Slide 1

Trusting SDKs
Felix Krause (@KrauseFx)

Slide 3

31% of the top SDKs affected

Slide 4

Worst case?

Slide 5

Web Security 101

Slide 6

HTTP vs HTTPS

Slide 8

Obligatory OSI layer diagram

Slide 11

CocoaPods

Slide 13

https://s3.aws.com/localytics-sdks/sdk.zip
https://s3.aws.com/localytics-binaries/sdk.zip
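The URLs above are the kind of archive location a CocoaPods podspec points to when an SDK ships as a binary. As an added example (not code from the talk or from the trusting-sdks repository), here is a small audit script that reads podspecs in their JSON form (the `*.podspec.json` layout of the CocoaPods Specs repo) and flags the weakness the talk is about, an archive fetched over plaintext HTTP, plus the checksum pinning a practitioner would want even when the transport is HTTPS. The pod names, URLs and sample specs are constructed for illustration and are not the SDKs surveyed in the talk.

```python
"""Audit CocoaPods podspecs for SDK archives fetched over plaintext HTTP.

Added example for this talk summary; not code from the talk or from the
trusting-sdks repository. Operates on podspecs in JSON form. The sample
specs below are constructed: hypothetical pod names and hosts.
"""
import json
from urllib.parse import urlparse

# Constructed sample podspecs (hypothetical pods, hosts and hashes).
SAMPLE_SPECS = [
    json.dumps({
        "name": "ExampleAnalytics",
        "version": "3.1.0",
        "source": {"http": "http://cdn.example.com/sdk/ExampleAnalytics-3.1.0.zip"},
    }),
    json.dumps({
        "name": "ExampleAds",
        "version": "2.0.0",
        "source": {"http": "https://cdn.example.com/sdk/ExampleAds-2.0.0.zip"},
    }),
    json.dumps({
        "name": "ExamplePinned",
        "version": "1.4.2",
        "source": {
            "http": "https://cdn.example.com/sdk/ExamplePinned-1.4.2.zip",
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        },
    }),
    json.dumps({
        "name": "ExampleOpenSource",
        "version": "5.0.0",
        "source": {"git": "https://github.com/example/ExampleOpenSource.git", "tag": "5.0.0"},
    }),
]


def audit_podspec(spec_json):
    """Return a list of findings for one podspec; an empty list means nothing was flagged."""
    spec = json.loads(spec_json)
    source = spec.get("source", {})
    findings = []

    if "http" in source:
        url = source["http"]
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            # Plaintext download: anyone on the network path (shared Wi-Fi, a
            # compromised router, an ISP) can swap the archive for their own.
            findings.append(f"plaintext {scheme or 'unknown'} download: {url}")
        if not (source.get("sha256") or source.get("sha1")):
            # CocoaPods accepts :sha256 / :sha1 next to :http. Without one,
            # nothing ties the build to a specific archive even over TLS.
            findings.append("no checksum pinned for binary archive")
    elif "git" in source:
        url = source["git"]
        if urlparse(url).scheme.lower() not in ("https", "ssh", "git+ssh"):
            findings.append(f"git clone over insecure transport: {url}")
        if "tag" in source and "commit" not in source:
            # A tag can be moved to different content; a commit hash cannot.
            findings.append("git source pinned to a mutable tag, not a commit")
    return findings


def audit_all(specs):
    """Map each pod name to its findings."""
    return {json.loads(s)["name"]: audit_podspec(s) for s in specs}


def share_with_plaintext_download(specs):
    """Fraction of pods whose archive is fetched over plaintext HTTP."""
    flagged = sum(
        1 for f in audit_all(specs).values() if any(x.startswith("plaintext") for x in f)
    )
    return flagged / len(specs)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SPECS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
    print(f"plaintext downloads: {share_with_plaintext_download(SAMPLE_SPECS):.0%}")
```

Pointing the script at a checkout of the CocoaPods Specs repo gives the same kind of number the talk reports for the SDKs it surveyed; the checksum finding is stricter than the talk's HTTP/HTTPS split and will also flag HTTPS-only pods.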

Slide 25

Vulnerable to simple network attacks: 32%
Not vulnerable: 68%

Slide 26

SDK providers' reaction time:
1 resolved within 3 days
5 resolved within 1 month
2 resolved within 6 months
5 unresolved to this day

Slide 27

Open Source vs Closed Source

Slide 28

github.com/trusting-sdks/https

Slide 29

@KrauseFx