{"id":20610,"date":"2018-02-19T13:30:12","date_gmt":"2018-02-19T18:30:12","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20610"},"modified":"2019-08-21T15:47:32","modified_gmt":"2019-08-21T19:47:32","slug":"trusting-sdks","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/02\/19\/trusting-sdks\/","title":{"rendered":"Trusting SDKs"},"content":{"rendered":"<p><a href=\"https:\/\/krausefx.com\/blog\/trusting-sdks\">Felix Krause<\/a> (<a href=\"https:\/\/twitter.com\/KrauseFx\/status\/964169059204870144\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/krausefx.com\/blog\/trusting-sdks\"><p>Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your user&rsquo;s pockets.<\/p>\n<p>31% of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of 623 libraries on CocoaPods.<\/p>\n<p>[&#8230;]<\/p>\n<p>The previous example injected malicious code into the iOS app using a hijacked SDK. Another attack vector is the developer&rsquo;s Mac. Once an attacker can run code on your machine, and maybe even has remote SSH access, the damage could be significant[&#8230;]<\/p><\/blockquote>\n\n<p>See also: <a href=\"http:\/\/applehelpwriter.com\/2018\/02\/17\/how-to-protect-your-app-from-hijacking\/\">How to Protect Your App From Hijacking<\/a>.<\/p>\n\n<p id=\"trusting-sdks-update-2019-08-21\">Update (2019-08-21): <a href=\"https:\/\/twitter.com\/KrauseFx\/status\/1163915500231024640\">Felix Krause<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/KrauseFx\/status\/1163915500231024640\"><p>And now it happened, one of the most popular Ruby gems &lsquo;rest-client&rsquo; got hijacked due to lack of 2FA.<\/p>\n<p>Affected servers now<\/p>\n<p>- Leak all ENV variables and API keys<br \/>\n- Allow the attacker to run any code on your server<br \/>\n- Steal all entered user credentials<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Felix Krause (tweet): Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your user&rsquo;s pockets. 31% of the most popular closed-source iOS SDKs are vulnerable [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-08-21T19:47:36Z","apple_news_api_id":"9f6a2605-43f4-4ba5-9a02-b54032cea389","apple_news_api_modified_at":"2019-08-21T19:47:38Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/An2omBUP0S6WaArVAMs6jiQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[1632,1307,31,1472,991,71,48],"class_list":["post-20610","post","type-post","status-publish","format-standard","hentry","tag-buddybuild","tag-cocoapods","tag-ios","tag-ios-11","tag-open-source-software","tag-programming","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20610"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20610\/revisions"}],"predecessor-version":[{"id":26347,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20610\/revisions\/26347"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}