TL;DR: Mobile apps tend to accumulate analytics, attribution, advertising, crash-reporting, and feature-flag SDKs over time, each justified individually and rarely audited as a portfolio. The cumulative cost is non-trivial: tens of megabytes of binary size, hundreds of milliseconds of cold-start latency, measurable battery and data overhead, and a privacy permission surface that gets harder to defend with each new regulator update. The telemetry value of each SDK varies wildly. In advisory work we have repeatedly seen the operating teams retain SDKs whose value to the business is close to zero and drop ones that quietly do load-bearing work. This essay maps the trade-off honestly: how to measure the cost, how to estimate the telemetry value, and how to decide what to keep.
A note on the named companies. Adjust, AppsFlyer, Branch, Firebase, Amplitude, Mixpanel, Datadog, Sentry, and Crashlytics appear as well-known examples of the SDK classes discussed, not as data sources. Quantitative figures come from public Apple, Google, and academic mobile-performance literature and from advisory work with anonymized partner operators in commerce, gaming, and consumer-utility app archetypes, not from those vendors themselves.
The Default Mobile SDK Stack and How It Grew
A modern consumer mobile app, at scale, ships with somewhere between five and fifteen third-party SDKs by the time it reaches its first major release. The composition is predictable: one or two analytics SDKs (Firebase Analytics, Amplitude, Mixpanel), an attribution SDK (Adjust, AppsFlyer, Branch, or the Apple-native SKAdNetwork/AdAttributionKit if iOS-only), one or two advertising SDKs (Google Mobile Ads, Meta Audience Network, or a mediation layer like AppLovin MAX), a crash-reporting SDK (Crashlytics, Sentry, or Bugsnag), an APM or observability SDK (Datadog, New Relic, or one of the open-source agents), a feature-flag SDK (LaunchDarkly, Split, or an in-house alternative), occasionally a CRM SDK (Braze, OneSignal, CleverTap), and one or more single-purpose SDKs for specific business requirements (a payment processor's SDK, a customer-support chat SDK, a deep-linking helper).
Each individual SDK was added for a reason. The analytics SDK because the team needed to track funnel events. The attribution SDK because the marketing team needed to know which paid channel drove which install. The crash reporter because the engineering team needed visibility into production crashes. None of the individual decisions were wrong in isolation. The portfolio effect is the problem.
The portfolio effect compounds in three dimensions. The first is binary size: each SDK is a static library or framework that adds bytes to the app. Apple's App Store Connect documentation on app thinning and on-demand resources, and Google's Android App Bundle documentation, both acknowledge that binary size affects install-conversion and update rates, with the conversion penalty growing sharply above 100MB on iOS and 150MB on Android. The second dimension is initialization cost: each SDK runs initialization code at app start, and the work compounds into cold-start latency. The third dimension is runtime cost: SDKs poll, batch, send network requests, and occasionally hold wake locks; the runtime cost is harder to measure than the size cost but compounds over the user's session.
The aggregate portfolio is rarely audited as a portfolio. The individual SDK decisions are made by individual teams (marketing, engineering, growth, analytics) with individual budget approval, and the portfolio review, the question of whether the cumulative cost is justified by the cumulative telemetry value, often does not happen until a performance regression or a privacy-regulator inquiry forces it.
What the Overhead Actually Costs
The cost of an SDK has four measurable components: binary size, cold-start time, runtime overhead (CPU, battery, data), and the privacy permission surface. Each component has been studied independently in the mobile-performance literature, and the numbers, while they vary by SDK and by app architecture, are large enough to merit a portfolio audit.
Binary size. Apple's research on app size and install conversion has been the most frequently cited reference point. Google's documentation on Android App Bundle sizes shows similar effects in their internal data. The published guidance from both platforms is that every additional 6MB or so of app size produces a measurable reduction in install conversion rate, with the effect compounding as the app crosses the cellular-download threshold (200MB on iOS, 200MB on most Android carriers as of recent updates). Individual SDKs vary by an order of magnitude: a tightly-engineered crash reporter can ship at under 1MB, while an attribution SDK with bundled ad-network adapters can exceed 15MB.
