Your App’s Dark Supply Chain—SDKs, AI And Hidden Tracking

Mobile apps have become an essential part of daily life, but they also pose a significant threat to privacy. Behind every tap, apps leak more data than they admit: opaque SDKs and embedded AI move data off-device, and developers struggle to account for flows they did not write. That responsibility nonetheless falls on developers, and making privacy testing a routine practice is how brands earn back the trust of their users.

The State of Mobile App Privacy

Mobile devices are where customers live, and they are also where privacy most often goes missing. The mobile app is arguably the most effective surveillance tool ever created: users trade convenience for exposure, while companies trade speed for visibility. Every industry now depends on software that can be accessed from any device, yet mobile security is routinely overlooked, which makes the mobile app both a magnet for attackers and a stress test for trust.

The gap in mobile app privacy shows up in small choices that add up, such as permissive defaults, rushed releases, and libraries dropped in without review. Teams intend to do the right thing, but deadlines hit, SDKs update in the background, and disclosures drift away from reality. This results in apps that feel helpful but quietly spill data to places most people never see.

Understanding the Data and its Implications

Recent testing shows a consistent pattern: many iOS and Android apps handle sensitive data and call tracking domains. That does not automatically mean abuse, but it does mean data is moving farther and faster than most risk teams realize. Research from NowSecure has found that a large share of iOS apps fail to declare what they collect, and many lack a primary privacy manifest. Almost all are missing the required manifests for third-party SDKs, which is where much of the actual behavior lives.

The analysis found that over 90% of attestations are wrong, and the cause is usually not malice but blind spots. Developers know their own code, but they are far less sure about a constantly changing pile of third-party components. AI is accelerating the problem: almost one in five of the 183,000 apps reviewed use some form of AI, and thousands send data to external AI endpoints. Each of these adds new data flows, new vendors, and new risks, making it hard to answer basic questions about what leaves the device, where it goes, and how long it is kept.

Taking Responsibility and Finding a Solution

The burden of fixing this should not fall on the consumer but on the app developer. Trust is not a tagline; it is proof, and you earn it by showing what the app actually does rather than promising what it should do. Security teams must take a proactive approach to mobile application security, building the right tools and processes into development workflows so that secure mobile applications are what gets released.

To start, minimize permissions, and map every outbound connection, labeling each destination as first-party, SDK vendor, ad/analytics network, or AI endpoint. Reconcile behavior with disclosures on every release, and govern SDKs like a supply chain. Make privacy testing part of the pipeline, and add automated tests that observe data use at runtime, flag risky flows, and fail builds when something changes. Treat AI endpoints like any other processor, with contracts, controls, monitoring, and kill-switches.
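One way to turn the steps above into a pipeline gate, as an added illustration that is not code from the article or from NowSecure: reconcile the destinations observed in a runtime network capture against the release's disclosure inventory, label each one, and fail the build when an undeclared destination or any change since the previous release appears. All hostnames, the capture and the baseline are constructed for the example, and the AI-endpoint markers are a heuristic assumption.

```python
from urllib.parse import urlparse

# Constructed disclosure inventory: hostname -> label (hypothetical hosts).
DECLARED = {
    "api.example-app.com": "first-party",
    "crash.sdk-vendor.example": "sdk-vendor",
    "pixel.adnet.example": "ad-analytics",
}

# Constructed baseline: destinations observed in the previous release.
PREVIOUS_RELEASE = {"api.example-app.com", "crash.sdk-vendor.example", "pixel.adnet.example"}

# Constructed runtime capture, one request per line: timestamp method url.
CAPTURE = """\
2024-05-01T10:00:00Z POST https://api.example-app.com/v1/login
2024-05-01T10:00:01Z POST https://crash.sdk-vendor.example/report
2024-05-01T10:00:02Z GET https://pixel.adnet.example/i.gif
2024-05-01T10:00:03Z POST https://inference.ai-vendor.example/v1/chat
"""

AI_MARKERS = ("inference", "llm", "openai")  # assumed heuristic, not a vendor list

def hosts_from_capture(text):
    """Return the set of destination hosts in a capture."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            hosts.add(urlparse(parts[2]).hostname)
    return hosts

def label(host, declared=DECLARED):
    """Label a host from the disclosure inventory; otherwise flag it."""
    if host in declared:
        return declared[host]
    if any(m in host for m in AI_MARKERS):
        return "undeclared-ai-endpoint"
    return "undeclared"

def reconcile(capture=CAPTURE, declared=DECLARED, baseline=PREVIOUS_RELEASE):
    """Return labels per host, undeclared hosts, and hosts new since baseline."""
    hosts = hosts_from_capture(capture)
    labels = {h: label(h, declared) for h in sorted(hosts)}
    undeclared = sorted(h for h, l in labels.items() if l.startswith("undeclared"))
    return labels, undeclared, sorted(hosts - baseline)

def build_passes(capture=CAPTURE, declared=DECLARED, baseline=PREVIOUS_RELEASE):
    """Fail the build on any undeclared destination or any change since baseline."""
    _, undeclared, new = reconcile(capture, declared, baseline)
    return not undeclared and not new
```

With the constructed inputs the AI endpoint is both undeclared and new, so the build fails; adding it to the baseline alone is not enough, because it still has no disclosure label.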

Best Practices for Mobile App Developers

Collect less, keep less, share less, and prove it with evidence that can be handed to auditors, customers, and executives. Regulatory pressure is rising, with GDPR, state privacy laws, and sector-specific rules. The better posture is practical: teams that build continuous visibility now, especially around SDKs and AI, will be ready for what comes next, while teams that wait will be guessing. It takes discipline to see what the app really does, reduce it to the minimum, make the disclosures match, and keep checking as code and components change.
