Mobile SDKs: Use with Caution - Ori Lentzitzky

Upload: droidcontlv

Post on 14-Apr-2017


TRANSCRIPT

MOBILE SDKS: USE WITH CAUTION

Ori Lentzitzky

[email protected] | Ori Lentzitzky | @orilentz | orilentz

safedk.com

AVERAGE OF [figure] SDKS IN APPS


WinIt: 58 SDKs

Wishbone: 60 SDKs

Destiny: 57 SDKs


POPULAR SDKs CATEGORIES


FIREBASE & CRASH REPORTING

CHECK OUT YOUR APP OR SIMILAR APPS


That’s all fine and dandy...

So what’s the problem?

IT IS SOMEONE ELSE’S CODE INSIDE YOURS

YET YOU ARE RESPONSIBLE FOR IT…

WHY IS IT A PROBLEM?


WHY ARE SDKS RISKY ?

SECURITY & PRIVACY


// Inside an SDK: read location and account data whenever the host app already
// holds the permission. The user granted it to the app, not to the SDK.
// checkCallingOrSelfPermission() returns an int result code, not a boolean.
if (context.checkCallingOrSelfPermission("android.permission.ACCESS_FINE_LOCATION")
        == PackageManager.PERMISSION_GRANTED) {
    Location userLocation = locationManager.getLastKnownLocation("gps");
}

if (hasEmailPermission()) {
    Pattern emailPattern = Patterns.EMAIL_ADDRESS;
    Account[] accounts = AccountManager.get(this.mContext).getAccounts();
    …
}

THE DARK SIDE OF SDK PERMISSIONS


SDKs & PERMISSIONS: WHAT THEY DON’T TELL YOU


[Bar chart: percentage of SDKs using each permission category. Categories on the x-axis: Network, Files, Phone State, Location, Wake Lock, PIM, Camera, Microphone, In-App Purchase. Bar values as printed, largest to smallest: 60.94%, 15.31%, 13.30%, 10.87%, 5.01%, 4.01%, 3.58%, 3.29%, 0.72%.]

• 16.59% of SDKs access the list of installed apps.

• 9.3% of SDKs access Accounts.

• 5.86% of SDKs access the Microphone.

BAD NEWS FROM BADNEWS


BAD NEWS FROM BADNEWS: HOW IT WORKED


1. App uploaded to the Play Store. App passed Google's checks: no malware.

2. Users download the app.

3. BadNews sets up a service on the device.

4. The device polls BadNews' C&C server every 4 hours.

5. The server responds with malicious data.

6. And voila! The device is infected with malware.
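The tell in the flow above is step 4: a component that nobody launched contacting the same host on a fixed schedule. As an added example (not part of the talk and not SafeDK's code), the script below runs that check over constructed outbound-connection log lines; the field layout (epoch seconds, package name, destination host) is an assumption, and the tolerance and minimum-hit thresholds are tunable.

```python
"""Flag (package, host) pairs that are contacted on a near-constant interval,
the beacon pattern of a polled C&C server.

Added example, not SafeDK's tooling. The log is constructed: app1 polls
cdn.example.net every 14,400 s (4 hours); everything else is irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch seconds> <package> <destination host>"
LOG = """\
1492128000 com.example.app1 cdn.example.net
1492128005 com.example.app1 api.example.com
1492142400 com.example.app1 cdn.example.net
1492156800 com.example.app1 cdn.example.net
1492171200 com.example.app1 cdn.example.net
1492185600 com.example.app1 cdn.example.net
1492128010 com.example.app2 api.example.com
1492131000 com.example.app2 api.example.com
1492140000 com.example.app2 api.example.com
"""


def parse(log):
    """Group timestamps by (package, host); returns sorted lists of epoch seconds."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, pkg, host = line.split()
        series[(pkg, host)].append(int(ts))
    return {key: sorted(ts) for key, ts in series.items()}


def periodic_beacons(series, min_hits=4, max_jitter=0.05):
    """Return [(package, host, period_seconds)] for every series with at least
    min_hits contacts whose gaps vary by no more than max_jitter (coefficient
    of variation, population std dev / mean)."""
    hits = []
    for (pkg, host), ts in series.items():
        if len(ts) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((pkg, host, period))
    return hits


if __name__ == "__main__":
    for pkg, host, period in periodic_beacons(parse(LOG)):
        print("%s -> %s every %.0f s" % (pkg, host, period))
```

A service that schedules its poll with AlarmManager lands exactly on this pattern; SDKs that add their own retry jitter need a looser max_jitter, and a legitimate sync SDK will trip the check too, so treat a hit as something to attribute to a library, not as a verdict.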

NOT TO WORRY, I CAN PROTECT MYSELF


if (myCoolAwesomeConfiguration.isEnabled(SOME_SDK_KEY)) {
    new SomeSDK().init(SOME_SDK_KEY);
}

OOPS…


<receiver android:name="com.somesdk.sdk.BigMajorReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    </intent-filter>
</receiver>


AARs: SELF-GRANTING PERMISSIONS


<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.gms.analytics">

    <uses-sdk android:minSdkVersion="9"/>

    <!-- Include required permissions for Analytics to run. -->
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>

    <!-- Optional permission for Analytics to run. -->
    <uses-permission android:name="android.permission.WAKE_LOCK"/>

    <application/>
</manifest>

* Google Play Analytics, v9.4.0

JUST SAY NO!


<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.mine.myawesomeapp">

    <!-- Strip the optional WAKE_LOCK permission the Analytics AAR merged in -->
    <uses-permission android:name="android.permission.WAKE_LOCK" tools:node="remove"/>

</manifest>
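Both problems above (the AAR that merges its own permissions into your manifest, and the SDK receiver that runs on BOOT_COMPLETED or USER_PRESENT no matter what your isEnabled() gate decides) are visible in the library manifests before the build merges them. As an added example (not SafeDK's code and not part of the Android build tools), the script below compares each library manifest with the app's own, reports the permissions every AAR adds and any receiver that starts without the app being launched, and prints the tools:node="remove" overrides. The manifests are constructed inline: the analytics one mirrors the Play Analytics 9.4.0 snippet on the slide, and com.somesdk.sdk is hypothetical.

```python
"""Report permissions and auto-start receivers that library (AAR) manifests
add to an Android app, and emit tools:node="remove" overrides for them.

Added example for this transcript, not SafeDK's tool. In practice, read the
AndroidManifest.xml of each extracted AAR and your app's manifest from disk;
the three manifests below are constructed inline.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcasts that start a receiver with no user interaction with the app.
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.ACTION_POWER_CONNECTED",
}

# Constructed sample manifests.
ANALYTICS_AAR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.gms.analytics">
  <uses-sdk android:minSdkVersion="9"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application/>
</manifest>"""

SOME_SDK_AAR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.somesdk.sdk">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name="com.somesdk.sdk.BigMajorReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mine.myawesomeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def _name(elem):
    """The android:name attribute of a manifest element."""
    return elem.get("{%s}name" % ANDROID_NS, "")


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_name(e) for e in root.iter("uses-permission")}


def autostart_receivers(manifest_xml):
    """[(receiver class, [auto-start actions])] for receivers that fire on
    boot, unlock or power events, i.e. without the app being opened."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        actions = {_name(a) for a in recv.iter("action")} & AUTOSTART_ACTIONS
        if actions:
            found.append((_name(recv), sorted(actions)))
    return found


def analyse(app_manifest, lib_manifests):
    """{library package: (permissions the app did not declare itself,
                          auto-start receivers the library registers)}"""
    app_perms = permissions(app_manifest)
    report = {}
    for lib in lib_manifests:
        pkg = ET.fromstring(lib).get("package")
        report[pkg] = (sorted(permissions(lib) - app_perms), autostart_receivers(lib))
    return report


def overrides(report):
    """Manifest lines that remove every library-added permission and
    auto-start receiver. Permissions go at the manifest root, receivers
    inside <application>; the root needs xmlns:tools declared."""
    lines = []
    for pkg, (perms, receivers) in sorted(report.items()):
        for perm in perms:
            lines.append('<uses-permission android:name="%s" tools:node="remove"/>' % perm)
        for receiver, _ in receivers:
            lines.append('<receiver android:name="%s" tools:node="remove"/>' % receiver)
    return lines


if __name__ == "__main__":
    result = analyse(APP_MANIFEST, [ANALYTICS_AAR_MANIFEST, SOME_SDK_AAR_MANIFEST])
    for pkg, (perms, receivers) in result.items():
        print(pkg, "adds", perms, "auto-start", receivers)
    print("\n".join(overrides(result)))
```

Two caveats before pasting the output into your manifest: removing a permission the SDK genuinely needs (INTERNET for an analytics SDK) produces a SecurityException at runtime rather than a quiet no-op, so only strip the ones the library documents as optional, and a removed receiver means the SDK never runs until your code initialises it, which is the behaviour the isEnabled() gate was supposed to give you. After the build, confirm with `aapt dump permissions app.apk` that the merged APK really lost the permission.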


ANDROID DEX AND THE METHOD COUNT


App        SDKs    Methods
WinIt      58      164,796
Wishbone   60      134,313
Destiny    57      159,717


THE GOOGLE PLAY SERVICES EXAMPLE

• Google offers its own SDK for Android with plenty of wonderful features and capabilities...

• Adds many methods: ~ 44K methods
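The 44K figure is a method-reference count, the number that runs into the 65,536-per-dex limit and forces multidex. As an added example (not SafeDK's tooling), the script below reads the method_ids_size field from the header of every classes*.dex in an APK and totals them, so the count can be tracked per build and per dex; the APK and dex headers it runs on are constructed in memory, and real numbers come from passing the bytes of a built APK to apk_method_counts.

```python
"""Count method references per classes*.dex in an APK from the dex header.

Added example, not SafeDK's code. Only the 0x70-byte dex header is parsed:
endian_tag at offset 0x28 and method_ids_size at 0x58. The fake_dex/fake_apk
helpers build constructed inputs so the script runs offline.
"""
import io
import struct
import zipfile

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678      # little-endian dex (the normal case)
DEX_LIMIT = 65536                 # method refs are 16-bit indices in dex bytecode


def dex_method_count(dex_bytes):
    """method_ids_size from the dex header, honouring the file's endian tag."""
    if len(dex_bytes) < DEX_HEADER_SIZE or not dex_bytes.startswith(b"dex\n"):
        raise ValueError("not a dex file")
    endian_tag = struct.unpack_from("<I", dex_bytes, 0x28)[0]
    fmt = "<I" if endian_tag == ENDIAN_CONSTANT else ">I"
    return struct.unpack_from(fmt, dex_bytes, 0x58)[0]


def apk_method_counts(apk_bytes):
    """{dex file name: method reference count} for classes.dex, classes2.dex, ..."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in sorted(apk.namelist()):
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                counts[name] = dex_method_count(apk.read(name))
    return counts


def summarize(counts, warn_ratio=0.9):
    """Totals plus the dex files already past warn_ratio of the 65,536 limit,
    i.e. the ones the next SDK will push over into another dex."""
    return {
        "dex_files": len(counts),
        "total_methods": sum(counts.values()),
        "multidex": len(counts) > 1,
        "near_limit": [n for n, c in counts.items() if c > warn_ratio * DEX_LIMIT],
    }


def fake_dex(method_ids_size):
    """Constructed minimal dex header carrying only the fields read above."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 0x28, ENDIAN_CONSTANT)
    struct.pack_into("<I", hdr, 0x58, method_ids_size)
    return bytes(hdr)


def fake_apk(method_counts):
    """Constructed APK (a zip) with one fake dex per entry in method_counts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for i, n in enumerate(method_counts):
            apk.writestr("classes.dex" if i == 0 else "classes%d.dex" % (i + 1), fake_dex(n))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed split that totals the 164,796 methods quoted for WinIt.
    counts = apk_method_counts(fake_apk([65000, 60000, 39796]))
    print(counts)
    print(summarize(counts))
```

Reading the header only gives the count per dex, not which package owns the references; attributing the 44K to Google Play Services or to any other SDK means walking the method_ids, type_ids and string_ids tables (what `dexdump` prints), which is the next step once this check shows a dex creeping toward the limit.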

THE CONSEQUENCES OF MULTIDEXING

Slower Compilation Slower Start Time


LOLLIPOP TO THE RESCUE

Slower compilation Slower Start Time


WHY ARE SDKS RISKY ?

SECURITY & PRIVACY QUALITY OF SERVICE


WHO’S SLOWING YOU DOWN?


Start Time ≈ 1/3 App + 2/3 SDKs


Start Time: 2ND TIME’S THE CHARM?


LET'S LOOK INSIDE THE APK…

What's this?

Additional code. When is it loaded?


WHO’S CRASHING YOUR PARTY?

MAIN CRASH REASONS

Out of Memory

Null Pointer Exceptions…

Concurrency & Threads

Views & Layouts

Permissions Mishap


KEEPING UP WITH THE ANDROIDS


SO ARE SDKs THE ENEMY?


When throwing a great party, be careful of any guests that might spike the punch

THANK YOU!

WWW.SAFEDK.COM

[email protected] | Ori Lentzitzky | @orilentz | orilentz