Cold-start time. Apple's WWDC 2019 session "Optimizing App Launch" and the more recent WWDC 2023 session "Analyze hangs with Instruments" document the cold-start phases (pre-main, dyld loading, framework initialization, app delegate initialization, first-frame rendering) and the measurement methodology. The pre-main phase, before the app's main() function runs, scales linearly with the number of dynamic frameworks the app loads. Each SDK that links as a dynamic framework adds to this phase. A common pattern we have measured in partner audits is 300 to 800 milliseconds of additional pre-main time on a phone with ten or more SDKs, compared to a baseline app with two or three.
Runtime CPU and battery. Android Vitals (Google's performance dashboard exposed through Play Console) tracks battery drain, ANRs (Application Not Responding events), and excessive wake-up frequency. SDKs that maintain background connections, perform periodic location lookups, or batch-send events at fixed intervals contribute to all three. The cumulative effect on a typical user's session is a 2 to 8 percent battery overhead in our partner data, with attribution and advertising SDKs being the heaviest contributors and crash reporters being the lightest.
Network and data. Each SDK that sends telemetry consumes network bytes and, on cellular, contributes to the user's data bill. The aggregate is usually small per session but non-trivial when the user is roaming or on a metered connection. The privacy frame interacts here: a user who has not consented to analytics on a regulated jurisdiction's app should not be paying data costs to send analytics events.
Approximate Cost Profile of Common Mobile SDK Classes (Composite from Public Specs and Partner Audits)
| SDK Class | Typical Binary Size (MB) | Pre-Main Contribution (ms) | Runtime CPU Overhead | Privacy Permission Surface |
|---|---|---|---|---|
| Analytics (Firebase, Amplitude, Mixpanel) | 2-5 | 30-80 | Low (batched event sending) | Identifier access, possibly IDFA on iOS |
| Attribution (Adjust, AppsFlyer, Branch) | 5-15 | 50-150 | Moderate (install referrer, deferred deep links) | IDFA on iOS, Advertising ID on Android, possibly device fingerprinting |
| Ad SDK + Mediation (Google Mobile Ads, AppLovin MAX) | 8-20 | 100-300 | High (ad fetch, render, viewability) | IDFA, Advertising ID, possibly location and contacts |
| Crash reporter (Crashlytics, Sentry, Bugsnag) | 1-3 | 20-60 | Very low (passive symbolic capture) | Minimal; device model, OS, app state at crash |
| APM / Observability (Datadog, New Relic) | 3-8 | 40-120 | Moderate (network instrumentation, trace export) | Network endpoints, possibly user identifiers |
| Feature flags (LaunchDarkly, Split) | 1-3 | 20-60 | Low (periodic flag refresh) | User identifier for targeting |
| CRM (Braze, OneSignal, CleverTap) | 3-7 | 50-120 | Moderate (in-app messages, push tokens) | Push notification permission, possibly location |
The headline number from this table is that a moderately-instrumented app, with one SDK from each row, carries 23 to 61MB of SDK binary, 310 to 890 milliseconds of pre-main initialization, and a privacy permission surface that includes at minimum the IDFA / Advertising ID, push notifications, and one or more user identifiers across vendors. The cost is real, and it is paid by every user of the app, including users from whom the operator extracts no telemetry value.
What the Telemetry Is Actually Worth
The other side of the trade-off is the value the SDKs produce. The value is harder to measure than the cost, because the costs are technical and direct while the values are economic and indirect, but the value can be decomposed into four categories: revenue-decision telemetry, product-improvement telemetry, debugging and reliability telemetry, and compliance telemetry. The categories differ in how directly they map to operating decisions.
Revenue-decision telemetry. Attribution SDKs, advertising SDKs, and revenue-tracking analytics produce data that directly drives marketing-spend decisions. If the attribution SDK is off or misconfigured, the marketing team cannot allocate budget across paid channels; the budget either gets misallocated or paused entirely while the data gap is debugged. The value here is high but conditional on the marketing function actually using the data. In partner audits we have done, a meaningful share of operators have an attribution SDK installed but no active mobile marketing budget; the SDK is paying its cost (binary size, cold start, privacy permission) and returning no revenue.
