A recent iOS scandal demonstrated how invasive a malicious SDK can be, and how much damage it can do to the privacy of the user. This can happen without the user, or even the app developer, knowing or agreeing to it. We don’t use SDK’s and here’s why.
When you build an app, 3rd party SDKs are incredibly attractive. Import a Google library into your project, add a few lines of code, and things just start working. It’s that easy, and the utility is HUGE for the developer. Install Twitter’s Fabric.io and you get an email every time your app crashes on someone’s device with all the details you need to fix it. Throw in Yahoo’s Flurry and see how people use the app in real time, which screens they like, where interest drops off, how and when they use the app, etc. If you’re marketing your app, use Facebook’s developer SDK to be able to track ad clicks all the way through the app store to app install, and even pay only when the app is installed. All of these SDKs are bundled with SaaS platforms that store all the data, do all the processing, and visualize the data to make it instantly actionable.
While Youmi was obviously not a reputable partner, their actions are bringing the behavior of other more reputable SDKs into the spotlight. Since it is now clear that we don’t know exactly what they are doing, it is also clear that we shouldn’t necessarily trust them. Avoiding them makes things extremely difficult for developers. The other options are certainly not as refined. ACRA for example allows you to catch crashes and run analytics using your own servers, but can take a good bit of tooling to get it running. We searched for paid SaaS solutions that would allow us the agility and insight of Google, Twitter or Yahoo while keeping it within our own silo, but came up empty handed. If you build a privacy-aware, SaaS app analytics platform, we’ll be your first customers. Call us! Perhaps the Youmi scandal means we won’t be the only one, but it will be the users of those 150 kicked apps that decide what the consequences are.