> Do their employees not vet any of the code they use, and just slap things together off the internet
That sounds like a pretty accurate description of how software is built. (No, I'm not being flippant.)
> ... and hope it's not doing anything their users don't like?
I expect most don't think too much about it, not out of malice, but because their product manager told them "I want FB login" and to do that, they either spend an afternoon using the FB SDK, or spend a week figuring out how it works, implementing it from scratch themselves, and debugging the inevitable interop issues with whatever oauth2 (or whatever) library they've picked. It's really a no-brainer... few developers can take the week-long route and then justify that to their manager. They'll get fired.
I've worked at places where "cowboy coding" was the norm and people would just look up how to do something on StackOverflow and copy/paste it. But to pull in a major 3rd party dependency like this and just "YOLO" ship it in your company's product? That's almost unbelievable. Didn't anyone have a look to see what the thing does? Assuming the SDK comes with source code, and if they integrated a 3rd party library that doesn't come with the source, even more shame. All it would have taken was a single engineer to notice unexplainable network traffic to a third party at runtime--at any time during development. So much WTF here.
Conversely, I’ve never worked anywhere, in 10+ years, where “we shouldn’t be sending this data to X, it’s bad for our users”, would have got further than the developers. Marketing, Product and management rarely care: in many cases they want the data to go to as many analytics and targeting services as they can.
Since the GDPR came into effect, at least in Germany I notice how product managers and other parties are involved in stuff like this, and not only devs and dev leads.
As an example, 2 weeks ago I had to implement Instabug's SDK for one of our app brands, and created a no-op fake library [0] in order not to ship any Instabug code to the other 5+ apps.
Simply because our PM was afraid of possibly sending stuff to them while not having added them to the privacy policy.
Lots of tempting 3rd party iOS frameworks are binary only without source, such as Google Maps for iOS. Who knows what kind of telemetry and event listeners these frameworks install.