Product-improvement telemetry. Funnel events, behavioral cohorts, A/B test outcomes, and feature-usage telemetry feed the product team's decision loop. The value scales with the maturity of the product analytics program. A team that has a quarterly retention review that uses event data is extracting value; a team that has dashboards nobody opens is paying the cost without realizing the value. The fraction of installed analytics SDKs that produce actionable product decisions is, in our experience, lower than most operators believe.
Debugging and reliability telemetry. Crash reporting, APM, and error-tracking SDKs produce telemetry that the engineering team uses to fix bugs and improve reliability. This is the category with the highest unit value per SDK and the lowest cost: a crash reporter that surfaces a regression in production before it produces a thousand support tickets pays for itself many times over. The crash-reporter class is the one SDK class we rarely recommend reducing.
Compliance telemetry. Consent management platforms, audit log SDKs, and certain analytics SDKs configured for compliance-mode operation produce data that satisfies regulatory requirements. The value here is binary: the data is needed to defend the business in a regulator audit, or it is not. The classification depends on the jurisdiction and the data category.
The value distribution is heavily right-skewed. A small number of SDK installations carry most of the telemetry value (crash reporters, primary analytics, attribution when marketing spend justifies it). A long tail of SDK installations produces marginal value at the same cost. The portfolio audit is the process of distinguishing the head from the tail.
The Privacy Permission Surface
The 2021 release of iOS 14.5, which introduced App Tracking Transparency (ATT) and required apps to obtain explicit user consent before accessing the IDFA (Identifier for Advertisers), was the most consequential mobile privacy change of the last decade. The economic effect on the mobile-attribution and mobile-advertising ecosystem has been substantial: published figures from major attribution vendors and from public earnings calls suggested ATT opt-in rates in the 20 to 40 percent range, varying by app category and prompt timing, with a corresponding reduction in IDFA-based attribution coverage. The exact opt-in rate is debated and is now a moving target as users have habituated to the prompt; in advisory work we have observed rates anywhere from a low of 15 percent to a high of 60 percent depending on the app category and the framing of the prompt.
The Android equivalent, the Google Privacy Sandbox initiative and the progressive deprecation of the Advertising ID for unconsented users, is on a slower timeline but trending in the same direction. The European GDPR and the California CCPA (now CPRA) and the more recent state-level privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, and the federal proposals) impose consent requirements that interact with the SDK stack: many SDKs require consent before they can operate at all, and the consent management platform itself is another SDK with its own cost profile.
The aggregate effect on the SDK trade-off is that the privacy permission surface has become a first-order cost, not a footnote. An SDK that requires the user to accept a privacy prompt at app launch contributes to prompt fatigue, which reduces opt-in rates across all of the prompts the app shows. The marginal cost of adding another SDK that needs a consent prompt is not just the technical cost; it is the reduction in opt-in rate for the prompts that already exist.
The European Data Protection Board's Guidelines 04/2020 on the use of location data and contact tracing tools and the subsequent national-DPA enforcement actions on mobile app analytics have established that even pseudonymous behavioral data falls under GDPR. The implication is that the analytics SDK that the operator considered low-risk in 2019 became a higher-risk SDK in 2021, and the SDK that was acceptable in 2021 may be borderline in 2026 as the regulator interpretations have tightened. The operator who installed an SDK three years ago and has not re-audited the consent posture since is exposed.
The SDK Bloat Pattern: Why Apps Over-Instrument
The systematic pattern of mobile-app over-instrumentation is not the result of any single bad decision. It is the result of an accumulation of individually-defensible decisions made by different teams over the life of the app. The pattern has a few characteristic features.
Asymmetric ownership. The team that installs an SDK is usually not the team that pays the performance cost. The marketing team installs the attribution SDK; the engineering team that owns app launch performance pays the pre-main cost. The growth team installs the deep-linking SDK; the user who experiences the cold-start delay pays the cost. The asymmetry means that each individual decision is made with full visibility into the benefit and partial visibility into the cost.
Vendor lock-in inertia. Once an SDK is installed, removing it is non-trivial. The events feed downstream dashboards, the attribution IDs feed marketing reports, the user identifiers feed CRM segments. The cost of removal is a migration project; the cost of retention is the continued performance cost. The asymmetry favors retention even when the value has decayed.
