
Trusting SDKs

Felix Krause
September 05, 2018


Using third-party SDKs significantly speeds up your development process. Felix talks about the risks of depending on external code, and how an attacker on the network path can easily inject malicious code into software you bundle within your app.




Transcript

  1. Trusting SDKs @KrauseFx Felix Krause <felix@krausefx.com>

  2. 31% of the top SDKs affected

  3. Worst case?

  4. Web Security 101

  5. HTTP HTTPS

  7. Obligatory OSI layer diagram

  10. CocoaPods

  12. https://s3.aws.com/localytics-sdks/sdk.zip
      https://s3.aws.com/localytics-binaries/sdk.zip

  24. Chart: 32% vulnerable to simple network attacks, 68% not vulnerable

  25. SDK providers’ reaction time: 1 resolved within 3 days; 5 resolved within 1 month; 2 resolved within 6 months; 5 unresolved to this day
  26. Open Source vs Closed Source

  27. github.com/trusting-sdks/https

  28. @KrauseFx
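The core finding of the deck (slides 10, 12 and 24) is that many CocoaPods SDKs declare their binary download with a plain http:// URL, so anyone on the network path can swap the zip before it is bundled into the app. The following checker is an added example, not code from the talk or from the trusting-sdks repository: it scans podspec text for `http` sources and flags any that are fetched without TLS. The two podspecs and the cdn.example.com URLs are constructed sample input, and the `ExampleAnalytics` pod is hypothetical.

```ruby
# Added example (not from the talk): audit CocoaPods podspec text for SDK
# archives downloaded over plain HTTP, which a network attacker can replace.
require 'uri'

# Constructed sample podspecs (hypothetical vendor, not a real SDK).
# The first downloads the archive over plain HTTP, the second over HTTPS.
VULNERABLE_PODSPEC = <<~'SPEC'
  Pod::Spec.new do |s|
    s.name    = 'ExampleAnalytics'
    s.version = '1.2.3'
    s.source  = { :http => 'http://cdn.example.com/sdks/ExampleAnalytics-1.2.3.zip' }
  end
SPEC

HARDENED_PODSPEC = <<~'SPEC'
  Pod::Spec.new do |s|
    s.name    = 'ExampleAnalytics'
    s.version = '1.2.3'
    s.source  = { :http => 'https://cdn.example.com/sdks/ExampleAnalytics-1.2.3.zip' }
  end
SPEC

# Matches both hash syntaxes a podspec may use for a download source:
# `:http => 'url'` and `http: 'url'`. The quoted string is captured as the URL.
HTTP_SOURCE = /(?::http\s*=>|\bhttp:)\s*(['"])(.*?)\1/

# Every download URL declared as an `http` source in the podspec text.
def http_source_urls(podspec_text)
  podspec_text.scan(HTTP_SOURCE).map { |(_quote, url)| url }
end

# Classify each source URL. Anything not fetched over HTTPS is reported as
# plaintext: a network attacker can substitute the archive in transit.
def audit_podspec(podspec_text)
  plaintext = []
  tls = []
  http_source_urls(podspec_text).each do |url|
    scheme = begin
      URI.parse(url).scheme.to_s.downcase
    rescue URI::InvalidURIError
      ''   # unparseable URL: treat as untrusted
    end
    if scheme == 'https'
      tls << url
    else
      plaintext << url
    end
  end
  { plaintext: plaintext, tls: tls, safe: plaintext.empty? }
end

if __FILE__ == $PROGRAM_NAME
  { 'vulnerable' => VULNERABLE_PODSPEC, 'hardened' => HARDENED_PODSPEC }.each do |label, spec|
    result = audit_podspec(spec)
    verdict = result[:safe] ? 'OK' : 'PLAINTEXT DOWNLOAD'
    puts "#{label}: #{verdict} #{result[:plaintext].inspect}"
  end
end
```

Run it against the podspecs in your `Pods/Local Podspecs` directory or against a spec repo checkout to get the same before/after split the deck's chart shows. Note that moving to HTTPS only closes the in-transit injection the talk demonstrates; it does not protect against a compromised vendor host, which is a separate trust decision.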