▸ Example AppsFlyer call (the "before")

```swift
import AppTrackingTransparency
import AppsFlyerLib

// ATT prompt path — required before AppsFlyer reads IDFA:
// (price and sku are supplied by the surrounding purchase code)
ATTrackingManager.requestTrackingAuthorization { _ in
    AppsFlyerLib.shared().start()
    AppsFlyerLib.shared().logEvent("af_purchase", withValues: [
        AFEventParamRevenue: price,
        AFEventParamCurrency: "USD",
        AFEventParamContentId: sku,
    ])
}
```

Closed-source analytics SDKs require you to trust vendor claims about behaviour. Open-source SDKs let your security team verify those claims from source. For regulated industries this is often a procurement-gating requirement. Respectlytics's SDKs are MIT-licensed and fully open; the server is AGPL-3.0.
☑ Remove AppsFlyer cleanly

1. Remove the AppsFlyer SDK from your build (`AppsFlyerFramework` / `af-android-sdk` / `react-native-appsflyer` / `appsflyer_sdk`)
2. Remove `AppsFlyerLib.shared().start()` and `logEvent(...)` call sites
3. Re-check your `Info.plist` for `NSUserTrackingUsageDescription` — if no other SDK needs ATT, remove it (Apple flags apps that ship the key without code that calls `ATTrackingManager`)
4. Re-check your Android merged manifest for `com.google.android.gms.permission.AD_ID` and remove the corresponding `<uses-permission>` if no other SDK contributes it
5. Plan how you'll attribute installs without AppsFlyer — Apple SKAdNetwork + Google Play Install Referrer (both first-party, no SDK needed) cover most cases
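
A check for leftovers from steps 2 to 4 of the checklist above, as an added example (not code from Respectlytics or AppsFlyer). The function name `audit`, the constructed sample inputs and the plain substring match on `ATTrackingManager` are assumptions; feed it your built `Info.plist`, the merged Android manifest and your source texts.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
AD_ID = "com.google.android.gms.permission.AD_ID"
ATT_KEY = "NSUserTrackingUsageDescription"
APPSFLYER_CALL = re.compile(r"AppsFlyerLib\s*\.\s*shared\s*\(\s*\)")

def audit(info_plist: bytes, merged_manifest: str, sources: dict) -> list:
    """Return leftovers from checklist steps 2-4 as human-readable findings."""
    findings = []
    # Step 2: remaining AppsFlyerLib.shared() call sites, reported as file:line.
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if APPSFLYER_CALL.search(line):
                findings.append(f"{path}:{lineno}: AppsFlyer call site")
    # Step 3: ATT usage string with no source left that mentions ATTrackingManager
    # (substring heuristic: a mention inside a comment also counts as a use).
    if ATT_KEY in plistlib.loads(info_plist):
        if not any("ATTrackingManager" in text for text in sources.values()):
            findings.append(f"Info.plist: {ATT_KEY} without ATTrackingManager use")
    # Step 4: AD_ID still present after manifest merging (some dependency adds it).
    for perm in ET.fromstring(merged_manifest).iter("uses-permission"):
        if perm.get(ANDROID_NAME) == AD_ID:
            findings.append(f"AndroidManifest.xml: {AD_ID} still declared")
    return findings

# Constructed sample inputs (not taken from any real app).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.shop",
    ATT_KEY: "Used to measure ad performance.",
})
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""
SAMPLE_SOURCES = {
    "Checkout.swift": 'import UIKit\nAppsFlyerLib.shared().logEvent("af_purchase", withValues: [:])\n',
    "AppDelegate.swift": "import UIKit\n// AppsFlyer start() call removed\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLIST, SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

An empty result means none of the three leftovers were found; a remaining `AD_ID` finding only tells you the permission survived merging, not which dependency contributes it.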
⇋ AppsFlyer vs Respectlytics — open-source SDK + server

| | AppsFlyer | Respectlytics |
|---|---|---|
| SDK source publicly available | — see tool note above | Yes (MIT) |
| Server source publicly available | — typically no | Yes (AGPL-3.0) |
| Reproducible builds from source | — varies | Yes (CI publishes from same commit) |
| Fork-and-modify allowed | — varies by license | Yes |
| Public commit history | — typically no | Yes (GitHub) |
❓ Frequently asked questions
Where can we audit the source?
GitHub: github.com/respectlytics. Each SDK has its own repository with source, tests, CI configuration, and release tags. The server lives in a separate repo with the same conventions.
Are the published binaries reproducible from source?
Yes — CI builds use deterministic build commands. The artifacts published to CocoaPods / SPM / Maven Central / npm / pub.dev are produced by the same pipeline that runs against each commit. Reproducible builds are a goal we test against; report any discrepancy as an issue.
Can we modify the SDK and ship our fork?
Yes — MIT permits modification and redistribution with attribution. Many enterprises fork to adjust logging, add internal tracing, or vendor the SDK into their build.
Why MIT for SDK and AGPL for server?
Standard split for source-available SaaS (GitLab, Sentry, MinIO, Plausible). MIT on the SDK maximises consumer freedom — your app picks up the dependency without obligation. AGPL on the server prevents competing closed-source SaaS forks while allowing internal self-hosting freely.