The single-incident retention bias. An SDK that produced a useful diagnostic in one past incident gets retained "in case we need it again," even if the routine value is low. The pattern is the cousin of insurance over-purchasing: the operator is paying a continuous premium against a low-probability event. The diagnostic is whether the SDK has produced actionable insight in the past quarter; if not, the operator is paying for capacity that is not being exercised.
The status-signaling SDK. Certain SDKs are installed because peer companies have installed them, not because the value-to-cost ratio is positive. The decision is more about institutional conformance than about extracted value. The portfolio audit can be the only forum in which the status-signaling installation can be questioned.
The structural defense is a portfolio audit run on a regular cadence (annual is reasonable for most operators; semi-annual for higher-velocity ones), with a written justification for every SDK in the stack. The justification has to cite specific recent decisions the SDK supported. If no such decisions can be cited, the SDK is a candidate for removal.
The Mobile-Web Equivalence Problem
A second-order observation worth recording: mobile-app analytics and mobile-web analytics measure different populations, are governed by different privacy regimes, and use largely different SDKs, but the operating teams often try to compare their metrics directly. The comparison is structurally unsound.
A mobile-app session is bounded by the app's lifecycle: from app launch to app suspend, with a session identifier that the SDK manages. A mobile-web session is bounded by inactivity timeout (typically 30 minutes of no events), with a session identifier in a cookie or localStorage. The two definitions produce different session counts for the same underlying user behavior. A user who switches between an app and a web session within minutes is one session by some definitions and two by others.
The attribution-source data also differs. An iOS app's install attribution is gated by SKAdNetwork's privacy-preserving aggregation (no user-level granularity, multi-day delayed conversion windows). A mobile-web visit's attribution is, in the cookie era, deterministic but in the post-cookie era is degrading toward similar privacy-preserving frameworks (Apple's Private Click Measurement, Google's Privacy Sandbox conversion measurement). The mobile-app and mobile-web attribution layers are converging in privacy posture but starting from different points, and the metrics they produce are not directly comparable across the boundary.
The mobile-app and mobile-web measurement boundary and the cross-surface attribution gap
The operating implication is that the SDK stack on the app side and the analytics layer on the web side need to be coordinated at the data-warehouse layer, not at the SDK layer. A user who interacts with both surfaces should be reconciled into a single user-journey record by the warehouse, with the SDKs providing the inputs but not pretending to provide a unified view at the device level. The cost of trying to unify at the device level is more SDKs (cross-platform identifiers, deterministic-match attribution layers), more privacy permission prompts, and a measurement system that is still not coherent.
What to Drop: A Practitioner Inventory
The harder question is what to do about the over-instrumentation, and the answer depends on the operator's specific situation. The general categories of SDK that are most often candidates for removal, in our advisory experience, are these.
Duplicate analytics. When two analytics SDKs are running in parallel, retain the one that the analyst team actually uses for decisions; remove the other. The migration cost is real (event-name mapping, historical-data continuity) but the operating benefit is large.
Unused attribution. An attribution SDK is justified when the operator is spending money on user-acquisition channels that the SDK can attribute. If the operator is spending less than a few tens of thousands of dollars per month on paid mobile acquisition, the attribution SDK may be paying its cost without producing decisions the business uses. The threshold varies by app category and unit economics, but the question is concrete: is the data the SDK produces actually moving a budget decision.
Single-incident retention bias. An SDK retained "in case we need it" but not used in the past two quarters is a candidate for removal. The mitigation strategy is to keep the SDK's documentation and integration code in a feature branch; if the need arises in the future, the SDK can be re-integrated, and in the meantime the active app does not pay the cost.
Mediation when ad revenue is small. An ad mediation SDK is justified when the operator is generating meaningful ad revenue (the threshold is even more app-specific than attribution, but a rough rule is that the SDK should produce at least 10x its true cost in incremental ad revenue versus the next-best alternative). If the operator's ad revenue is small or absent, the mediation SDK is paying a substantial cost (often 10-20MB of binary and 100-300ms of cold start) for capability not being exercised.
Multiple feature-flag SDKs. When an organization grew by acquisition, it is common to inherit two or three feature-flag systems. Consolidating to one is non-trivial but the binary-size and runtime-cost savings are typically large.
