Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Trusting SDKs

Felix Krause
September 05, 2018
Programming
1
770

Trusting SDKs

Using third party SDKs significantly speeds up your development process. Felix talks about the risks of depending on external code, and how an attacker can easily inject malicious code in software you bundle within your app.

Felix Krause

September 05, 2018
Tweet

More Decks by Felix Krause

See All by Felix Krause
2017-10 Pragma: Getting started contributing to open source projects
krausefx
1
84
How to get get started contributing to open source
krausefx
3
650
Scaling Open Source Communities trySwift Tokyo
krausefx
2
1k
Scaling Open Source Communitites
krausefx
0
61
MCEConf Warsaw
krausefx
2
410
NSMeetup San Francisco
krausefx
1
140
fastlane - Felix Krause - Swift Language User Group
krausefx
1
24k
fastlane - Continuous Delivery for iOS Apps
krausefx
1
360
fastlane - Continuous Delivery for iOS Apps
krausefx
0
120

Other Decks in Programming

See All in Programming
OpenAPI を守るのは難しい
ohmori_yusuke
2
770
Site Reliability Engineering for GMO
pyama86
6
780
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
チームでモデリングを育てるうえで 考えたこと・気づいたこと / Cultivating Modeling in Teams: Thoughts and Insights
mackey0225
7
4.1k
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
Git Lint
bkuhlmann
4
740
Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM
77web
4
110
try! Swift Tokyo 初参加報告LT
hinakko2
0
190
エンターテイメント業界で利用されるAWS
demuyan
0
200
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
360
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
390
"config" ってなんだ? / What is "config"?
okashoi
0
210

Featured

See All Featured
The Invisible Customer
myddelton
114
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Why Our Code Smells
bkeepers
PRO
331
56k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
Fashionably flexible responsive web design (full day workshop)
malarkey
397
65k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Ruby is Unlike a Banana
tanoku
95
10k
Pencils Down: Stop Designing & Start Developing
hursman
116
11k
4 Signs Your Business is Dying
shpigford
175
21k
The Language of Interfaces
destraynor
151
23k

Transcript

  1. Trusting SDKs @KrauseFx Felix Krause <[email protected]>

  3. 31% of the top SDKs affected

  4. Worst case?

  5. Web Security 101

  6. HTTP HTTPS

  7. None

  8. Obligatory OSI layer diagram

  9. None
  10. None

  11. CocoaPods

  12. None

  13. https://s3.aws.com/localytics-sdks/sdk.zip https://s3.aws.com/localytics-binaries/sdk.zip

  14. None
  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None

  25. 32% 68% Not vulnerable to simple network attacks Vulnerable

  26. 1 resolved within 3 days 5 resolved within 1 month

    5 unresolved to this day 2 resolved within 6 months SDK providers’ reaction time

  27. Open Source vs Closed Source

  28. github.com/trusting-sdks/https

  29. @KrauseFx