▸Example AppsFlyer call (the "before")
import AppsFlyerLib
// ATT prompt path — required before AppsFlyer reads IDFA:
ATTrackingManager.requestTrackingAuthorization { _ in
AppsFlyerLib.shared().start()
AppsFlyerLib.shared().logEvent("af_purchase", withValues: [
AFEventParamRevenue: price,
AFEventParamCurrency: "USD",
AFEventParamContentId: sku,
])
}Every third-party SDK is a supply-chain surface — manifest permissions, network endpoints, transitive dependencies. The biggest reduction in privacy footprint often comes from simply shipping fewer SDKs. Respectlytics has zero ads, attribution, or routing dependencies — it's one HTTPS endpoint.
☑Remove AppsFlyer cleanly
-
1
Remove the AppsFlyer SDK from your build (
AppsFlyerFramework/af-android-sdk/react-native-appsflyer/appsflyer_sdk) -
2
Remove
AppsFlyerLib.shared().start()andlogEvent(...)call sites -
3
Re-check your
Info.plistforNSUserTrackingUsageDescription— if no other SDK needs ATT, remove it (Apple flags apps that ship the key without code that callsATTrackingManager) -
4
Re-check your Android merged manifest for
com.google.android.gms.permission.AD_IDand remove the corresponding<uses-permission>if no other SDK contributes it -
5
Plan how you'll attribute installs without AppsFlyer — Apple SKAdNetwork + Google Play Install Referrer (both first-party, no SDK needed) cover most cases
⇋AppsFlyer vs Respectlytics — fewer third-party sdks
| AppsFlyer | Respectlytics | |
|---|---|---|
| Direct ad / tracking dependencies | — see tool note above | Zero |
| Pulls Google Play Services | — typically yes | No |
| Auto-merged manifest permissions | Often (AD_ID, ACCESS_NETWORK_STATE, etc.) | None added |
| Number of HTTP endpoints contacted | Multiple (varies) | One (Respectlytics API) |
| Open-source SDK | — varies by tool | Yes (MIT-licensed) |
❓Frequently asked questions
How do we audit our current dependency tree?
iOS: swift package show-dependencies (SPM) or pod outdated (CocoaPods) lists the tree. Android: ./gradlew :app:dependencies --configuration releaseRuntimeClasspath. RN: npm ls --all. Flutter: flutter pub deps. Our [Dependency Privacy Scanner](/tools/dependency-privacy-scanner/) parses lockfiles from any of these and tells you which deps are forcing which privacy labels.
What if we still need install attribution?
First-party alternatives without an SDK: Apple SKAdNetwork (iOS), AdAttributionKit (iOS 17.4+), Google Play Install Referrer API (Android). These are built into the OS — your ads platform reads them directly. No mobile SDK required.
What about crash reporting and push notifications?
Those are separate concerns with their own SDKs — Sentry / Crashlytics / Bugsnag for crashes; OneSignal / FCM / APNs for push. Respectlytics doesn't bundle them in; you pick the dedicated SDK for each surface.
Does shipping fewer SDKs measurably improve app size or cold start?
Often, yes — measurably. Removing Firebase + AppsFlyer + Segment from a typical RN app can shave several megabytes of bundle and 100-300ms off cold start. See the [SDK Bundle-Size Comparator](/tools/sdk-bundle-size-comparator/) for specific numbers.