If you’re a mobile app developer, you might choose to integrate SDKs to add any number of features to your products, from ads to analytics to social and more. But SDKs aren’t really your code, and using them usually means giving up some degree of control over your app, as Orly Shoavi of SafeDK pointed out during a Casual Connect Tel Aviv lecture. SDKs can introduce new security vulnerabilities, or they can collect data on your users, and you could be liable if something goes wrong. “With so many SDKs out there, you really need to know how to protect your users,” Orly said. For a walkthrough of how SafeDK aims to give developers more information about, and control over, the SDKs they use, see her full session below.
SDKs Behaving Badly
Orly Shoavi was working at a global location-based services company when she experienced firsthand the frustrations of problematic SDKs in apps. In those days, she’d search for an SDK on Google and find only its official website. What she couldn’t find anywhere were unbiased reviews, tips or stories from others who’d used the SDK.
Once the SDKs were integrated, problems cropped up in the app and there was no way to immediately tell which third-party code was causing them. “We were very exposed, vulnerable and without control,” Orly says.
Orly is far from alone in facing bugs, vulnerabilities and other undesired behavior as a result of SDKs. Several incidents were reported in recent weeks alone, ranging from plain vulnerabilities to outright malicious behavior. Both Android and iOS developers suffered immensely, and the number of apps at risk skyrocketed to nearly 20,000.
Baidu’s MoPlus SDK had a bug that allowed attackers to take over users’ devices and read any personal information they wished; Taomike read users’ SMS text messages; mobiSage covertly recorded users through the microphone; and Youmi incrementally tested how much malicious code it could get past Apple’s App Review, ending up with extended capability to steal personal information.
As Orly points out, games for younger audiences in particular carry their own risks when dealing with SDKs. “You need to make sure your apps and SDKs comply with the COPPA regulations so you won’t get banned from the stores, as happened with BabyBus and 250 more iOS apps.”
Taking Back Control
Troubled by the risks of working with such potentially useful SDKs, Orly and Ronnie Sternberg co-founded SafeDK in 2014 to build a holistic solution that removes the risk of working with third-party tools, from choosing the right ones to in-app protection.
“I saw a real pain in the industry – the lack of transparency and trust in the SDK economy, and couldn’t believe there was no one solid solution for it,” Orly says. “Since I love challenges, especially technological ones, I couldn’t resist starting SafeDK.”
Among SafeDK’s features is real-time control of SDKs, letting devs switch off an entire SDK at the first sign of unwanted behavior, without shipping a new app version. “It’ll be as if the SDK is no longer part of the app,” Orly says.
Developers using SafeDK can also restrict an SDK’s access to specific permissions in real time. So with mobiSage, for example, devs could block its access to the microphone without blocking the entire SDK.
“By integrating with SafeDK, you have a failsafe switch, a raincoat for a rainy day,” Orly says. “So when a vulnerability is discovered, when you’re unhappy with an SDK, or when news of malicious activity makes it to your desk, you can simply turn it off and stay safe.”
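The kill-switch and per-permission gating described above, sketched as an added example in plain Java (hypothetical code, not SafeDK’s implementation; the config format, SDK names and permission strings are constructed for the illustration):

```java
import java.util.*;
import java.util.function.Supplier;

/** Hypothetical runtime gate for third-party SDKs (added example, not SafeDK's code). */
public final class SdkGate {
    /** Policy fetched at runtime: SDKs switched off, and permissions each SDK may not use. */
    static final class Policy {
        final Set<String> disabled = new HashSet<>();
        final Map<String, Set<String>> blocked = new HashMap<>();
    }

    /** Parses a constructed line format: "<sdk>=off" switches an SDK off and
     *  "<sdk>.block=PERM1,PERM2" denies it specific permissions; unlisted SDKs stay fully enabled. */
    static Policy parse(String config) {
        Policy p = new Policy();
        for (String raw : config.split("\n")) {
            String line = raw.trim();
            int eq = line.indexOf('=');
            if (line.isEmpty() || line.startsWith("#") || eq < 0) continue;
            String key = line.substring(0, eq).trim(), value = line.substring(eq + 1).trim();
            if (key.endsWith(".block")) {
                Set<String> perms = p.blocked.computeIfAbsent(
                        key.substring(0, key.length() - ".block".length()), k -> new HashSet<>());
                for (String perm : value.split(",")) perms.add(perm.trim());
            } else if (value.equalsIgnoreCase("off")) {
                p.disabled.add(key);
            }
        }
        return p;
    }

    // volatile: a policy refreshed from the server on a background thread is seen by all callers.
    private volatile Policy policy = new Policy();
    void update(String config) { policy = parse(config); }

    /** A disabled SDK may use nothing; an enabled one may use anything not on its block list. */
    boolean mayUse(String sdk, String permission) {
        Policy p = policy; // one snapshot for both checks
        return !p.disabled.contains(sdk)
                && !p.blocked.getOrDefault(sdk, Collections.emptySet()).contains(permission);
    }

    /** Runs an SDK call only when policy allows it; otherwise returns the fallback, as if the SDK were absent. */
    <T> T guarded(String sdk, String permission, Supplier<T> call, T fallback) {
        return mayUse(sdk, permission) ? call.get() : fallback;
    }

    public static void main(String[] args) {
        SdkGate gate = new SdkGate();
        // Constructed policy: keep "adsdk" running but deny it the microphone; switch "analyticsx" off entirely.
        gate.update("adsdk.block=RECORD_AUDIO\nanalyticsx=off");
        System.out.println(gate.mayUse("adsdk", "INTERNET") + " " + gate.mayUse("adsdk", "RECORD_AUDIO"));
        System.out.println(gate.mayUse("analyticsx", "INTERNET") + " " + gate.guarded("adsdk", "RECORD_AUDIO", () -> "rec", "skip"));
    }
}
```

In a real app the policy string would be fetched from a server the developer controls, so a compromised or misbehaving SDK can be cut off without waiting for an app-store review.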
SafeDK’s marketplace currently includes around 550 SDKs, including Facebook, AdMob, MoPub, StartApp and others, and Orly says she’s excited to expand it.
Steve Kent is a staff writer for Gamesauce and content manager for Casual Connect. Steve loves superheroes and spending time with his kiddo.