Monday, February 19, 2018

Trusting SDKs

Felix Krause (tweet):

Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your user’s pockets.

31% of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of 623 libraries on CocoaPods.

[…]

The previous example injected malicious code into the iOS app using a hijacked SDK. Another attack vector is the developer’s Mac. Once an attacker can run code on your machine, and maybe even has remote SSH access, the damage could be significant[…]

See also: How to Protect Your App From Hijacking.
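
A defensive check for the download risk quoted above, as an added example that is not from Felix Krause's article or from this post: it audits CocoaPods podspec JSON for sources fetched over an unauthenticated transport or without pinned content. It relies on the podspec `source` keys `http`, `git`, `sha256`, `sha1` and `commit`; the finding names and the sample specs are constructed for illustration.

```ruby
require 'json'

# URL schemes with no transport authentication (assumption: these are what
# make an in-transit swap possible; the quoted text does not name them).
CLEARTEXT = %w[http git ftp].freeze

def source_scheme(url)
  m = url.match(%r{\A([a-z][a-z0-9+.\-]*)://}i)
  m ? m[1].downcase : nil # nil for scp-style "git@host:path" (SSH)
end

# Returns an array of finding symbols for one podspec given as JSON text.
def audit_podspec(json_text)
  source = JSON.parse(json_text)['source'] || {}
  url = source['http'] || source['git']
  return [:no_remote_source] if url.nil?

  findings = []
  findings << :cleartext_transport if CLEARTEXT.include?(source_scheme(url))
  if source.key?('http')
    # A digest in the podspec lets the client reject a swapped archive.
    findings << :archive_without_checksum unless source['sha256'] || source['sha1']
  elsif !source['commit'].to_s.match?(/\A\h{40}\z/)
    # Tags and branches are mutable names; a full commit id pins the content.
    findings << :git_ref_not_pinned
  end
  findings
end

# Constructed sample podspecs (names, hosts and digest are made up).
SAMPLES = {
  'ClosedSDK' => '{"name":"ClosedSDK","source":{"http":"http://sdk.example.com/ClosedSDK-1.2.0.zip"}}',
  'PinnedSDK' => '{"name":"PinnedSDK","source":{"http":"https://sdk.example.com/PinnedSDK-2.0.0.zip","sha256":"' + ('ab' * 32) + '"}}',
  'GitLib' => '{"name":"GitLib","source":{"git":"git://example.com/GitLib.git","tag":"1.0.0"}}'
}.freeze

SAMPLES.each do |name, json|
  findings = audit_podspec(json)
  puts "#{name}: #{findings.empty? ? 'ok' : findings.join(', ')}"
end
```

A digest only helps if the podspec that carries it is itself fetched over an authenticated channel, which this check does not verify.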