Redundant push notification providers. Apps occasionally accumulate multiple CRM and push-notification providers (a legacy provider plus a newer one, or one for messaging plus one for transactional notifications). The consolidation is operationally tricky but worth doing.
Common SDK Removal Candidates and Migration Considerations
| Candidate | Typical Saving | Migration Complexity | Key Risk |
|---|---|---|---|
| Duplicate analytics SDK | 3-8MB binary, 50-150ms cold start, one prompt | Moderate; event-name mapping and historical continuity | Loss of analyst-team familiarity with the dropped tool |
| Unused attribution SDK | 5-15MB binary, 50-150ms cold start, one ATT prompt | Low if marketing is not actively running paid channels; high if winding down | Loss of historical attribution audit trail |
| Ad mediation with low ad revenue | 8-20MB binary, 100-300ms cold start | Low to moderate; requires confirming no active ad revenue | Future ad-revenue plans foreclosed without re-integration |
| Multiple feature-flag systems | 2-6MB binary, 40-100ms cold start, two consents | High; flag migration touches many code paths | Inconsistent flag state during migration window |
| Legacy push provider | 3-7MB binary, 50-100ms cold start, fewer prompts | Moderate to high; user segments need rebuilding | Push delivery gap during cutover |
| Single-incident-retained APM | 3-8MB binary, 40-120ms cold start | Low to moderate; keep documentation for re-integration | Future incident requires a re-integration cycle |
The portfolio audit is not a single project. It is a recurring discipline. New SDKs get added every year; without a regular audit to balance the additions with removals, the portfolio grows monotonically and the cumulative cost compounds. The teams that run a semi-annual SDK review keep the portfolio in approximate equilibrium; the teams that do not run a review accumulate three or four years of additions before someone forces a cleanup, by which point the cleanup is a quarter-long project rather than a sprint.
The cumulative cost of a mobile SDK portfolio is rarely visible to the team that decides to add the next SDK. The cost is visible to the user, who pays it in cold-start time, battery, and privacy prompts, and to the engineer who diagnoses a launch regression six months later. The portfolio audit is the forum in which the cost becomes visible to the people who decide.
A Counter-Argument: When More Telemetry Is Worth It
To balance the de-instrumentation argument, the case for more telemetry is sometimes correct. The conditions under which adding an SDK is genuinely worth the cost can be specified.
The first condition is that the SDK produces telemetry that no other source produces. A crash reporter is irreplaceable: the data it captures (stack traces, device state at the moment of crash, symbolicated frames) cannot be reconstructed from server logs or first-party analytics. A privacy-compliant attribution SDK is similarly irreplaceable for the marketing function, because the alternative is no attribution. The "no alternative source" test is the most rigorous filter.
The second condition is that the telemetry is going to be acted on. An SDK whose data feeds a dashboard nobody opens is a cost without a return. An SDK whose data feeds a weekly review meeting that influences product decisions is paying its cost. The test is concrete: which specific meeting, attended by which specific people, on which specific cadence, uses the data this SDK produces. If no such meeting exists, the SDK is decorative.
The third condition is that the operator has the engineering capacity to integrate the SDK well. A badly-integrated SDK can produce telemetry that misleads the team rather than informs them: events fired at the wrong moment, user identifiers that drift across sessions, attribution that double-counts. The cost of a bad integration can exceed the cost of having no SDK at all, because the team makes decisions based on bad data that they trust. The test is whether the integration work is staffed and reviewed properly, not just shipped.
The fourth condition is privacy-and-regulatory headroom. A new SDK that adds a privacy permission prompt or expands the data-sharing surface should be added only when the operator has confirmed that the existing prompt-stack can absorb another prompt without reducing the opt-in rates for the prompts that already exist. The portfolio optimization is sometimes a constrained-resource problem: the user's attention to consent prompts is the constraint, and adding another prompt has an opportunity cost in reduced opt-in elsewhere.
A Twelve-Week Portfolio Audit and Remediation Plan
For an operator who has decided that the SDK portfolio needs a cleanup, the sequencing matters. The audit and remediation can be done in a quarter if scoped properly.
