PII Data Flow & Third-Party SDKs
Detailed static-analysis report for PII data flow & third-party SDKs.
Executive summary
The app handles a wide surface of personal data (membership IDs, emails, phone, postal addresses, location, biometric credentials, device identifiers) and ships ~38+ third-party SDKs, most of them either analytics/marketing (Adobe Marketing Cloud + Firebase) or commercial vendors (NokNok FIDO2, ThreatMetrix, Mastercard ClickToPay, Contentstack, Lucidworks, OneTrust). Encryption at rest uses AES-256-GCM via Android Keystore — a strong baseline. The privacy work needed is mostly about consent flow integration, data-flow documentation, and tightening WebView + intent surfaces.
PII data-flow map
| Data type | Read / Persisted / Transmitted | Key files |
|---|---|---|
| Membership ID | Read + transmitted to BFF | shared/data/.../SharedMembershipService.kt · feature/account/.../AccountViewModel.kt · shared/statemanagement/.../digitalcard/ShowDataReducer.kt |
| Email | Extracted from JWT, persisted to DataStore | shared/auth/.../AuthenticatorUtilImpl.kt (lines 83-88: setUserEmail) · shared/storage/.../DataStorePrefManagerImpl.kt |
| Phone | User input → BFF | feature/warehouse/.../CookiePhoneNumberComponent.kt · core/model/.../WarehouseOrderRequest.kt |
| Address / postal code | Persisted (DataStore) + sent | shared/storage/.../DataStorePrefManagerImpl.kt (setDeliveryZipCode) · shared/sdui/.../AddressComponent.kt |
| Location (lat/lng) | Cached on device + used in geofence | shared/storage/.../DataStorePrefManagerImpl.kt (lastLocationLat/Lng) · shared/geofence/.../GeofenceMakerImpl.kt |
| Biometric / passkey | Hardware-backed; never leaves device | Costco/.../BiometricUtilImpl.java · shared/auth/.../AuthenticatorUtilImpl.kt |
| Device IDs | Read for analytics | Costco/.../MainActivity.java · feature/account/.../AccountViewModel.kt |
| Auth tokens | Encrypted at rest (AES-256-GCM) | shared/storage/.../KeyStoreManagerImpl.kt (lines 16-85) |
PASS
Token encryption via AndroidKeyStore
KeyStoreManagerImpl.kt uses AndroidKeyStore with AES-256-GCM (KeyProperties.PURPOSE_ENCRYPT | PURPOSE_DECRYPT) — the recommended pattern.
HIGH
Email persisted in plain DataStore
User email is extracted from the JWT and stored in DataStore (setUserEmail) without explicit encryption. While DataStore on internal storage is protected by the app sandbox, root or backup-extraction risks remain.
Recommendation: Wrap email reads/writes in the same KeyStoreManager AES-GCM helper used for tokens, or encrypt the entire DataStore via Jetpack Security EncryptedFile.
MEDIUM
Lat/Lng cached on device
Last known coordinates persisted in DataStore. Sensitive if the device is recovered.
Recommendation: Either encrypt the coordinates, or coarsen them to a grid cell (e.g. round to 0.01 degrees) before persisting.
Third-party SDK inventory
~38 distinct vendors. Organized below by purpose; the full version table follows.
| Category | SDKs |
|---|---|
| Analytics & Marketing | Firebase Analytics, Firebase Crashlytics, Firebase Performance, Adobe Analytics, Adobe Target, Adobe Campaign, Adobe Signal, Adobe Lifecycle, Adobe Assurance, Google Play Analytics |
| Push & Messaging | Firebase Cloud Messaging, Adobe Messaging, Adobe User Profile |
| Auth & Security | NokNok FIDO2 / Passkey 9.2.0-697, ThreatMetrix 7.7-71, BouncyCastle 1.70, Nimbus JOSE+JWT 10.8 |
| Search & Content | Lucidworks (custom), Contentstack 4.0.0, Google Maps + Maps Compose |
| Payments | Mastercard ClickToPay (in feature/dmc) |
| Consent | OneTrust (cdn.cookielaw.org, in network_security_config) |
| Networking | OkHttp 5.3.2, Retrofit 3.0.0, Volley 1.2.1, Chucker 3.5.2 (debug) |
| Persistence | Room 2.8.4, DBFlow 4.2.4, DataStore 1.2.0 |
| Image / Media | Coil 2.7.0, Glide 5.0.5, ExoPlayer 1.9.2, Lottie 6.7.1 |
| ML / Barcode | ML Kit Barcode 17.3.0, ML Kit Text Recognition 16.0.1, ZXing Core 3.5.4 |
| UI / Compose | Compose BOM 2026.02.01, Material3 1.4.0, Accompanist, Navigation Compose, Hilt Navigation, Camera 1.5.3 |
| DI / Logging / Build | Hilt 2.56, Timber 5.0.1, SLF4J + Logback, Spotless, Dokka, Shot |
HIGH
11 Adobe Marketing Cloud modules
A single Adobe BOM (3.17.0) is declared, but 11 individual modules are pulled in. Each adds startup work, APK weight and analytics surface.
Recommendation: Audit which modules are actually used by analytics events fired from production code. Remove unused modules.
HIGH
Consent integration with OneTrust
OneTrust appears in the network security config but the consent state's effect on Firebase Consent Mode v2 / Adobe is not visible in this static review.
Recommendation: Audit that all analytics calls respect the user's consent state. Use Firebase Consent Mode v2 + Adobe consent flags. Verify that the denied-consent path leaves Crashlytics enabled but Analytics disabled.
MEDIUM
ThreatMetrix device fingerprinting
Strong fraud-protection signal but also a high-PII-cost SDK. Must be in the privacy disclosure.
Recommendation: Confirm the privacy policy lists ThreatMetrix; document the data minimization profile in use.
INFO
Recommended: SDK manifest
A single doc (or in-app screen) listing every SDK + purpose + privacy link, refreshed each release.
Recommendation: Generate the list from libs.versions.toml as part of the build; render to a third-party-licenses.md + an in-app "Open Source Notices" screen.
Costco Android · Code Review Report · Generated 2026-05-07 · 626 machine-curated findings
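The manifest-generation step recommended above, as an added example that is not part of this report or the app's code base: a Python script that reads a Gradle version catalog (a constructed sample here, parsed with a minimal regex reader rather than a TOML library) and refuses to render the SDK manifest until every library has a purpose and a privacy link. The registry entries and URLs are placeholders.

```python
import re

# Constructed sample in Gradle version-catalog syntax; not the project's real libs.versions.toml.
SAMPLE_CATALOG = """
[versions]
okhttp = "5.3.2"
retrofit = "3.0.0"

[libraries]
okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "okhttp" }
retrofit = { group = "com.squareup.retrofit2", name = "retrofit", version.ref = "retrofit" }
chucker = { module = "com.github.chuckerteam.chucker:library", version = "3.5.2" }
"""

# Team-maintained classification: module -> (purpose, privacy-policy URL). Placeholder URLs.
SDK_REGISTRY = {
    "com.squareup.okhttp3:okhttp": ("Networking", "https://example.com/okhttp-privacy"),
    "com.squareup.retrofit2:retrofit": ("Networking", "https://example.com/retrofit-privacy"),
}

_SECTION = re.compile(r"^\[(\w+)\]\s*$")
_KV = re.compile(r"^([\w.-]+)\s*=\s*(.+?)\s*$")
_INLINE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')  # key = "value" pairs inside an inline table

def parse_catalog(text):
    """Return [(alias, module, version)] from the [versions] and [libraries] sections."""
    versions, libs, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _SECTION.match(line)):
            section = m.group(1)
            continue
        if not (m := _KV.match(line)):
            continue
        key, val = m.groups()
        if section == "versions":
            versions[key] = val.strip('"')
        elif section == "libraries":
            fields = dict(_INLINE.findall(val))
            module = fields.get("module") or f"{fields.get('group')}:{fields.get('name')}"
            version = fields.get("version") or versions.get(fields.get("version.ref", ""), "?")
            libs.append((key, module, version))
    return libs

def render_manifest(libs, registry):
    """Markdown table for third-party-licenses.md; fails the build if any SDK is unclassified."""
    missing = [module for _, module, _ in libs if module not in registry]
    if missing:
        raise ValueError("unclassified SDKs, add them to SDK_REGISTRY: " + ", ".join(missing))
    rows = ["| SDK | Version | Purpose | Privacy policy |", "|---|---|---|---|"]
    for _, module, version in sorted(libs, key=lambda lib: lib[1]):
        purpose, link = registry[module]
        rows.append(f"| {module} | {version} | {purpose} | {link} |")
    return "\n".join(rows)
```

Run as a build step, the ValueError is the point: a newly added SDK cannot ship until someone records why it is there and where its privacy disclosure lives.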