Presence and potential use of Google's Firebase SDK
Radar Covid for Android has declared a dependency on Google's Firebase SDK for analytics purposes, as indicated in lines 198 and 199 of the Gradle configuration.
// Recommended: Add the Firebase SDK for Google Analytics.
implementation 'com.google.firebase:firebase-analytics-ktx:17.5.0'
The analysis of the .apk available on Google Play on the 8th of September 2020 (md5=ce999f762890d3f9b7911cb700997019) using static analysis corroborates that the SDK is present in the app as can be inferred from the presence of the following package: com/google/firebase/
Unfortunately, as the code is obfuscated in the current release on the Google Play Store, it cannot be concluded: 1) whether the app version published on Google Play is directly compiled from the source code released today; and, as a result, 2) whether the Firebase SDK is actually invoked from the app.
The presence and use of this SDK is not listed in the current Privacy Policy of the app.
In case that this is legacy code from an older version integrating and using the SDK, or simply dead code, it would be recommendable to remove this dependency. If it is indeed used, it would be recommendable to remove it as well due to the potential privacy risks that incorporating a third-party analytics SDK could cause on end users.
This behavior seems to be prevalent in the iOS app, too, as suggested by this issue.
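The static check described in the issue above, as an added example that is not part of the original issue or the Radar Covid code base: it records the MD5 of an APK and lists the DEX class descriptors found under com/google/firebase/. The sample APK is a constructed zip with string blobs standing in for DEX files, and the names scan_apk and build_sample_apk are hypothetical.

```python
import hashlib
import io
import re
import zipfile

# Package path reported in the issue; in a DEX file it appears inside
# type descriptors of the form "Lcom/google/firebase/...;".
SDK_PREFIX = "com/google/firebase/"


def scan_apk(apk_bytes, prefix=SDK_PREFIX):
    """Return (md5 of the APK, {dex entry: sorted descriptors under prefix})."""
    pattern = re.compile(rb"L" + re.escape(prefix.encode()) + rb"[\w$/-]+;")
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Multidex builds ship classes.dex, classes2.dex, ...; other
            # entries (assets, resources) are ignored.
            if re.fullmatch(r"classes\d*\.dex", name):
                found = {m.decode() for m in pattern.findall(apk.read(name))}
                if found:
                    hits[name] = sorted(found)
    return hashlib.md5(apk_bytes).hexdigest(), hits


def build_sample_apk():
    """Constructed sample: a zip whose 'dex' entries are plain string blobs."""
    fa = b"Lcom/google/firebase/analytics/FirebaseAnalytics;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00La/b;\x00" + fa + fa)
        z.writestr("classes2.dex", b"dex\n035\x00Lc/d/e;\x00")
        z.writestr("assets/notes.txt", b"Lcom/google/firebase/Ignored;")
    return buf.getvalue()


if __name__ == "__main__":
    digest, hits = scan_apk(build_sample_apk())
    print("md5:", digest)  # identifies which build was analysed
    for dex, classes in hits.items():
        print(f"{dex}: {len(classes)} descriptor(s) under {SDK_PREFIX}")
        for descriptor in classes:
            print("  ", descriptor)
```

A hit only shows that the descriptor is in the DEX string table, so it confirms presence of the package and not that the app invokes it, which is the limitation the issue notes for the obfuscated release.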
Here
Thanks,
Hello,
The Firebase Analytics dependency comes from the pilot phase in La Gomera. It was required by the Crashlytics framework we used to get stack traces from app crashes on smartphones. Currently this reference is just dead code and will be removed in the next release, so thanks for your suggestion; it will be taken.
Thanks.