Over the course of this week I have read a lot of articles and posts about this, and I could not recall exactly where I saw that for the first time, but this is one place:
Therefore even if the app publisher has done all the steps required for its app to be GDPR compliant, what about the SDKs? It is a blind spot which app publishers must give extra attention in their GDPR efforts.
Special care should be taken to prevent the app from communicating personal data to a third party in a way that could expose the app to data breaches. If SDKs have been implemented within the mobile app and the SDKs try to access identifying data, the responsibility for the data collection and usage is still the app publisher’s. Validating the compliance of every aspect that goes into the app becomes critical under the GDPR.
That makes sense because it prevents the web/app publisher from saying something like, for example: “I am not in control of the Android SDK”. But the person or firm that offers the service is responsible for how this info comes to the end user.