promise that resolves to a 32-bit integer number.
 */
export async function sha256number(input: number): Promise<number> {
    // 1. Get the 32-byte (256-bit) hash buffer
    const hashBuffer = await sha256(String(input));
    const view = new DataView(hashBuffer);

    // 2. Initialize a 32-bit integer to hold the folded result.
    let foldedResult = 0;

    // 3. A SHA-256 hash is 32 bytes long. We read it in 4-byte (32-bit) chunks.
    //    So, we will loop 32 / 4 = 8 times.
    const numChunks = hashBuffer.byteLength / 4;
    for (let i = 0; i < numChunks; i++) {
        // Read the next 32-bit chunk. The offset is i * 4 bytes.
        const chunk = view.getUint32(i * 4, false);
        // Fold the chunk into the result using the XOR operator.
        foldedResult ^= chunk;
    }

    // 4. The result is a 32-bit number, which is guaranteed to be a safe integer.
    return foldedResult;
}

And then updating the SessionController:

export class SessionController {
    private sessionId: string;
    private userId: number;
    private platform: string;
    private webAppStartParam: string;
    private userLocale: string;
    private isPremium: boolean;

    private appModule: App;

    constructor(app: App) {
        this.appModule = app;
    }

    public async init() {
        const lp = retrieveLaunchParams();
        const initData = lp.initData;
        const user = lp.initData?.user;
        if (!user) {
            throwError(Errors.USER_DATA_IS_NOT_PROVIDED);
        }

        // Create secure hash of user ID to avoid PII
        this.userId = await sha256number(user.id);
        this.isPremium = Boolean(user.isPremium);
        this.userLocale = user.languageCode;
        this.webAppStartParam = initData.startParam;
        this.platform = lp.platform;
        this.sessionId = generateUUID(String(this.getUserId()));
    }

    public getSessionId() {
        return this.sessionId;
    }

    public getUserId() {
        return this.userId;
    }

    public getWebAppStartParam() {
        return this.webAppStartParam;
    }

    public getPlatform() {
        return this.platform;
    }

    public getUserLocale() {
        return this.userLocale;
    }

    public getUserIsPremium() {
        return this.isPremium;
    }

    public assembleEventSession() {
        return {
            session_id: this.getSessionId(),
            user_id: this.getUserId(),
            app_name: this.appModule.getAppName(),
            is_premium: this.getUserIsPremium(),
            platform: this.getPlatform(),
            locale: this.getUserLocale(),
            start_param: this.getWebAppStartParam(),
            client_timestamp: String(Date.now()),
        };
    }
}

I also removed the other user data such as the users name, so that it doesn't accidentally get leaked. It wasn't used anywhere anyway.

[alpinskiy]

thanks, we are looking into it

[danielytics]

Wow... 4 months to get a response on such a critical issue, and 10 months from the original report. I honestly believe this library is a scam or malware at this stage.

[danielytics]

Over half a year after opening this issue. Not only that, they've added device fingerprinting in the meantime, without addressing any of the legal concerns.

This repository should be considered malware.