Mobile SDKs, the third-party tools used in mobile apps, seem to be all over the news lately. And not in a good way. First, 250 apps were banned from the App Store due to an SDK they used that stole private user data. Then, 18,000 Android apps were found to be integrated with an SDK that stole users’ text messages (SMS).
This makes one thing crystal clear: use 3rd party SDKs with great caution and safety measures.
At SafeDK we constantly hear mobile app developers express their concerns about using SDKs on one hand, but we see that SDK usage continues to rise on the other. The same developers who share their unfortunate experiences and cautionary tales then turn around and use a few more without any safety measures.
Don’t get us wrong, SDKs are a necessity, a fact of modern life. Love them or hate them, mobile app developers just can’t live without them. And the swiftness with which they make apps much more versatile is probably the reason for that.
But still, as an app developer you must constantly be on alert. The wrong SDK might be the end of your app and all your hard work and effort. Don’t think it can happen to you? Well, neither did the 250 iOS apps and the 18,000 Android apps that found themselves breached this past week!
The Open Door Policy?
To make a long story short, two Chinese SDKs – very popular in the Chinese market, might I add – caused an uproar when they were found to be stealing personal information from users.
Let’s look at the 250 iOS apps that were banned from the App Store last week. Their one and only crime? They were using the Youmi SDK. This advertising SDK had been slowly adding malicious code to the apps it was integrated with, to test how it could bypass Apple’s App Store review process. Each time they succeeded, they got greedier. And they stole users’ personal information. Until last week, when they were caught.
And if 250 is too small a number for you, a few days later 18,000 Android apps were found to be severely breached as well. How? This time it was an SDK called Taomike. Apps used it to enhance their In-App Purchase capabilities via SMS, and the SDK used these apps to steal private SMS messages, including sender information, from the users. These 18,000 were just a part of over 60,000 apps that were using this SDK. Only those that updated to the latest version of Taomike were harmed (which once again brings up the question – to update or not to update?).
The Taomike SDK, like many other popular ones, seems reliable. Until someone pulls the veil off its innocent-looking face and unmasks it as the malicious SDK it truly is. And then the app developers using these SDKs take a major blow.
Roses are Red, Violations are Banned
Just a few short weeks ago, Ronnie Sternberg, SafeDK’s Co-Founder and VP Business, warned you of the dangers of using SDKs when it comes to following the Android Play Store regulations. The bottom line is – you might be following the rules, but your SDKs might not be, and that puts you in danger of being banned.
Orly Shoavi, SafeDK’s CEO, wrote about some real-life cases from the past – from the malicious BadNews SDK that installed malware on users’ devices to the cautionary tale of BabyBus – a company that developed countless children’s apps, all of which were suspended when one of their analytics SDKs was found to be accessing location information of underage users, in violation of COPPA regulations.
She also mentioned how we’ve seen SDKs that collect information about users without declaring it in their documentation. Because an SDK runs inside the app and shares its permissions, the SDK only had to check which permissions the user had granted the app and then piggybacked its way to that information, without the app developers’ consent.
“So What Are We? Helpless? Puppets?”
Absolutely not! As amazing as the phenomenon of using so many SDKs might be, it’s a fact of mobile programming life. We’ve already established that. But app developers should take the necessary precautions to protect themselves and their users. It’s not enough to be aware of the dangers, you must constantly be vigilant.
Two SDKs found in the same week should make any app developer alarmed. And worse – wonder how many more are out there.
Until recently, once your app had been deployed there was very little you could do to protect your users and yourself. But this is no longer the case. At SafeDK we developed an In-App Protection solution that works in real time. We analyze SDKs’ code and provide alerts and warnings about suspicious behavior in real time. In case of a crucial bug or privacy breach in an SDK, we also let the developer turn off the malicious or problematic SDK immediately, without the need for a version update. In case the SDK is stealing specific user information, SafeDK allows the developer to revoke a permission specifically for the problematic SDK. The control over SDKs and their permissions is done remotely, with a super-easy click of a button.
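As an added illustration of the idea above (this is example code, not SafeDK’s product or any real SDK), here is a host-app-side gate that applies a remotely fetched per-SDK policy before an SDK is initialized or handed sensitive data. The policy format, the SDK names and the fetch mechanism are assumptions constructed for this example.

```java
import java.util.*;

// Per-SDK policy the app fetches at startup (format is an assumption for this example).
final class SdkPolicy {
    final Set<String> disabledSdks = new HashSet<>();
    final Map<String, Set<String>> revokedPermissions = new HashMap<>();

    // Parses lines of the form "disable <sdk>" or "revoke <sdk> <permission>".
    static SdkPolicy parse(String text) {
        SdkPolicy p = new SdkPolicy();
        for (String line : text.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 2 && f[0].equals("disable")) {
                p.disabledSdks.add(f[1]);
            } else if (f.length == 3 && f[0].equals("revoke")) {
                p.revokedPermissions.computeIfAbsent(f[1], k -> new HashSet<>()).add(f[2]);
            }
            // Malformed lines are ignored; nothing in the policy can enable an SDK.
        }
        return p;
    }

    boolean shouldInitialize(String sdk) {
        return !disabledSdks.contains(sdk);
    }

    // A disabled SDK may use nothing; otherwise only permissions not revoked for it.
    boolean mayUse(String sdk, String permission) {
        return shouldInitialize(sdk)
            && !revokedPermissions.getOrDefault(sdk, Collections.emptySet()).contains(permission);
    }
}

public final class SdkGateDemo {
    // Constructed policy, as an operator might push after a report about an SMS SDK.
    static final String POLICY =
        "disable sms-billing-sdk\n" +
        "revoke analytics-sdk android.permission.ACCESS_FINE_LOCATION\n";

    public static void main(String[] args) {
        SdkPolicy policy = SdkPolicy.parse(POLICY);
        // Every SDK init and every sensitive-data hand-off in the app is wrapped like this.
        if (policy.shouldInitialize("sms-billing-sdk")) {
            System.out.println("initializing sms-billing-sdk");
        }
        if (policy.mayUse("analytics-sdk", "android.permission.ACCESS_FINE_LOCATION")) {
            System.out.println("passing device location to analytics-sdk");
        } else {
            System.out.println("location withheld from analytics-sdk");
        }
    }
}
```

The gate only controls what the app itself hands to an SDK; an SDK that reads data through the app’s permissions on its own is the case that needs policy enforcement inside the SDK’s call paths, which is the harder problem the text describes.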
So, as we always say, use as many SDKs as you need to create a wonderful app, just make sure you’re using them with caution!