Your Data is Not Safe: Tracking Through SDKs

SDK, Software Development Kit is a collection of software development tools in one installable package. SDK tools includes range of things including: libraries, documentation, code samples, processes, and guides that developers can use and integrate into their own apps. SDKs are designed to be used for specific platforms or programming languages.

We often like to spend our time with the applications installed in our mobile phones or even have official apps installed. However, we are unaware of the in-built code of the apps, which may lead to data breach. Your phone is the ideal tool for advertisers and data brokers, both as a means of collecting your information and serving you ads based on it. This is usually done through software development kits, or SDKs, which these companies provide to app developers for free in exchange for the information they can collect from them, or a cut of the ads they can sell through them. When you turn on location services for a weather app so it can give you a localized forecast, you may be sending your location data back to someone else.
On the time of installing an application, you are required to provide access to mobile phone directory, camera, audio and many others, depending on the app requirements. SDKs themselves are not trackers, but they are the means through which most tracking through mobile apps occurs. Simply put, an SDK is a package of tools that helps an app function in some way.

For instance, if a developer wants to let users sign into an app with their Facebook accounts, they would want Facebook's Login SDK. If their app needs maps or map data, they could use Google's Map SDK. Without SDKs, developers would have to build those things entirely from scratch. That's time-consuming and could be beyond a small developer's abilities or budgets. SDKs may also help apps communicate with third parties through what is called an Application Programming Interface (API). Using the Facebook Login SDK, as an example, helps a developer to build and implement the sign-in feature in their app, while the API allows the app and Facebook to communicate with each other so that the sign-in can happen.

"If I'm a startup, I'm bootstrapping an app really quickly, I need to make something fast. I just bundle a bunch of SDKs in there, compile the app, and ship it off to the App Store", Sean O'Brien, Founder & Executive Director of the Yale Privacy Lab.
"The name of the game for the past dozen years has been to make it as easy as possible for people to develop apps," Norman Sadeh, Director of Carnegie Mellon University's Mobile Commerce Laboratory and e-Supply Chain Management Laboratory

Since the outbreak of COVID-19, even businesses from Ford to Facebook have offered up their services, money, and face mask stashes to try to help. Some companies that deal in your data are stepping up, too, offering their data analysis services to try to track or stop the spread of the virus. With the common usage of apps increasing than earlier, data that's usually supplied by you often without your knowledge or consent, makes other companies richer. Even sharing the location data without knowing, helps the apps to track the user data and report it back to the SDK provider.

An Oxford University study found that nearly a third of all the apps in Play Store were linked to at least 10 third-party SDKs and one in five were sharing user data with as many as 20 SDKs. That figure goes up exponentially on large-scale free apps. For instance, as per MightySignal, a mobile intelligence firm, Tinder is connected to a staggering 51 SDKs, Airbnb has 41, and ESPN has 40. The majority of SDKs collect data you wouldn't normally think is of any significance. They track what you tap inside an app, areas where you spend most of your time, which ads you interact with, and more. But this seemingly harmless practice can be critically detrimental to your privacy when you look at how all that data fits in the broader picture.
The Oxford study also revealed that 88% of the researched apps could beam data to companies that are ultimately owned by Alphabet (Google's parent) and 43% to Facebook-owned services. Companies like Facebook and Google already know a fair bit about you, and by tapping into hundreds of thousands of apps through SDKs, they are able to fine-tune your digital profile in their database and serve you targeted ads.