SDKs pose potential privacy threat to mobile app users

As the mobile app industry continues to grow and develop rapidly, Software Development Kits (SDKs) may pose a threat to mobile users’ privacy. According to SafeDK, which tested more than 190,000 free Android apps in the Google Play top charts against 1,000 third-party SDKs, the average Android app uses 17.9 mobile SDKs. Effectively, that means consumers are entrusting their data not just to the developers of the apps, but also to 18 other platforms.

But let’s start at the beginning. Why do developers use SDKs? According to the research, Analytics is the most popular SDK category among app publishers, followed by Advertising, Social and Payment SDKs. According to SafeDK, payment-related SDKs are the fastest-growing type, with more than 45% of apps now using them.

The average number of SDKs varies with app category. For example, dating, sports and social apps are using roughly 20 SDKs, whilst finance apps are using just 15.6 SDKs. Interestingly, the graph below also shows that overall the number of SDKs has increased across all app categories within just a few months.

Although it’s natural to assume that more popular apps may have more SDKs, that is not necessarily the case. Indeed, apps with between 100 million and 500 million downloads are using considerably more SDKs (23 on average). However, once an app reaches the 1 billion mark, the number of installed SDKs drops to half (12 SDKs).

When it comes to privacy, more than 52% of apps have installed at least one SDK that tries to access a user’s location. Another 40% of apps are capable of reading the list of installed apps users have on their devices. One in 10 apps can access microphones and 28% of apps can access a user’s contacts.

Interestingly, not even family-friendly apps are safe from SDKs accessing user data. Although Google encourages app developers to act responsibly and make their apps safe for underage usage, SDKs are still able to access locations, microphones, contacts and other features via a family-friendly app.

According to the report:

It’s worth noting that apps don’t actively use all the SDKs they’ve integrated. The average number of unused SDKs is at a record low – 5.4 SDKs per app (roughly 30%). So, while the average number of SDKs in apps isn’t significantly growing, it does look like apps are cleaning house and removing unused libraries from their code. This supports our forecast that the average number of SDKs will not decrease.

So who are the leading SDK players? According to SafeDK, Google Play Services has a near 100% presence across apps, followed by Facebook at around the 50% mark. Firebase continues to grow, whilst Unity Ads and Crashlytics remained fairly stable with around 15% each. The leading SDKs vary widely by SDK functionality and category.