Monday, February 19, 2018

Trusting SDKs

Felix Krause (tweet):

Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your user’s pockets.

31% of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of 623 libraries on CocoaPods.

[…]

The previous example injected malicious code into the iOS app using a hijacked SDK. Another attack vector is the developer’s Mac. Once an attacker can run code on your machine, and maybe even has remote SSH access, the damage could be significant[…]

See also: How to Protect Your App From Hijacking.
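An added example, not code from Krause's article or from this post, of the defender-side check the quoted passage implies: record the SHA-256 of each vetted SDK archive (obtained out of band, not from the same unauthenticated download), then flag any dependency that is fetched over plain HTTP or whose downloaded bytes no longer match the pin. The dependency names, URLs and archive bytes below are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class SdkDependency:
    name: str
    url: str
    expected_sha256: str  # pin recorded when the SDK was first vetted, out of band


def check_transport(dep: SdkDependency) -> list[str]:
    """Report SDKs fetched without TLS; an on-path attacker can rewrite those."""
    scheme = urlparse(dep.url).scheme.lower()
    if scheme != "https":
        return [f"{dep.name}: fetched over {scheme or 'unknown'}, archive can be replaced in transit"]
    return []


def verify_archive(dep: SdkDependency, archive_bytes: bytes) -> bool:
    """True only if the downloaded bytes match the pinned digest (constant-time compare)."""
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, dep.expected_sha256.lower())


def audit(deps: list[SdkDependency], fetched: dict[str, bytes]) -> dict[str, list[str]]:
    """fetched maps dependency name -> bytes actually downloaded; returns problems per SDK."""
    report = {}
    for dep in deps:
        problems = check_transport(dep)
        if not verify_archive(dep, fetched[dep.name]):
            problems.append(f"{dep.name}: archive digest does not match the pinned SHA-256")
        report[dep.name] = problems
    return report


# Constructed sample data: one clean archive and one altered on the way down.
CLEAN = b"binary framework contents v1.0"
TAMPERED = CLEAN + b"\n# injected during download"
PINNED = hashlib.sha256(CLEAN).hexdigest()

SAMPLE_DEPS = [
    SdkDependency("GoodSDK", "https://vendor.example/GoodSDK.zip", PINNED),
    SdkDependency("PlainHttpSDK", "http://vendor.example/PlainHttpSDK.zip", PINNED),
]
SAMPLE_FETCHED = {"GoodSDK": CLEAN, "PlainHttpSDK": TAMPERED}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_DEPS, SAMPLE_FETCHED).items():
        print(name, "OK" if not problems else problems)
```

A digest file served from the same plain-HTTP host adds nothing, since the attacker who rewrites the archive can rewrite the digest too; the pin has to come from a channel the download path cannot alter.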

Update (2019-08-21): Felix Krause:

And now it happened, one of the most popular Ruby gems ‘rest-client’ got hijacked due to lack of 2FA.

Affected servers now

- Leak all ENV variables and API keys
- Allow the attacker to run any code on your server
- Steal all entered user credentials
