Ad SDK configuration and Families certification compliance

ab-000476 · app-store-privacy-data.tracking-advertising.ad-sdk-compliance

Severity: lowactive

Why it matters

Test ad unit IDs left in production builds display test ads instead of real ads, generating zero revenue while consuming real user impressions. More critically, a missing GADApplicationIdentifier in Info.plist or AndroidManifest.xml causes the AdMob SDK to crash at initialisation — your app fails immediately on launch for all users running production builds. For Kids category apps, unconfigured tagForChildDirectedTreatment violates COPPA §312.5 and GDPR Art.8 by allowing behavioural targeting of children, which carries FTC penalties up to $50,120 per violation per day.

Severity rationale

Low because test IDs cause revenue loss and configuration crashes rather than security breaches, but the crash from a missing Application ID is a complete production failure.

Remediation

Move ad unit IDs out of source and into build-time configuration. With Expo's app.config.ts:

extra: {
  admobUnitId: process.env.EXPO_PUBLIC_ADMOB_UNIT_ID,
}

For Kids category apps, set child-directed treatment before any ad request:

GADMobileAds.sharedInstance().requestConfiguration.tagForChildDirectedTreatment = true

Search for ca-app-pub-3940256099942544 in the codebase to find test unit IDs — any match in a non-test file path is a production build risk. Confirm GADApplicationIdentifier is present in Info.plist and the AdMob Application ID in AndroidManifest.xml before every release.

Detection

ID: ad-sdk-compliance
Severity: low
What to look for: Count all relevant instances and enumerate each. Check ad SDK configuration for policy compliance: (a) Google AdMob — verify GADApplicationIdentifier (or ca-app-pub-...~... ID) is set correctly in Info.plist and AndroidManifest.xml (required or app crashes on initialization); check for test ad unit IDs (ca-app-pub-3940256099942544/...) left in production code. (b) Google Families Policy — if the app is in a Kids category or targets children, verify tagForChildDirectedTreatment is set to true in AdMob request configuration and that the ad network participates in the Google Certified Publishing Partner program. (c) Meta Audience Network — check for limitedEventUse flag if targeting EU users; check for setDataProcessingOptions call for CCPA compliance. (d) General — verify no ad unit IDs are hardcoded in source control without being environment-specific; look for ad loading calls in useEffect without cleanup (memory leaks). Flag test ad unit IDs in what appears to be production code.
Pass criteria: Ad SDKs are configured with production (not test) ad unit IDs in production builds. At least 1 implementation must be verified. Child-directed treatment is properly configured for children's apps. No obvious policy violations in SDK configuration.
Fail criteria: Test ad unit IDs present in production code paths; tagForChildDirectedTreatment not set for apps targeting children; Ad SDK application ID missing (causes crash).
Skip (N/A) when: No ad SDKs detected in the project.
Detail on fail: "Google AdMob test ad unit ID 'ca-app-pub-3940256099942544/6300978111' found in src/screens/HomeScreen.tsx — production builds will show test ads, not real ads" or "GADApplicationIdentifier not found in Info.plist — AdMob SDK will crash on initialization"
Remediation: Test ad unit IDs in production are a policy violation and cause revenue loss. Missing application IDs cause crashes during review.
1. Move ad unit IDs to environment variables or build configuration, never hardcode in source
2. Use build-time substitution in Expo with app.config.ts extra fields:
```
extra: {
  admobUnitId: process.env.EXPO_PUBLIC_ADMOB_UNIT_ID,
}
```
3. For children's apps, configure child-directed treatment before any ad request:
```
GADMobileAds.sharedInstance().requestConfiguration.tagForChildDirectedTreatment = true
```
Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.

External references

coppa · §312.5 — Parental consent — child-directed treatment configuration required
ccpa · §1798.120 — Right to opt-out of sale of personal information
gdpr · Art.8 — Conditions applicable to child's consent in relation to information society services

Taxons

regulatory-conformance placeholder-hygiene

History

2026-04-18·v1.0.0·Initial import from app-store-privacy-data·automated

Why it matters

Remediation

Move ad unit IDs out of source and into build-time configuration. With Expo's app.config.ts:

extra: {
  admobUnitId: process.env.EXPO_PUBLIC_ADMOB_UNIT_ID,
}

For Kids category apps, set child-directed treatment before any ad request:

GADMobileAds.sharedInstance().requestConfiguration.tagForChildDirectedTreatment = true

Detection

ID: ad-sdk-compliance
Severity: low
What to look for: Count all relevant instances and enumerate each. Check ad SDK configuration for policy compliance: (a) Google AdMob — verify GADApplicationIdentifier (or ca-app-pub-...~... ID) is set correctly in Info.plist and AndroidManifest.xml (required or app crashes on initialization); check for test ad unit IDs (ca-app-pub-3940256099942544/...) left in production code. (b) Google Families Policy — if the app is in a Kids category or targets children, verify tagForChildDirectedTreatment is set to true in AdMob request configuration and that the ad network participates in the Google Certified Publishing Partner program. (c) Meta Audience Network — check for limitedEventUse flag if targeting EU users; check for setDataProcessingOptions call for CCPA compliance. (d) General — verify no ad unit IDs are hardcoded in source control without being environment-specific; look for ad loading calls in useEffect without cleanup (memory leaks). Flag test ad unit IDs in what appears to be production code.
Pass criteria: Ad SDKs are configured with production (not test) ad unit IDs in production builds. At least 1 implementation must be verified. Child-directed treatment is properly configured for children's apps. No obvious policy violations in SDK configuration.
Fail criteria: Test ad unit IDs present in production code paths; tagForChildDirectedTreatment not set for apps targeting children; Ad SDK application ID missing (causes crash).
Skip (N/A) when: No ad SDKs detected in the project.
Detail on fail: "Google AdMob test ad unit ID 'ca-app-pub-3940256099942544/6300978111' found in src/screens/HomeScreen.tsx — production builds will show test ads, not real ads" or "GADApplicationIdentifier not found in Info.plist — AdMob SDK will crash on initialization"
Remediation: Test ad unit IDs in production are a policy violation and cause revenue loss. Missing application IDs cause crashes during review.
1. Move ad unit IDs to environment variables or build configuration, never hardcode in source
2. Use build-time substitution in Expo with app.config.ts extra fields:
```
extra: {
  admobUnitId: process.env.EXPO_PUBLIC_ADMOB_UNIT_ID,
}
```
3. For children's apps, configure child-directed treatment before any ad request:
```
GADMobileAds.sharedInstance().requestConfiguration.tagForChildDirectedTreatment = true
```
Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.