If you installed ten random apps from the Play Store today and ran them through a static analyzer, how many tracking SDKs would you find baked into the bytecode?

The answer, on average, is seven. Sometimes more.

And no, these aren’t fringe apps. We’re talking about the kind of tools you use without thinking: weather, fitness, photo editing, the flashlight your aunt swears by.

Why this happens

Modern Android development is a grab-bag of free SDKs. Want crash reporting? Drop in Firebase Crashlytics. Want to A/B test a button color? Add Optimizely. Want to push notifications without writing a backend? OneSignal. Want to know how users navigate your screens? Mixpanel, Amplitude, Heap. Pick one or all three.

Each SDK is a small, useful tool. Each one also opens a network connection to a third party, sends device characteristics, and may persist identifiers across sessions. Add seven of them and you’ve got a quiet committee broadcasting your behavior to seven different companies, none of whom your user has ever heard of.

The developer almost never thinks of it that way. They added a library to solve a problem. The library happened to ship with a tracker.

The seven we see most often

In our scans of the top 32 free apps in Germany, these were the trackers showing up in more than 50% of cases:

  • Google Firebase Analytics (in ~94% of apps)
  • Google CrashLytics (~78%)
  • Facebook Login + Audience Network (~62%)
  • AppsFlyer (~58%)
  • Adjust (~54%)
  • OneSignal (~52%)
  • Branch (~51%)

None of them are illegal. Most are useful to the developer in some way. The problem isn’t any one SDK. It’s the cumulative picture.

What it means for you

A tracker in an app isn’t always doing something nefarious. It might never fire. It might only collect aggregate data. It might respect Android’s privacy permissions and never get a real identifier.

But you have no way of knowing which case you’re in unless you look. That’s the gap AppXpose was built for: not to scare you off using apps, but to let you see what you’re agreeing to.

The trackers don’t bother me as much as the assumption that nobody will check.

What you can do

  1. Scan the apps you use most. Start with the 5 you open daily. The results take seconds.
  2. Compare alternatives. If two flashlight apps do the same thing and one has 9 trackers and one has 1, the choice is obvious.
  3. Watch the changes. Updates often add trackers silently. If you have GUARD, you’ll get a notification the next time it happens.

We’ll keep posting deeper dives as we collect more data. If there’s a category you want us to look into next (banking apps, dating apps, kids’ games), drop us a line.