IT IS SOMEONE ELSE’S CODE INSIDE YOURS
YET YOU ARE RESPONSIBLE FOR IT…
WHY IS IT A PROBLEM?
safedk.com
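// SDK code: read the location whenever the host app already holds the permission.
if (context.checkCallingOrSelfPermission("android.permission.ACCESS_FINE_LOCATION")
        == PackageManager.PERMISSION_GRANTED) {
    Location userLocation = locationManager.getLastKnownLocation("gps");
}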
if (hasEmailPermission()) {
    Pattern emailPattern = Patterns.EMAIL_ADDRESS;
    Account[] accounts = AccountManager.get(this.mContext).getAccounts();
    …
}
THE DARK SIDE OF SDK PERMISSIONS
SDKs & PERMISSIONS: WHAT THEY DON’T TELL YOU
[Bar chart. Categories, in extraction order: Network, Files, Phone State, Location, Wake Lock, PIM, Camera, Microphone, In-App Purchase. Bar values, in extraction order: 60.94%, 15.31%, 13.30%, 10.87%, 5.01%, 4.01%, 3.58%, 3.29%, 0.72%. Y-axis: 0.00% to 70.00%.]
• 16.59% of SDKs access the list of installed apps.
• 9.3% of SDKs access Accounts.
• 5.86% of SDKs access Microphone.
I KNOW WHAT YOUR SDKs DID LAST SUMMER
BAD NEWS FROM BADNEWS: HOW IT WORKED
1. App uploaded to Play Store
2. App passed Google checks: no malware
3. Users download the app
4. BadNews sets up a service on the device
5. Device polls BadNews’ C&C server every 4 hours
6. Server responds with malicious data
7. And voila! Device is infected with malware
NOT TO WORRY, I CAN PROTECT MYSELF
if (myCoolAwesomeConfiguration.isEnabled(SOME_SDK_KEY)) {
    new SomeSDK().init(SOME_SDK_KEY);
}
OOPS…
<receiver android:name="com.somesdk.sdk.BigMajorReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    </intent-filter>
</receiver>
AARs: SELF-GRANTING PERMISSIONS
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.gms.analytics">
    <uses-sdk android:minSdkVersion="9"/>
    <!-- Include required permissions for Analytics to run. -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <!-- Optional permission for Analytics to run. -->
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application />
</manifest>
* Google Play Analytics, v9.4.0
JUST SAY NO!
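<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.mine.myawesomeapp">
    <!-- Strip the permission an AAR adds during manifest merging. -->
    <uses-permission android:name="android.permission.WAKE_LOCK" tools:node="remove"/>
</manifest>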
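An added example, not from the original slides: a Python audit covering both the "AARs: self-granting permissions" and "Just say no!" slides. It compares an app manifest with the manifests bundled in its AARs and lists the permissions and receivers the libraries contribute, honoring tools:node="remove". The manifests are constructed samples modelled on the slides, the analytics.aar and somesdk.aar names are hypothetical, and only the remove marker of the manifest merger is modelled.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TOOLS = "{http://schemas.android.com/tools}"

# Constructed sample manifests (modelled on the slides, not real SDK files).
APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.mine.myawesomeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK" tools:node="remove"/>
</manifest>"""
LIBS = {"analytics.aar": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.gms.analytics">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>""",
        "somesdk.aar": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.somesdk.sdk"><application>
  <receiver android:name="com.somesdk.sdk.BigMajorReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application></manifest>"""}

def permissions(xml_text):
    """Map permission name -> tools:node marker (None when absent)."""
    root = ET.fromstring(xml_text)
    return {p.get(ANDROID + "name"): p.get(TOOLS + "node")
            for p in root.iter("uses-permission")}

def audit(app_xml, libs):
    """Report what library manifests add beyond what the app itself declares."""
    app = permissions(app_xml)
    removed = {n for n, node in app.items() if node == "remove"}
    declared = set(app) - removed
    report = {"added": {}, "blocked": {}, "receivers": {}}
    for lib, xml_text in sorted(libs.items()):
        for name in sorted(permissions(xml_text)):
            if name in removed:      # app strips it at merge time
                report["blocked"].setdefault(name, []).append(lib)
            elif name not in declared:  # self-granted by the library
                report["added"].setdefault(name, []).append(lib)
        for r in ET.fromstring(xml_text).iter("receiver"):
            actions = [a.get(ANDROID + "name") for a in r.iter("action")]
            report["receivers"][r.get(ANDROID + "name")] = actions
    return report

if __name__ == "__main__":
    for section, items in audit(APP, LIBS).items():
        print(section, items)
```

Running the same comparison against the merged manifest in a build's output shows which SDK introduced each permission before the app ships.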
[Figure: SDK and method counts for three apps. Apps: WinIt (58 SDKs), Wishbone (60 SDKs), Destiny (57 SDKs). Method counts, in extraction order: 164,796; 134,313; 159,717.]
THE GOOGLE PLAY SERVICES EXAMPLE
• Google offers its own SDK for Android with plenty of wonderful features and capabilities...
• Adds many methods: ~44K methods
MAIN CRASH REASONS
Out of Memory
Null Pointer Exceptions…
Concurrency & Threads
Views & Layouts
Permissions Mishap