Slide 1: Trusting SDKs (@KrauseFx, Felix Krause)
Slide 2: ☺
Slide 3: 31% of the top SDKs affected
Slide 4: Worst case?
Slide 5: Web Security 101
Slide 6: HTTP / HTTPS
Slide 7: (image only, no text)
Slide 8: Obligatory OSI layer diagram
Slides 9-10: (image only, no text)
Slide 11: CocoaPods
Slide 12: (image only, no text)
Slide 13: https://s3.aws.com/localytics-sdks/sdk.zip / https://s3.aws.com/localytics-binaries/sdk.zip
Slides 14-24: (image only, no text)
Slide 25: Chart, 32% / 68%, labels "Not vulnerable to simple network attacks" / "Vulnerable"
Slide 26: Chart, SDK providers' reaction time: 1 resolved within 3 days, 5 resolved within 1 month, 2 resolved within 6 months, 5 unresolved to this day
Slide 27: Open Source vs Closed Source
Slide 28: github.com/trusting-sdks/https
Slide 29: @KrauseFx