-
Week 1: inventory. Enumerate every SDK in the app, with version, binary size contribution (use Apple's App Thinning report or Android Studio's APK analyzer), pre-main contribution (use Xcode's Time Profiler or Android's Macrobenchmark), and privacy permission requirements. Document the owner team for each SDK.
-
Week 2: value mapping. For each SDK, document the specific decisions or operations it supports. Cite recent examples (the past quarter is a reasonable horizon). SDKs without specific recent examples are flagged for the candidacy review.
-
Week 3: candidacy review. Owners of flagged SDKs make the case for retention. The case has to cite specific upcoming uses, not "we might need it." The review concludes with a retain-or-remove decision for each candidate.
-
Weeks 4 to 8: removal migration. SDKs marked for removal are deprecated in stages: feature-flag the SDK off in a small percentage of traffic, monitor for regressions, expand the flag, eventually remove the SDK code in a future release.
-
Weeks 8 to 10: remaining-SDK optimization. SDKs retained get their integration audited: lazy initialization where possible, deferring SDK init until after first user-interactive frame, batching event sends, minimizing the runtime overhead.
-
Weeks 10 to 12: privacy-prompt audit. With the reduced SDK count, the prompt stack is re-audited. Some prompts may no longer be needed (the SDK that required them was removed). The remaining prompts are tested for opt-in rate optimization.
-
Ongoing: semi-annual review cadence. The audit is scheduled to recur, with a permanent rotation between teams to prevent the no-questions-asked accumulation pattern.
The 12-week timeline assumes the team has the engineering capacity to do the migration work. Operators with more constrained engineering capacity may take two quarters or longer; the audit itself (steps one through three) can be done in three to four weeks regardless, and the resulting plan can be prioritized against other engineering work without waiting.
What Apple and Google Are Measuring on Your Behalf
A piece of the cost picture that operators frequently miss is that the platform itself is measuring the costs and using them to rank, surface, and occasionally penalize the app. Apple's App Store rendering of the app's listing displays the download size prominently; an oversized app that exceeds the cellular threshold is shown with a "this app exceeds the size limit for cellular download" notice that suppresses the install at the moment of decision. Google's Play Console exposes Android Vitals, the dashboard that tracks the performance of every app on the platform against thresholds the platform sets for "bad behavior" (excessive battery drain, slow cold starts, frequent ANRs, excessive wake-ups). Apps that fall below the thresholds get their Play Store ranking reduced, the Play Store algorithmic warnings get shown to users, and in extreme cases the app can be flagged for review.
The platform measurements are a continuous performance budget that the SDK portfolio is implicitly working against. The operator who treats SDK overhead as a private engineering concern is missing the platform-distribution lever: a heavier app distributes worse, ranks lower, and is recommended less. The portfolio audit therefore has a marketing-and-distribution payback in addition to the direct user-experience payback.
The Android Vitals "core vitals" specification is worth reading in detail by any operator who runs a meaningful Android app. The specification documents the exact thresholds, the percentile aggregations (95th-percentile cold start, 1-percent ANR rate), and the consequences of falling below them. The thresholds get tighter over time as Google iterates: a cold-start time that was acceptable in 2020 is borderline in 2024 and may be unacceptable in 2026. The operator who has not re-benchmarked against the current Vitals thresholds is at risk of having moved from "fine" to "warned" without noticing.
Android Vitals Performance Thresholds (Current Specification) and What They Imply for the SDK Portfolio
| Vital | Bad Behavior Threshold | What Drives It Up | SDK-Portfolio Implication |
|---|---|---|---|
| Slow cold start | Greater than 5 seconds on the cold-start 95th percentile | Dynamic-framework count, pre-main work in SDKs, synchronous SDK initialization | Lazy-init the SDKs that do not need to run at launch |
| Slow warm start | Greater than 2 seconds on the warm-start 95th percentile | App resumption work, SDK session-restart cost | Audit SDK session-restart logic; minimize re-init on resume |
| Excessive battery use | Excessive wake-locks, partial wake-locks, background CPU | Polling SDKs, location-tracking SDKs, audio SDKs | Constrain background work to scheduled windows |
| User-perceived ANRs | Greater than 0.47 percent of sessions producing ANR | Synchronous SDK calls on the main thread | Defer SDK work off the main thread |
| Excessive wake-ups | Greater than 10 wake-ups per hour | Periodic-batch SDKs scheduling at short intervals | Coalesce wake-ups across SDKs via WorkManager |
The Apple equivalent is less centralized: there is no single "Vitals" dashboard, but the MetricKit framework (introduced at WWDC 2019) exposes the same class of measurements to the operator and to Apple's analytics. The data feeds into the Xcode Organizer's Power and Performance reports, which the operator can use to identify performance regressions. The platform is not directly penalizing the app the way Google does, but the App Store ranking algorithm does use crash rate and presumably other quality signals, and the operator who lets the metrics decay is paying for it in distribution.
