green-code-initiative · jduigoudev · May 21, 2025 · May 20, 2025 · May 20, 2025 · May 21, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 ### Changed
-
+- SPRI004: Add rule to avoid use of Tracking Id using TelephonyManager#getDeviceId()
 - The embedded Groovy language analyzer was reconfigured to scan only `.gradle` files since it is the files we are interested in for
   the Android project configuration rules.
   The associated language is named `Groovy (Gradle)` instead of just `Groovy`.

diff --git a/android-plugin/src/main/java/io/ecocode/java/JavaCheckList.java b/android-plugin/src/main/java/io/ecocode/java/JavaCheckList.java
@@ -26,10 +26,11 @@
 import io.ecocode.java.checks.environment.leakage.*;
 import io.ecocode.java.checks.environment.optimized_api.BluetoothLowEnergyRule;
 import io.ecocode.java.checks.environment.optimized_api.FusedLocationRule;
-import io.ecocode.java.checks.environment.power.SaveModeAwarenessRule;
 import io.ecocode.java.checks.environment.power.ChargeAwarenessRule;
+import io.ecocode.java.checks.environment.power.SaveModeAwarenessRule;
 import io.ecocode.java.checks.environment.sobriety.*;
 import io.ecocode.java.checks.social.privacy.GoogleTrackerRule;
+import io.ecocode.java.checks.social.privacy.TrackingIdRule;
 import org.sonar.plugins.java.api.JavaCheck;
 
 import java.util.ArrayList;
@@ -50,9 +51,10 @@ public static List<Class<? extends JavaCheck>> getChecks() {
         return Collections.unmodifiableList(checks);
     }
 
-    public static List<Class<? extends JavaCheck>> getJavaSocialChecks(){
+    public static List<Class<? extends JavaCheck>> getJavaSocialChecks() {
         return Collections.unmodifiableList(Arrays.asList(
-                GoogleTrackerRule.class
+                GoogleTrackerRule.class,
+                TrackingIdRule.class
         ));
     }
 

