
I've worked at places where "cowboy coding" was the norm and people would just look up how to do something on StackOverflow and copy/paste it. But to pull in a major 3rd party dependency like this and just "YOLO" ship it in your company's product? That's almost unbelievable. Didn't anyone have a look to see what the thing does? Assuming the SDK comes with source code, and if they integrated a 3rd party library that doesn't come with the source, even more shame. All it would have taken was a single engineer to notice unexplainable network traffic to a third party at runtime--at any time during development. So much WTF here.
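One concrete form of the check the comment above describes is an egress allowlist run over the connections an app makes during development: every destination that is neither first-party nor a consciously approved third party is reported, with the bytes sent to it. The script below is an added example, not code from the thread or from any of the vendors mentioned; the flow-log format, host names and approved list are constructed for illustration.

```python
"""Egress allowlist check over constructed network-flow log lines.

Flags runtime connections to hosts that are neither first-party nor an
approved third party. The log format (one line per flow, as a dev proxy or
packet-capture summary might emit it) and all host names are constructed.
"""
import re
from collections import defaultdict

# Constructed sample flows: "<timestamp> <process> -> <host>:<port> <bytes_out>".
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 com.example.app -> api.example.com:443 1820
2024-03-01T10:00:02 com.example.app -> cdn.example.com:443 310
2024-03-01T10:00:05 com.example.app -> telemetry.unknown-sdk-vendor.example:443 4096
2024-03-01T10:00:06 com.example.app -> crash.approved-vendor.example:443 2048
2024-03-01T10:00:09 com.example.app -> telemetry.unknown-sdk-vendor.example:443 8192
2024-03-01T10:00:11 com.example.app -> 203.0.113.7:8443 512
"""

# Constructed allowlist: first-party domains plus the third parties the team has
# reviewed (for example, those named in the privacy policy). Anything else is
# "unexplained" traffic that a reviewer should be able to account for.
FIRST_PARTY_SUFFIXES = (".example.com",)
APPROVED_THIRD_PARTY = {"crash.approved-vendor.example"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; return (records, malformed_lines).

    Malformed lines are returned rather than silently dropped, so a log format
    change cannot hide traffic from the check.
    """
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records, malformed


def classify_host(host):
    """Return 'first-party', 'approved-third-party' or 'unexplained'."""
    if host in APPROVED_THIRD_PARTY:
        return "approved-third-party"
    # A bare apex (example.com) counts as first-party too; a suffix match needs
    # the leading dot so that "evil-example.com" does not pass as first-party.
    for suffix in FIRST_PARTY_SUFFIXES:
        if host == suffix[1:] or host.endswith(suffix):
            return "first-party"
    # Raw IP literals never match a domain suffix and so land here as well.
    return "unexplained"


def unexplained_egress(text):
    """Return {host: total_bytes_out} for destinations outside the allowlist."""
    records, _malformed = parse_flows(text)
    totals = defaultdict(int)
    for rec in records:
        if classify_host(rec["host"]) == "unexplained":
            totals[rec["host"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for host, total in sorted(unexplained_egress(SAMPLE_FLOWS).items()):
        print(f"UNEXPLAINED egress to {host}: {total} bytes sent")
```

Run against a real capture from a debug build, the report gives reviewers a short list of destinations to explain before a third-party SDK ships, and the byte totals make a chatty telemetry endpoint stand out from a one-off lookup.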



Conversely, I’ve never worked anywhere, in 10+ years, where “we shouldn’t be sending this data to X, it’s bad for our users”, would have got further than the developers. Marketing, Product and management rarely care: in many cases they want the data to go to as many analytics and targeting services as they can.


Since the GDPR came into effect, at least in Germany I notice how product managers and other parties are involved in stuff like this, and not only devs and dev leads.

As an example, 2 weeks ago I had to implement Instabug's SDK for one of our app brands, and created a no-op fake library [0] in order not to ship any Instabug code to the other 5+ apps.

Simply because our PM was afraid of possibly sending stuff to them while not having added them to the privacy policy.

[0]: https://medium.com/@orhanobut/no-op-versions-for-dev-tools-b...


Lots of tempting 3rd party iOS frameworks are binary only without source, such as Google Maps for iOS. Who knows what kind of telemetry and event listeners these frameworks install.