Key Takeaways
-
Mobile apps tend to accumulate SDKs over time without a portfolio audit, and the cumulative cost (binary size, cold-start time, runtime overhead, privacy permission surface) compounds in ways that no individual SDK decision accounts for.
-
The cost of an SDK is measurable along four dimensions: binary size (with measurable conversion impact above the cellular-download threshold), cold-start contribution (a fraction of pre-main initialization scales linearly with framework count), runtime CPU and battery, and the privacy permission surface (which interacts with prompt fatigue across the consent stack).
-
The telemetry value of an SDK is right-skewed: crash reporters and primary analytics produce most of the value, while duplicate analytics, unused attribution, and ad mediation without ad revenue produce marginal value at the same cost.
-
The 2021 iOS App Tracking Transparency change reshaped the cost structure of attribution and advertising SDKs. The opt-in rate varies widely by app category and prompt framing, and the SDK that was high-value in 2020 may be low-value in 2026 if the opt-in rate has collapsed for that population.
-
The bloat pattern is structural, not accidental. Asymmetric ownership (the team that installs an SDK is not the team that pays the performance cost), vendor lock-in inertia, single-incident retention bias, and status-signaling installations all push the portfolio toward over-instrumentation.
-
The single most common audit finding is two analytics SDKs running in parallel. The team that installed Firebase first and Amplitude or Mixpanel second has rarely removed either, and is paying double for capability used once.
-
The privacy permission surface is a first-order cost, not a footnote. Each SDK that requires a consent prompt contributes to prompt fatigue, which reduces opt-in rates across all prompts. Reducing SDK count can increase the value extracted from the remaining SDKs.
-
The portfolio audit is recurring. New SDKs get added every year; without a regular audit to balance the additions with removals, the portfolio grows monotonically. A semi-annual review cadence keeps the portfolio in approximate equilibrium.
-
The conditions under which adding an SDK is worth the cost can be specified: the SDK produces telemetry no other source produces, the telemetry will be acted on (in a specific meeting with specific people on a specific cadence), the integration capacity exists, and the privacy-prompt stack has headroom.
-
The 12-week portfolio audit and remediation plan (inventory, value mapping, candidacy review, removal migration, remaining-SDK optimization, privacy-prompt audit, ongoing review cadence) is the minimum responsible discipline. The work is non-trivial but the savings (binary size, cold-start time, privacy posture) are concrete and the audit pays for itself in most engagements within a single release cycle.
Concepts defined
Read Next
- Business Analytics
Data Warehouse to BI Layer Arbitration Patterns: Where the Semantic Layer Should Live
An analysis of the architectural debate between BI-tool-as-semantic-layer, warehouse-as-semantic-layer, and headless BI, with the knock-on effects on metric consistency, query cost, and analyst velocity.
- Business Analytics
Anomaly Detection on Analytics Dashboards: When the Alert Fires
A 4% revenue drop on a Tuesday could be a payment outage, a pricing bug, or normal variance. The difference between sound monitoring and alert theatre is not the model. It is the loop the alert sits inside.
- Business Analytics
North-Star Metric Construction and Revision Discipline
Constructing a north-star metric that informs decisions, the triggers that require revision, and the political economy of changing a metric the organization has built itself around. Goodhart, Campbell, surrogation.
The Conversation
Be the first to weigh in
Join the conversation
Disagree, share a counter-example from your own work, or point at research that changes the picture. Comments are moderated, no account required.