[johnny_and1]

The problem is not informing the user that you use SDKs from third party providers, although using them for login services (Facebook, Google+, twitter) or tracking (Crashlytics, Microsoft App Insights). The other problem is not knowing exactly what these SDKs can collect. They basically have the same permissions as the apps that include them. Crashlytics will collect and send location data alongside bug reports if the crashed app has this permission. (Source: Study on the most popular 200 apps in Germany done on real network traffic. We don't know if the study will be available for the public.)

We are currently pushing for legislation changes in Europe. Users should be informed about SDKs and data destination. Europe has 3 main data sinkholes, Ireland (EU data centres for US companies), Netherlands (Akamai) and Germany (probably selection bias). Nobody knows where the data ends up afterwards and under which legislation it falls.

[harryf]

This is certainly a good move. The Facebook SDK for example is widely used by many apps for Facebook ad performance tracking and analytics and that's something he public should be aware of.

See https://medium.com/ios-os-x-development/libraries-used-in-th... for example