Trusting SDKs
Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your users’ pockets.
31% of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of 623 libraries on CocoaPods.
[…]
The previous example injected malicious code into the iOS app using a hijacked SDK. Another attack vector is the developer’s Mac. Once an attacker can run code on your machine, and maybe even has remote SSH access, the damage could be significant[…]
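The tampering described in the quoted passage only works when the SDK is fetched over a transport an on-path attacker can rewrite, and it goes undetected when nothing checks what arrived. The following Ruby script is an added example, not code from Krause's article or from CocoaPods: it audits a set of constructed podspec JSON documents (the pod names and URLs are made up) for cleartext or unpinned `source` entries, and verifies a fetched archive against a SHA-256 digest that the integrator pinned out of band, since podspecs themselves carry no checksum.

```ruby
require 'json'
require 'digest'
require 'uri'

# Constructed sample podspec JSON documents for illustration; these are not real pods.
SAMPLE_PODSPECS = {
  'SecureKit' => { 'name' => 'SecureKit', 'version' => '1.2.0',
                   'source' => { 'http' => 'https://cdn.example.com/SecureKit-1.2.0.zip' } },
  'LegacyAds' => { 'name' => 'LegacyAds', 'version' => '4.0.1',
                   'source' => { 'http' => 'http://downloads.example.net/LegacyAds.zip' } },
  'GitLib'    => { 'name' => 'GitLib', 'version' => '0.9',
                   'source' => { 'git' => 'git://github.example/org/GitLib.git', 'tag' => '0.9' } },
  'SshLib'    => { 'name' => 'SshLib', 'version' => '2.0',
                   'source' => { 'git' => 'https://github.example/org/SshLib.git', 'tag' => '2.0' } },
  'FloatLib'  => { 'name' => 'FloatLib', 'version' => '3.1',
                   'source' => { 'git' => 'https://github.example/org/FloatLib.git' } },
}.transform_values(&:to_json)

# Schemes that carry no transport authentication: an attacker on the path can
# replace the bytes in flight.
INSECURE_SCHEMES = %w[http git svn ftp].freeze

# Returns the podspec's source hash (empty when the spec declares none).
def source_of(podspec_json)
  JSON.parse(podspec_json)['source'] || {}
end

# The URL the dependency manager will download from, whichever VCS key is used.
def source_url(source)
  source['http'] || source['git'] || source['svn'] || source['hg']
end

# True when the download happens over a scheme that can be tampered with in transit.
def insecure_transport?(url)
  return true if url.nil? || url.empty?
  INSECURE_SCHEMES.include?(URI(url).scheme.to_s.downcase)
end

# A VCS source that names no tag or commit resolves to "whatever is at the tip",
# so even an authenticated transport gives no stable artifact to verify.
def unpinned_vcs?(source)
  vcs = source['git'] || source['svn'] || source['hg']
  return false if vcs.nil?
  %w[tag commit revision].none? { |k| source[k] }
end

# Classifies every podspec as :insecure, :unpinned or :ok.
def audit_podspecs(podspecs)
  podspecs.each_with_object({}) do |(name, json), report|
    src = source_of(json)
    url = source_url(src)
    report[name] = if insecure_transport?(url) then :insecure
                   elsif unpinned_vcs?(src)    then :unpinned
                   else :ok
                   end
  end
end

# Compares a fetched archive's SHA-256 against a digest pinned by the integrator.
# The digest is public, so an ordinary string comparison is adequate here.
def verify_archive(bytes, expected_sha256)
  Digest::SHA256.hexdigest(bytes) == expected_sha256.downcase
end

if __FILE__ == $PROGRAM_NAME
  audit_podspecs(SAMPLE_PODSPECS).each { |name, status| puts "#{name}: #{status}" }
  archive = 'constructed archive bytes'          # stands in for a downloaded zip
  pinned  = Digest::SHA256.hexdigest(archive)    # what the integrator recorded earlier
  puts "archive verified: #{verify_archive(archive, pinned)}"
end
```

Run it against the real `.podspec.json` files in a checked-out Specs repo to get the same classification for your own dependencies; a pod reported as `:insecure` is exactly the case the quoted text describes, and `:unpinned` means there is no fixed artifact whose digest you could record and re-check on the next install.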
See also: How to Protect Your App From Hijacking.
Update (2019-08-21): Felix Krause:
And now it happened, one of the most popular Ruby gems ‘rest-client’ got hijacked due to lack of 2FA.
Affected servers now
- Leak all ENV variables and API keys
- Allow the attacker to run any code on your server
- Steal all entered user credentials