diff --git a/android-plugin/src/main/java/io/ecocode/java/checks/social/privacy/TrackingIdRule.java b/android-plugin/src/main/java/io/ecocode/java/checks/social/privacy/TrackingIdRule.java
@@ -0,0 +1,48 @@
+/*
+ * ecoCode Android plugin - Provides rules to reduce the environmental footprint of your Android applications
+ * Copyright © 2020 Green Code Initiative (contact@ecocode.io)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.ecocode.java.checks.social.privacy;
+
+import io.ecocode.java.checks.helpers.SpecificMethodCheck;
+import org.sonar.check.Rule;
+import org.sonarsource.analyzer.commons.annotations.DeprecatedRuleKey;
+
+/**
+ * For some use cases, it might be necessary to get a unique device identifier by a call to TelephonyManager#getDeviceId()
+ * (returns IMEI on GSM, MEID for CDMA).
+ * However, this raises privacy concerns and it is not recommended.
+ * Alternatively, you may use android.provider.Settings.Secure.ANDROID_ID.
+ */
+
+@Rule(key = "EC534")
+@DeprecatedRuleKey(repositoryKey = "ecoCode-java", ruleKey = "SPRI004")
+public class TrackingIdRule extends SpecificMethodCheck {
+
+    private static final String ERROR_MESSAGE = "Avoid using TelephonyManager#getDeviceId() due to privacy concerns.";
+    private static final String METHOD_NAME = "getDeviceId";
+    private static final String METHOD_OWNER_TYPE = "android.telephony.TelephonyManager";
+
+
+    public TrackingIdRule() {
+        super(METHOD_OWNER_TYPE, METHOD_NAME);
+    }
+
+    @Override
+    public String getMessage() {
+        return ERROR_MESSAGE;
+    }
+}
diff --git a/android-plugin/src/main/resources/io/ecocode/android/java/ecocode_java_profile.json b/android-plugin/src/main/resources/io/ecocode/android/java/ecocode_java_profile.json
@@ -33,6 +33,7 @@
     "EC529",
     "EC530",
     "EC531",
-    "EC532"
+    "EC532",
+    "EC534"
   ]
 }
diff --git a/android-plugin/src/main/resources/io/ecocode/rules/java/EC534.html b/android-plugin/src/main/resources/io/ecocode/rules/java/EC534.html
@@ -0,0 +1,18 @@
+<img src="http://www.neomades.com/extern/partage/ecoCode/2sur5_1x.png">
+<p>
+    For some use cases, it might be necessary to get a unique device identifier by a call to <code>TelephonyManager#getDeviceId()</code>
+    (returns IMEI on GSM, MEID for CDMA).
+    However, this raises privacy concerns and it is not recommended.
+    Alternatively, you may use android.provider.Settings.Secure.ANDROID_ID.
+</p>
+<h2>Noncompliant Code Example</h2>
+Use of: TelephonyManager#.getDeviceId()
+<pre>
+    TelephonyManager telephonyManager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
+    String deviceId = telephonyManager.getDeviceId()
+</pre>
+Use :
+<pre>
+    android.provider.Settings.Secure.ANDROID_ID
+</pre>
+
diff --git a/android-plugin/src/main/resources/io/ecocode/rules/java/EC534.json b/android-plugin/src/main/resources/io/ecocode/rules/java/EC534.json
@@ -0,0 +1,17 @@
+{
+  "title": "Privacy: Tracking Id",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "20min"
+  },
+  "tags": [
+    "privacy",
+    "social",
+    "ecocode",
+    "android",
+    "eco-design"
+  ],
+  "defaultSeverity": "Minor"
+}
diff --git a/android-plugin/src/test/files/social/privacy/TrackingIdCheck.java b/android-plugin/src/test/files/social/privacy/TrackingIdCheck.java
@@ -0,0 +1,34 @@
+/*
+ * ecoCode Android plugin - Provides rules to reduce the environmental footprint of your Android applications
+ * Copyright © 2020 Green Code Initiative (contact@ecocode.io)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package android.telephony;
+
+import android.content.Context;
+
+public final class TelephonyManager {
+
+    public void test() {
+        TelephonyManager telephonyManager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
+        String deviceId = telephonyManager.getDeviceId(); // Noncompliant {{Avoid using TelephonyManager#getDeviceId() due to privacy concerns.}}
+        return deviceId;
+    }
+
+    public String getDeviceId() {
+        return "fake";
+    }
+
+}
diff --git a/android-plugin/src/test/java/io/ecocode/java/JavaRulesDefinitionTest.java b/android-plugin/src/test/java/io/ecocode/java/JavaRulesDefinitionTest.java
@@ -52,6 +52,12 @@ private void assertSocialRuleProperties(Repository repository) {
         assertThat(googleTrackerRule.name()).isEqualTo("Privacy: Google Tracker");
         assertThat(googleTrackerRule.debtRemediationFunction().type()).isEqualTo(Type.CONSTANT_ISSUE);
         assertThat(googleTrackerRule.type()).isEqualTo(RuleType.CODE_SMELL);
+
+        Rule trackIdRule = repository.rule("EC534");
+        assertThat(trackIdRule).isNotNull();
+        assertThat(trackIdRule.name()).isEqualTo("Privacy: Tracking Id");
+        assertThat(trackIdRule.debtRemediationFunction().type()).isEqualTo(Type.CONSTANT_ISSUE);
+        assertThat(trackIdRule.type()).isEqualTo(RuleType.CODE_SMELL);
     }
 
     private void assertEnergyRuleProperties(Repository repository) {

diff --git a/android-plugin/src/test/java/io/ecocode/java/checks/social/privacy/TrackingIdRuleTest.java b/android-plugin/src/test/java/io/ecocode/java/checks/social/privacy/TrackingIdRuleTest.java
@@ -0,0 +1,31 @@
+/*
+ * ecoCode Android plugin - Provides rules to reduce the environmental footprint of your Android applications
+ * Copyright © 2020 Green Code Initiative (contact@ecocode.io)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+package io.ecocode.java.checks.social.privacy;
+
+import org.junit.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+public class TrackingIdRuleTest {
+
+    @Test
+    public void verify() {
+        CheckVerifier.newVerifier().onFile("src/test/files/social/privacy/TrackingIdCheck.java")
+                .withCheck(new TrackingIdRule())
+                .verifyIssues();
+    }
+}