In May 2022, Google announced the Google Play SDK Index. This is part of their efforts to provide more information and transparency to developers. According to Google, more than 80% of code that can be found in an average application comes from SDKs. If you think about it for a second, you will realize that a lot of the code in an application is not written by the application's own developers. That’s quite astonishing, really.
Developers particularly care about third-party libraries since they can pose several problems:
- Introducing security flaws
- Inflating application size
- Causing crashes/errors
- Complicating dependencies
That’s why it is crucial for developers to know that they can rely on third-party libraries. But how can developers know that third-party library code is good for them to use? Some developers rely on how many stars an SDK has on GitHub, or assume that if other people use it, then it should be fine. Those options aren’t foolproof, though.
Google Play’s SDK Index could help make developers more at ease.
But what does this SDK Index provide to developers? And how does it help you make more informed decisions about choosing a third-party library to be used inside your applications?
SDKs For Everyone
The original intention behind choosing a third-party library is to avoid writing something yourself that someone else has already written. And hopefully, written proficiently. But each SDK can serve a different purpose. Some may help you display ads, others gather analytical data and so on. That is why Google’s SDK Index is broken down into nine categories:
- Advertising and monetization
- Data management
- Marketing and engagement
- User authentication
- User support
When you click on a specific SDK, you will see a screen that presents a plethora of information about it. The first thing that will grab your attention is whether or not that SDK is part of Google Play’s SDK Console (Registration Badge).
Adjust’s SDK is registered in Google Play SDK Console
The screenshot above shows that Adjust’s SDK is part of Google Play SDK Console, which tells you that the people behind this SDK have pledged that their SDK will not cause your application to violate Google Play’s policies.
As opposed to AppMetrica, which is not part of Google Play SDK Console
How crucial is this factor for you, as a developer, to take into account? That’s mainly for you to say.
Unboxing an SDK
Let’s take a look at all the data that is exposed about every SDK in Google Play’s SDK Index. According to Google, it uses “usage data from Google Play apps with SDK code detection” to give you all sorts of insights.
If we take Adjust’s SDK example from above, we can see that the details page of the SDK is separated into several sections:
- SDK details
- Android integration
- SDK adoption by installs
- SDK adoption by version
- Android permissions
- SDK retention by app
- SDK versions
Instead of describing every section, let’s focus on the ones which mean the most to you, the application developer.
In the Android Integration section you can see the API level that the SDK has been tested against and the minimum API level that the SDK requires.
Under the SDK Details section, there is a link to the Data Safety Section Guidance, which will take you to the SDK owner’s website. There you will see how they collect data and what they use it for.
The Android Permissions section, as you may have guessed, shows which permissions the SDK requests.
There is of course an asterisk (⭐️) here, since if you hover over the question mark symbol next to the title you will discover that it:
Shows a list of Android permissions that guard an API(s) that at least one recent version of the SDK is using. An SDK version is considered to be recent if it has been published within the last year. This includes optional usage by the SDK where the SDK doesn’t always require this permission, and may only use it if the app has made it available.
Note: Google Play cannot always detect all permissions used by an SDK.
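Because the Index's permission list is best-effort, it is worth checking locally what an SDK's own manifest would add to your app. The following is an added example, not code from Google or from the original article: it compares the permissions and minimum API level declared in SDK manifests against your app. The manifests, Maven coordinates and the `audit` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample manifests (not taken from any real SDK or app).
APP_MANIFEST = f"""<manifest {NS_DECL} package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SDK_MANIFESTS = {
    "com.example:analytics-sdk:1.0.0": f"""<manifest {NS_DECL}>
  <uses-sdk android:minSdkVersion="21"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>""",
    "com.example:ads-sdk:2.3.0": f"""<manifest {NS_DECL}>
  <uses-sdk android:minSdkVersion="26"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>""",
}

def declared_permissions(manifest_xml):
    """Return every permission name requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def min_sdk(manifest_xml, default=1):
    """Return the manifest's minSdkVersion, or the default if absent."""
    el = ET.fromstring(manifest_xml).find("uses-sdk")
    return int(el.get(ANDROID_NS + "minSdkVersion", default)) if el is not None else default

def audit(app_manifest, sdk_manifests, app_min_sdk):
    """Per SDK: permissions the app did not declare itself, and minSdk conflicts."""
    app_perms = declared_permissions(app_manifest)
    return {
        coord: {
            "added_permissions": sorted(declared_permissions(xml) - app_perms),
            "min_sdk_conflict": min_sdk(xml) > app_min_sdk,
        }
        for coord, xml in sdk_manifests.items()
    }

if __name__ == "__main__":
    for coord, result in audit(APP_MANIFEST, SDK_MANIFESTS, app_min_sdk=23).items():
        print(coord, result)
```

This only sees permissions an SDK declares in its manifest; the Index also lists permissions an SDK uses optionally when the app has made them available, so the two views complement each other.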
Joining The Pack
You may be asking yourself, how does an SDK get included in the index? Well, there’s a simple answer for that. It has to meet the following criteria:
- Fall into one of the categories listed above
- Meet active application and user install thresholds
- Distributed through a Maven repository
If you are the owner of an SDK that meets the criteria above and you want to be listed in Google Play’s SDK Index, you can fill out the following form.
For the keen eyed, you may have noticed that on point #2, Google is maintaining their ambiguity, since it has not publicly disclosed the thresholds for active application and user installs. You might have also noticed that some of the data Google presents is only for applications with more than a thousand installs.
While this initiative is still quite new, I am looking forward to seeing how it will shape up in the near future. Google aims to provide more information and transparency, but in its current state, it is halfway there. There is a lot more to be desired and it will also be interesting to see if (and how) Apple responds to this.
You can check out the full SDK index here:
And the Google Play PolicyBytes where they talk about it here:
This article was originally published on proandroiddev.com on August 26, 2022