Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Trusting SDKs

Felix Krause
September 05, 2018
Programming
1
840

Trusting SDKs

Using third party SDKs significantly speeds up your development process. Felix talks about the risks of depending on external code, and how an attacker can easily inject malicious code in software you bundle within your app.

Felix Krause

September 05, 2018
Tweet

More Decks by Felix Krause

See All by Felix Krause
2017-10 Pragma: Getting started contributing to open source projects
krausefx
1
90
How to get get started contributing to open source
krausefx
3
660
Scaling Open Source Communities trySwift Tokyo
krausefx
2
1.1k
Scaling Open Source Communitites
krausefx
0
67
MCEConf Warsaw
krausefx
2
420
NSMeetup San Francisco
krausefx
1
150
fastlane - Felix Krause - Swift Language User Group
krausefx
1
24k
fastlane - Continuous Delivery for iOS Apps
krausefx
1
380
fastlane - Continuous Delivery for iOS Apps
krausefx
0
120

Other Decks in Programming

See All in Programming
Ethereum_.pdf
nekomatu
0
460
Jakarta EE meets AI
ivargrimstad
0
160
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
subpath importsで始めるモック生活
10tera
0
300
初めてDefinitelyTypedにPRを出した話
syumai
0
410
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
920
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
600
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
Remix on Hono on Cloudflare Workers
yusukebe
1
290

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Rails Girls Zürich Keynote
gr2m
94
13k
Docker and Python
trallard
40
3.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Ruby is Unlike a Banana
tanoku
97
11k
Speed Design
sergeychernyshev
25
620
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Scaling GitHub
holman
458
140k

Transcript

  1. Trusting SDKs @KrauseFx Felix Krause <[email protected]>

  3. 31% of the top SDKs affected

  4. Worst case?

  5. Web Security 101

  6. HTTP HTTPS

  7. None

  8. Obligatory OSI layer diagram

  9. None
  10. None

  11. CocoaPods

  12. None

  13. https://s3.aws.com/localytics-sdks/sdk.zip https://s3.aws.com/localytics-binaries/sdk.zip

  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None

  25. 32% 68% Not vulnerable to simple network attacks Vulnerable

  26. 1 resolved within 3 days 5 resolved within 1 month

    5 unresolved to this day 2 resolved within 6 months SDK providers’ reaction time

  27. Open Source vs Closed Source

  28. github.com/trusting-sdks/https

  29. @KrauseFx