Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Trusting SDKs

Felix Krause
September 05, 2018
Programming
1
830

Trusting SDKs

Using third party SDKs significantly speeds up your development process. Felix talks about the risks of depending on external code, and how an attacker can easily inject malicious code in software you bundle within your app.

Felix Krause

September 05, 2018
Tweet

More Decks by Felix Krause

See All by Felix Krause
2017-10 Pragma: Getting started contributing to open source projects
krausefx
1
90
How to get get started contributing to open source
krausefx
3
660
Scaling Open Source Communities trySwift Tokyo
krausefx
2
1.1k
Scaling Open Source Communitites
krausefx
0
67
MCEConf Warsaw
krausefx
2
420
NSMeetup San Francisco
krausefx
1
150
fastlane - Felix Krause - Swift Language User Group
krausefx
1
24k
fastlane - Continuous Delivery for iOS Apps
krausefx
1
380
fastlane - Continuous Delivery for iOS Apps
krausefx
0
120

Other Decks in Programming

See All in Programming
macOS でできる リアルタイム動画像処理
biacco42
6
1.7k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
500
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
讓數據說話:用 Python、Prometheus 和 Grafana 講故事
eddie
0
350
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.2k
Modern Angular: Renovation for Your Applications
manfredsteyer
PRO
0
200
Outline View in SwiftUI
1024jp
1
110
hotwire_or_react
harunatsujita
8
4k
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k

Featured

See All Featured
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
Embracing the Ebb and Flow
colly
84
4.4k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Six Lessons from altMBA
skipperchong
26
3.5k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
Side Projects
sachag
452
42k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k

Transcript

  1. Trusting SDKs @KrauseFx Felix Krause <[email protected]>

  3. 31% of the top SDKs affected

  4. Worst case?

  5. Web Security 101

  6. HTTP HTTPS

  7. None

  8. Obligatory OSI layer diagram

  9. None
  10. None

  11. CocoaPods

  12. None

  13. https://s3.aws.com/localytics-sdks/sdk.zip https://s3.aws.com/localytics-binaries/sdk.zip

  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None

  25. 32% 68% Not vulnerable to simple network attacks Vulnerable

  26. 1 resolved within 3 days 5 resolved within 1 month

    5 unresolved to this day 2 resolved within 6 months SDK providers’ reaction time

  27. Open Source vs Closed Source

  28. github.com/trusting-sdks/https

  29. @KrauseFx