I am building an app that communicates with my website with ASIHTTPRequest to a PHP-based REST API on the server side.
Naturally, in my app I have different endpoints on the server side, and usually return JSON data.
Is it unethical to log counters on how many times each endpoint was hit?
I'd like to capture how the app was used capturing what endpoint was hit, the user agent, time of day, possibly their IP (to group visits etc).
Should I ask permission to do this?
It should be in your terms and conditions, but you should not have to inform the user. Technically this is the same as traditional HTTP server log files and running statistics against them.
I would however make sure that it's not possible to identify an individual user from the data as that may violate local or international privacy laws. They could opt in for that if they wish.
The only questionable piece of data that you are tracking is IP address. The rest is pretty generic. Any site implementing Google Analytics is tracking pretty much the same thing...without warning.
If you do want to track IP address (or anything else that could make the user personally identifiable), though, you should get permission before doing so.
Nothing wrong with server-side tracking of access to your own site. Just don't spy on what the client might be doing that doesn't concern your site.
There's nothing questionable about logging IP addresses either. They can't be resolved to an individual without aid from law enforcement (or some other way to get their ISP to comply). In fact, they are essential if you're ever hit by an exploit and want to file charges.
