
If I want to use a third party SDK or API in my iOS Application - and I want to avoid giving the companies that distribute and offer these SDKs & APIs 'too' much data, if you will, what is the best way to approach integrating their technology - an SDK or API?

When I call an API - what kind of information is that giving them versus using their SDK? To me, it seems SDKs collect far more data than APIs.

I am deciding whether I want to implement the Giphy iOS SDK into my iOS Application - but I discovered Meta (Facebook) owns this company now and tried to hide their acquisition from the U.S. Government - which makes me not trust Facebook (and now Giphy) far more than I already didn't trust them... I understand Apple uses Giphy via iMessage on iOS / iPad OS but they do it via Bing Search.

My overarching question is - should I use a company's API or SDK if I want to relinquish as little data as possible, and how could I do the same using both? For example - how could I implement an SDK in the safest/most secure way possible, to where my iOS app indirectly utilizes the SDK -- such as by embedding the static library into an Xcode Project (Framework) then importing said framework into the actual App -- would this make it most secure if I want to use an SDK over an API in order to get X functionality?

1 Answer


An SDK (aka Software Development Kit) is usually just a set of libraries or frameworks and accompanying tools, documentation and possibly also services.

An API (Application Programming Interface) is the public part of the interface of a library or framework. It's more like a specification and a contract, but strictly does not contain the behaviour.

So, in order to answer your question in a non-serious way, I would suggest you use the API, because it does nothing :)

But, the reality is, it does not matter whether you use an SDK (a set of libraries) or a single framework or library. What matters more is whether you have access to the source code and whether you can trust the vendor. And, when you have the source code, whether it is comprehensible by glancing over the code and whether you are able to quickly confirm that they don't do harm to you or your users.

Unfortunately, there ARE libraries - especially from vendors from the data collecting association, which do this business for a living - which come with the source, but that source is so large that even after hours of examining the code in an incomprehensible ancient language (Objective-C), you may still have no clue what the heck they are sending in this network request, and what this ominous-looking URL is for.

Also, consider that, if you integrate a third party library, the code has the same entitlements as specified in your app.

So, I would recommend avoiding overly large and complex libraries, even if they come with source, and if you don't trust them.

CouchDeveloper