Anomalous User Sessions
Preface: I'm a bit new to Google Analytics so I apologize in advance if I misname things, use confusing terminology, or have done something highly unusual. =)
I just created a new Account and Property for my company's Android app, downloaded the configuration .json file to our app project, and set up basic app integration to track only session creation. Plan was to set things like screen views, button presses, and other interactions today. However, when I got a chance to look at the analytics panel this morning, there were 29 sessions created on Sunday, all with a 0 second session duration, and all of which originated from a Mac running OS 10.10 (which is immediately strange given this is an -android- app). I checked every field I could find on the analytics panel but the only information that was given was the service provider of the session connections, which seem to vary widely but around 1/4 of which seem to come from Japan and China, plus an entry from something that looks like the Department of Defense. (Screenshot Included) We're based out of Seattle and, so far as we know, don't currently rely on any services from overseas.
Has anyone seen anything like this before? I can't think of anything particularly malicious anyone could do with the ability to post data to our analytics panel at this point, especially since it's so new that I'm willing to just delete the entire account and recreate it if a simple token invalidation / recreation isn't sufficient. Still, it's concerning to me that someone managed to gain access when the only known copies of our analytics tokens reside on my dev machine and on a private GitHub with 100% coverage of 2FA on all included users. Is there something I'm missing?
Re: Anomalous User Sessions
Unfortunately, this is quite common. Using the Measurement Protocol, ANYONE (even me) can send hits to your GA account. It's a MASSIVE flaw in Google Analytics and because only the smaller account holders are massively affected by it, nothing has been done for years. This is common for both mobile and web GA.
This is a massive pain but extremely EXTREMELY common. It's plain and simple spam. The horrible thing is that there's nothing you can do but filter it out.
Here's a great article on how to do it: http://help.analyticsedge.com/spam-filter/definitive-guide-to-removing-google-analytics-spam/
Don't worry, your 2FA hasn't been compromised and your repo is still private. This is a problem with GA, not you.
You can expect a LOT more of this if you don't proactively filter this out. GA is in fact useless without these filters. You should see how bad it is on a web account.
Sorry to be the bearer of bad news, but if you want to use GA, you have to spend the time adding these filters. No matter how much we complain to Google, we've gotten no response to this. There's an entire forum dedicated to this on this community if you want more information.
Anyway, read the link I posted, add the filters (you'll have to continuously add more over time) and you should be good to go.
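An added example, not part of the original thread: a triage check for the pattern described above (an Android-only property receiving 0-second sessions from desktop operating systems), run over exported session rows. The CSV column names, the sample rows and the `classify`/`triage` helpers are constructed for illustration and are not a Google Analytics schema or API.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions, not a GA schema.
SAMPLE_CSV = """date,operating_system,os_version,session_duration_s,service_provider
2016-05-01,Macintosh,10.10,0,example-isp-a
2016-05-01,Macintosh,10.10,0,example-isp-b
2016-05-02,Android,6.0.1,184,example-carrier
2016-05-02,Android,5.1,0,example-carrier
2016-05-02,(not set),,0,example-isp-c
"""

# Platforms the property can legitimately report. An Android app
# should never produce a session whose OS is a desktop system.
EXPECTED_PLATFORMS = {"android"}


def classify(row, expected=EXPECTED_PLATFORMS):
    """Return 'exclude', 'review' or 'keep' for one session row."""
    os_name = (row.get("operating_system") or "").strip().lower()
    try:
        duration = float(row.get("session_duration_s") or 0)
    except ValueError:
        duration = 0.0  # unparseable duration is treated like a zero-length hit
    if os_name not in expected:
        return "exclude"  # platform mismatch: cannot have come from the app
    if duration == 0:
        return "review"   # right platform, but may be a bounce or a forged hit
    return "keep"


def triage(csv_text):
    """Label every row; return (label counts, providers of excluded rows)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    labelled = [(classify(r), r) for r in rows]
    counts = Counter(label for label, _ in labelled)
    providers = Counter(
        r["service_provider"] for label, r in labelled if label == "exclude"
    )
    return counts, providers


if __name__ == "__main__":
    counts, providers = triage(SAMPLE_CSV)
    print(dict(counts))
    print(providers.most_common())
```

The provider tally of excluded rows shows which networks the junk sessions arrive from, which helps when deciding what the next view filter should match.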