Third-party SDK data collection declared in privacy manifests and store forms

Why it matters

Apple and Google both require that third-party SDK data collection appear in your app's privacy declarations — even data your own code never touches directly. SDKs like AppsFlyer, AdMob, and Meta Audience Network collect device identifiers, IP addresses, and app-usage signals that must be declared under GDPR Art.28 (processor relationships), GDPR Art.13 (disclosure), CCPA §1798.140(t) (sale/sharing disclosure), and COPPA §312.5 for children's data. On iOS, initialising tracking SDKs before ATT authorisation is obtained compounds the violation — the SDK reads IDFA without user consent, which is grounds for immediate rejection.

Remediation

For each ad or analytics SDK, find its privacy disclosure documentation and map its data types to App Store nutrition label categories and Google Data Safety types. For iOS tracking SDKs, initialise them only after ATT authorisation:

ATTrackingManager.requestTrackingAuthorization { status in
  if status == .authorized {
    // Initialize AppsFlyer, Meta, etc.
  } else {
    // Initialize with limited data mode
  }
}

For GDPR contexts, integrate the Google UMP (User Messaging Platform) SDK before initialising AdMob. Run find ios/ -name PrivacyInfo.xcprivacy to confirm all SDK pods include their own manifests.

Detection

ID: app-store-privacy-data.privacy-declarations.third-party-sdk-declarations
Severity: high
What to look for: Count all relevant instances and enumerate each. For each ad and analytics SDK detected in Stack Detection, verify its data collection is reflected in the app's privacy declarations. Key patterns to check: (a) AdMob/Google Mobile Ads — collects advertising ID (GAID/IDFA), IP address, device info. Verify GADMobileAds.sharedInstance().requestConfiguration is configured; check if NSUserTrackingUsageDescription is set (required for IDFA on iOS); on Android check for the <meta-data android:name="com.google.android.gms.ads.APPLICATION_ID"> entry in AndroidManifest.xml and that Data Safety declares device IDs shared with Google. (b) Meta Audience Network — collects IDFA/AAID, app usage data. Check Settings.setAdvertiserIDCollectionEnabled(false) is NOT used without a corresponding Data Safety update. (c) Firebase Analytics — collects device identifiers, app events. Check FirebaseAnalytics.setAnalyticsCollectionEnabled(false) is not accidentally disabling analytics while the Data Safety form claims it's collected. (d) AppsFlyer/Adjust/Branch — mobile measurement partners that collect and share device IDs. Verify their SDKs are initialized with proper ATT/consent handling and their data sharing is declared. For React Native, look for AppsflyerSdk, Adjust, BranchIO imports and initialization calls. For Flutter, look in pubspec.yaml and initialization files.
Pass criteria: All ad and analytics SDKs detected in code have their data collection types declared in the app's iOS nutrition labels and/or Android Data Safety form. At least 1 implementation must be verified. SDK initialization follows platform consent requirements.
Fail criteria: An ad or analytics SDK is initialized in code but its data collection is not reflected in privacy declarations; or SDK is initialized without ATT consent gating on iOS (for tracking SDKs).
Skip (N/A) when: No ad or analytics SDKs detected in the project.
Detail on fail: "AppsFlyer SDK initialized in App.tsx with no ATT check — collects IDFA before user consent on iOS" or "Meta Audience Network detected in android/app/build.gradle but Data Safety form not found — Meta collects device IDs that must be declared"
Remediation: Apple and Google both require that third-party SDK data collection be reflected in your app's privacy declarations, even if your own code doesn't collect that data directly.
1. For each SDK, find its privacy disclosure documentation and map its collected types to App Store nutrition label categories and Google Data Safety types
2. For iOS tracking SDKs, initialize them only after ATT authorization:
```
ATTrackingManager.requestTrackingAuthorization { status in
  if status == .authorized {
    // Initialize AppsFlyer, Meta, etc.
  } else {
    // Initialize with limited data mode
  }
}
```
3. For Google Mobile Ads with GDPR, use the User Messaging Platform (UMP) SDK to collect consent before initializing ads

