Ideally, there should be zero. Crash reporting I don’t mind, but the app doesn’t need multiple analytics libraries, and Facebook has proven it can’t be trusted not to misuse data, even if the login or sharing functionality is on the surface unobjectionable. How may of these can be cut out?
The app needs those libraries in order to allow login with Facebook or Google and to allow functions like share on Facebook. If you don’t use such a login or don’t share on Facebook - those libraries will not be used and no information will be shared.
There’s only Google Analytics but seems it’s bundled in two different libraries. And I think you can opt out of analytics on Android (can’t check right now, I don’t have an Android).
There are not seven trackers in the iNaturalist Android app. The tool you used has a number patterns it searches for in the compiled code of a particular app, and it found matches for seven of those patterns in our code. That doesn’t mean that code actually runs (from their own docs, “Finding a tracker signature into an application does not prove that the tracker is effectively used by the application”), and in the case of third party code, it doesn’t always mean that we as the app developers have any control over what’s in there. I’m pretty sure that’s what’s happening with the Facebook detections here: we use the Facebook SDK to support signing into iNat with Facebook. I would love to remove that, but there are many iNat users who depend on that form of authentication, so taking it away from them will be a drawn-out process, one that I’m not yet convinced that we should do given how much harder that makes it to sign up.
We do still use Google Firebase for crash reporting. I spent some time a year or two ago researching different options we could host ourselves, but there aren’t many, and even the ones that are free and/or open source would still cost us time and money to set up and maintain, so we decided to continue using Google Firebase.
Finally, the best way to detect third party tracking is by analyzing the network traffic coming out of a piece of software. If anyone can provided evidence of suspicious network traffic from the iNaturalist Android app, let me know, preferrably along with some instructions I can follow to verify the claim. I tried to do this using an emulator when we were building the analytics opt-out, but I’ve never figured out a good way to do this on an actual phone (probably for good reason, since that would require some other piece of software intercepting the iNat app’s network traffic, which would be its own kind of privacy concern).
I just realized I didn’t answer the question in the title: iNaturalist shares data with third parties to
Find and solve problems in the software we create (e.g. Google Firebase)
Understand how people use the software we create (e.g. Google Analytics)
Provide services to iNat users that are too difficult (maps), too costly (maps), or impossible (Facebook & Google sign in) to provide ourselves
We do what we can to anonymize the data we share with these services, and as I mentioned we provide an opt-out for the analytics services. We’ve talked about using other mapping services or hosting our own map tiles, and we might provide that as an option some day, but I can almost guarantee we couldn’t provide the same level of service that we can via Google, particularly for satellite imagery.