For many app publishers, the General Data Protection Regulation (GDPR) was an opportunity to examine each of their many SDK integrations and ask, “Does it spark joy?”
The answer, in many cases, was no: It sparks the potential for data leakage and compliance headaches.
In 2018, the number of unused SDKs – those that a publisher integrated but stopped using and never actually removed – dropped by 1.2, according to a SafeDK report released Monday that analyzes 190,000 top-charting apps in the Google Play store.
At the same time, the total number of SDK integrations held steady at an average of 18.
Put another way, publishers are working with more SDKs overall while also getting rid of “legacy SDKs that might have just been sitting there for ages not being called,” said Ronnie Sternberg, chief business officer and co-founder of SafeDK, an SDK management platform.
Even if an SDK is simply sitting within an app unused, the code could pose a silent security risk if it’s accessing data without the proper permissions.
App publishers use SDKs for a variety of wholly legit reasons, of course, including crash reporting, payments, advertising and attribution analytics. “But if you’re an app publisher, you’re accountable for all of the SDKs in your app,” Sternberg said.
That gives publishers a good reason to declutter their stacks, but it’s a task that often doesn’t make it very high on the to-do list unless a compliance challenge like GDPR looms on the horizon.
“It’s not difficult to clean up unused SDKs, but it’s also not a high priority for a lot of developers, because it’s more important to them to update their game than think about something like GDPR and how SDKs could make them vulnerable,” said Sagi Schliesser, CEO and founder of Israeli game studio TabTale.
TabTale is a fairly large company with roughly 250 employees spread across Tel Aviv, China and Eastern Europe, around 70 million monthly active users and the resources to tackle GDPR compliance. “Legal budgets increased twentyfold,” Schliesser said, only half joking.
But regardless of their size, developers must take precautions to protect themselves – and they are, Sternberg said.
In the months leading up to May 2018, which is when GDPR became the privacy law of the land across Europe, SafeDK, which helps app publishers monitor and manage their SDK partnerships, noticed a slowdown in SDK integrations while parties up and down the supply chain endeavored to get their ducks in a row.
“Developers are asking their SDKs what information they’re accessing and for what purpose,” Sternberg said. “If an SDK wants access to location or private user data, publishers are now asking why. They weren’t necessarily asking before and maybe didn’t even know to ask.”
But regardless of the obligation to comply with regulations, app publishers also have a moral obligation of sorts not to partner with less-than-savory third parties – despite the temptations.
Audiomack, a free, youth-focused music streaming app with 1.5 million daily active users, hundreds of thousands of whom are based in Europe, is regularly approached by companies with shady-sounding requests.
“They ask us to put SDKs in our app that track location in the background or ping beacons ... they offer us a significant amount of money to do it – and we always turn them down,” said Dave Macli, Audiomack’s founder and a pre-Google DoubleClick vet. “But you also have to be careful with some of the ad networks that might try to track your users and not even tell you.”
People will willingly opt in to share location or other data points, however, if they are told why it’s wanted, the reasoning makes sense – and the data isn’t used for anything else. Audiomack asks its users to share location so they can see popular music in their area, and only 13% of users decline.
Most apps (58.6%) have at least one SDK accessing location-related information, unexpectedly up a smidge from 56% at the end of 2017 before GDPR went into effect, according to SafeDK’s research.
“It was definitely surprising to see that,” Sternberg said. “But, on the other hand, publishers are trying to give their users a tailored experience, and a lot of the time that has to do with location.”