The Software That Spies on Other Software
- June 24, 2026
Open any free app on your phone and somewhere inside it, dozens of invisible programs spring to life. They watch where you tap, how long you linger, what you buy, and where you go. These programs are not made by the company whose app you downloaded. They belong to an industry most users have never heard of, one that quietly powers a massive surveillance economy operating in plain sight.
The tools are called software development kits, or SDKs. They are pieces of code that app developers embed in their products to handle tasks like analytics, advertising, crash reporting, and payments. Each one tracks something. Together, they create one of the most extensive data collection networks ever built.
Inside the Average App
Recent investigations show that popular mobile apps contain an average of 18 third-party SDKs, with some integrating over 50 different SDKs. A separate 2026 analysis found that typical apps use between 10 and 30 such kits, depending on category. Apps with 100 to 500 million downloads use roughly 23 SDKs on average.
Each SDK transmits data to servers controlled by companies other than the app developer. This creates what privacy researchers call distributed liability. When users agree to one app’s privacy policy, they often unknowingly consent to data sharing with dozens of third parties they have never heard of.
The Big Players in the Surveillance Industry
Companies like AppsFlyer, Adjust, Branch, Singular, and Kochava dominate the mobile attribution and analytics market. AppsFlyer alone serves over 15,000 brands and one in three Fortune 500 companies. These platforms specialize in tracking which advertisement led to which install, what users do inside apps afterward, and how much revenue each marketing channel generates.
Beyond attribution, other SDKs handle different surveillance functions. Firebase from Google collects behavioral data. Meta’s SDK was historically embedded in thousands of third-party apps to feed information back to Facebook. Crash reporting tools, advertising networks, and even user authentication libraries all collect their own streams of data.
What They Actually Collect
A 2017 SafeDK report found that over 50 percent of Android apps have at least one SDK trying to access location data, one in 10 can access the microphone, and 40 percent have SDKs that read the list of other installed apps on a device. The list of installed apps is particularly valuable for profiling because users cannot block this access through Android permissions.
A more recent academic study examined 158 widely used SDKs and found that 37 percent over-collect private data beyond what they disclose. Over 88 percent make false claims about the scope of their data collection in their privacy policies. After 12 months of follow-up, researchers found no meaningful improvement in these practices.
The Billion-Dollar Settlements
The surveillance economy operates in a legal gray zone, but enforcement is catching up. In 2022, Google paid 391.5 million dollars to settle claims from 40 states that the company misled users about location tracking through Android apps and embedded SDKs. The lawsuit alleged Google continued collecting location data even after users disabled tracking.
Facebook settled for 90 million dollars in 2021 over allegations that its SDK collected user data from thousands of third-party apps. TikTok paid 92 million dollars to resolve claims that SDKs collected biometric information, including facial recognition data, without proper consent under Illinois law. In 2025, Tractor Supply was fined 1.35 million dollars for maintaining a non-functional opt-out form while third-party trackers continued to operate.
The Apple Crackdown and Its Limits
In April 2021, Apple launched App Tracking Transparency with iOS 14.5, requiring apps to ask users for permission before tracking them across other apps and websites. The impact was immediate. Only about 35 percent of iOS users now provide consent to share their advertising identifier.
The crackdown has not been smooth. France’s competition authority fined Apple 150 million euros in March 2025 for anticompetitive conduct, ruling that Apple gave itself favorable conditions for its own advertising services while imposing stricter rules on third-party developers. Germany and Poland opened parallel investigations. Apple’s iOS 26, released in 2025, added blocks against device fingerprinting, a workaround tracking method used when advertising IDs are unavailable.
Privacy Theater and What Comes Next
Regulators have started focusing on what researchers call privacy theater, where apps display compliant-looking consent banners while their actual data flows ignore user choices. The European Data Protection Board’s 2026 enforcement actions specifically target apps whose back-end behavior contradicts their stated policies.
For ordinary users, the practical options remain limited. iOS allows tracking control through ATT, but Android lacks a native equivalent and requires third-party tools to block trackers. Disabling unnecessary app permissions helps reduce data exposure, but the structural problem remains. Until developers face stronger incentives to audit what their embedded code actually does, the surveillance machinery inside everyday apps will keep running, mostly invisible to the people generating its data.