Performing Due Diligence as Android Engineers
Authored by: Ishan Khanna, Senior Software Engineer, Android
I recently gave a talk on performing due diligence as an Android Engineer. Having worked on multiple projects that involved integration with 3rd party vendor SDKs, I gathered my learnings and came up with a framework. In this post, I will talk about the five categories of due diligence, and how to take a proactive approach.
What is Due Diligence?
In legal terms, due diligence, with respect to 3rd party SDKs, is the investigation or exercise of care that a reasonable business or developer is expected to take before entering into any agreement or contract with another party with a certain standard of care. I like to describe it as an insurance policy for a 3rd party integration I am about to make. In doing so, it protects you, your company, and your customers from potential risks.
Why is it important?
Performing due diligence has many implications that can impact your business and customers. While it may not be the most fun endeavor, it does help prevent harm to app performance, developer satisfaction, and ultimately your business. For example:
- If a vendor has a data breach and they had access to your IP or customers’ financial information
- If a vendor does not support the languages within your app
- If a vendor does not have proper documentation and you’re on the hook legally for a mistake they made
- If a vendor library impedes the performance of your app
These are only a few instances of why performing due diligence is vital to the success of your application. It may sound a bit overwhelming, but it doesn’t have to be. Here’s a high-level overview of the five categories you should perform due diligence for an SDK.
Vetting for security seems like a no-brainer, but you’d be surprised how often this can go unchecked. Going into a vendor partnership requires a degree of accessibility from the vendor into your application. Key elements to track:
- Data Collection
- Data Storage
- Data Communication
- Data Encryption
- PII Collection, Storage & Communication
Verifying a vendor’s security is arguably one of the most important factors because it’s tied to different aspects of your business and not just your application. To perform due diligence, check to see what security measures they employ. Ask if they are SOC 2 compliant or PCI compliant. Run them through your organization’s security tests. Performing a rigorous security check saves you from the massive headache of a data breach down the road. Lastly, partner with legal in this search. At Tinder, we work with our legal team to ensure compliance with each vendor partnership. Our cross-functional partnership bolsters Tinder’s security from a technology and business perspective.
When seeking out a vendor, having documentation that clearly spells out the terms of service is critical. Consider the following when entering an agreement with a vendor :
- Licensing Structure
- Installation & Usage
- Level of Detail
- Frequency of Updates
Think about licensing structure, installations and usage, and how frequently the vendor updates their documentation. Ask about potential caveats, such as needing camera access in order to use the library. See if they have supporting documents in the form of a blog or white paper, and the like as they are helpful for troubleshooting purposes. And, be sure to ask if they regularly update their documentation.
An SDK is only as good as how it adapts to your app environment. Key elements to keep in mind are:
- UI Configurability
- UX Configurability
- Dark Mode Compatibility
Customization is key, especially If your app operates in multiple languages. From a visual perspective, understanding accessibility and UX & UI configurability have to be taken into account as well. Don’t forget about dark mode compatibility. If an SDK offers this, how will it affect the look and feel of your app? This is important because customization impacts how your customers interact with your app.
At the integration stage, you’re most likely under the hood and are evaluating the code. Be on the lookout for:
- Consumption & Delivery
- min-SDK Requirements
- Error Handling & Logging
- Proguard Configuration
Check to see if you have access to the historical versions of the SDK and learn about potential dependencies. For example, if you upgrade the library, find out if it will impact other parts of the app. Certain libraries may require you to bump up the min SDK version your project builds against. Get a clear picture of permissions, as the number of permissions can impact user behavior.
Last but not least, understanding the performance of an SDK correlates with the successful integration with your app. Keep these in mind:
- APK / Bundle Size
- Startup Time
- Memory & Disk Usage
- User Interface
Learn how it can impact your build time. Ask about analytics and cache. Find out what they use for networking and secure messaging. Understand how battery life may be impacted. From a UI perspective, check to see if the performance is sluggish or buggy, as these factors can change the experience of the user.
Performing due diligence on 3rd party SDKs is a thorough yet necessary venture. It provides you with a proactive understanding of how an SDK can fit into your application and its performance. More importantly, it safeguards you from potential legal, security, and financial problems down the road. Keep these five categories in mind when you begin engaging with a vendor, and they will serve you well.
Stay tuned for a more in-depth checklist!
Interested in learning more about due diligence? Listen to my talk.