External references

gdpr · Art.28 — Processor obligations and data processing agreements

gdpr · Art.13 — Information to be provided where personal data are collected from the data subject

ccpa · §1798.140(t) — Definition of 'sale' of personal information

coppa · §312.5 — Parental consent — operators must obtain verifiable parental consent before any collection or use

Why it matters

Remediation

ATTrackingManager.requestTrackingAuthorization { status in
  if status == .authorized {
    // Initialize AppsFlyer, Meta, etc.
  } else {
    // Initialize with limited data mode
  }
}

For GDPR contexts, integrate the Google UMP (User Messaging Platform) SDK before initialising AdMob. Run find ios/ -name PrivacyInfo.xcprivacy to confirm all SDK pods include their own manifests.

Detection

ID: app-store-privacy-data.privacy-declarations.third-party-sdk-declarations
Severity: high
What to look for: Count all relevant instances and enumerate each. For each ad and analytics SDK detected in Stack Detection, verify its data collection is reflected in the app's privacy declarations. Key patterns to check: (a) AdMob/Google Mobile Ads — collects advertising ID (GAID/IDFA), IP address, device info. Verify GADMobileAds.sharedInstance().requestConfiguration is configured; check if NSUserTrackingUsageDescription is set (required for IDFA on iOS); on Android check for the <meta-data android:name="com.google.android.gms.ads.APPLICATION_ID"> entry in AndroidManifest.xml and that Data Safety declares device IDs shared with Google. (b) Meta Audience Network — collects IDFA/AAID, app usage data. Check Settings.setAdvertiserIDCollectionEnabled(false) is NOT used without a corresponding Data Safety update. (c) Firebase Analytics — collects device identifiers, app events. Check FirebaseAnalytics.setAnalyticsCollectionEnabled(false) is not accidentally disabling analytics while the Data Safety form claims it's collected. (d) AppsFlyer/Adjust/Branch — mobile measurement partners that collect and share device IDs. Verify their SDKs are initialized with proper ATT/consent handling and their data sharing is declared. For React Native, look for AppsflyerSdk, Adjust, BranchIO imports and initialization calls. For Flutter, look in pubspec.yaml and initialization files.
Pass criteria: All ad and analytics SDKs detected in code have their data collection types declared in the app's iOS nutrition labels and/or Android Data Safety form. At least 1 implementation must be verified. SDK initialization follows platform consent requirements.
Fail criteria: An ad or analytics SDK is initialized in code but its data collection is not reflected in privacy declarations; or SDK is initialized without ATT consent gating on iOS (for tracking SDKs).
Skip (N/A) when: No ad or analytics SDKs detected in the project.
Detail on fail: "AppsFlyer SDK initialized in App.tsx with no ATT check — collects IDFA before user consent on iOS" or "Meta Audience Network detected in android/app/build.gradle but Data Safety form not found — Meta collects device IDs that must be declared"
Remediation: Apple and Google both require that third-party SDK data collection be reflected in your app's privacy declarations, even if your own code doesn't collect that data directly.
1. For each SDK, find its privacy disclosure documentation and map its collected types to App Store nutrition label categories and Google Data Safety types
2. For iOS tracking SDKs, initialize them only after ATT authorization:
```
ATTrackingManager.requestTrackingAuthorization { status in
  if status == .authorized {
    // Initialize AppsFlyer, Meta, etc.
  } else {
    // Initialize with limited data mode
  }
}
```
3. For Google Mobile Ads with GDPR, use the User Messaging Platform (UMP) SDK to collect consent before initializing ads

External references

gdpr · Art.28 — Processor obligations and data processing agreements

gdpr · Art.13 — Information to be provided where personal data are collected from the data subject

ccpa · §1798.140(t) — Definition of 'sale' of personal information

coppa · §312.5 — Parental consent — operators must obtain verifiable parental consent before any collection or use

Third-party SDK data collection declared in privacy manifests and store forms

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Third-party SDK data collection declared in privacy manifests and store forms

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History