Mobile app SDKs: The Nesting Dolls of Hidden Risk
Here’s an obvious statement for you: mobile applications are essential to how we go about our lives. From sharing files with colleagues to managing finances and connecting with family and friends, they seem to be able to do everything we need.
But here’s the catch: developers rarely build apps from scratch, and security is not typically their top priority. To quickly add features, they often rely on prepackaged code known as software development kits (SDKs). Without knowing which SDKs an app uses and the vulnerabilities they bring along, individuals and organizations are exposed to risks they may not even be aware of.
With the number of devices being used for work every day — especially as more employees bring their own devices — it’s impossible for security and IT teams to vet every single app present in their mobile fleet. This is why we’re rolling out a new capability in Lookout Mobile Endpoint Security that makes it easy for admins to review SDKs and build security policies around them. But before I get into our new feature, let me break down why SDKs represent a significant threat to your organization’s security and compliance postures.
It’s not always easy to identify risks in SDKs
The difficulty in managing risks from SDKs is that the risks they introduce aren’t always black and white. They aren’t developed with malicious intent in most cases. However, because of the ways they access or handle data, they could present risk that violates corporate policies.
Risky code isn’t always malicious code
A recent example of this is Bright Data (formerly Luminati), an SDK commonly used as an alternative way to monetize apps. Instead of showing ads to users, it connects to a platform that provides different data collection services. But this turns any app using the SDK into a proxy that can execute data collection commands on behalf of a third party.
The consequence of this is that, unbeknownst to you, an innocent-looking app that happens to be on your employee’s mobile device is collecting sensitive corporate or user behavior data.
Their true intentions can be hidden
In addition to SDKs introducing risks, there are some out there that obfuscate their risky intentions. Mintegral, a popular SDK used by more than 1,200 iOS apps with more than 300 million monthly downloads, was discovered by security firm Snyk (which named the finding SourMint) to allegedly contain obfuscated malicious code. The SDK has extensive access to personally identifiable information (PII) in apps, can send any URL requests made within the parent app to a third-party server and could allegedly report false clicks on ads.
The fact that the Mintegral SDK has self-obfuscation capabilities built in shows that its developers don’t want its data collection practices to be discovered. This in itself should be enough proof to enterprise admins that it’s not something they want in the presence of sensitive data.
SourMint and Bright Data are two examples of how a lack of visibility into every component of an app that could potentially access corporate data introduces a significant security risk. This makes it incredibly difficult to build an airtight security strategy, and could unknowingly be putting your organization at risk of violating compliance.
Keep tabs on SDKs with new review feature
The Lookout Mobile Endpoint Security console enables security admins to easily evaluate any app for risk. Simply paste an app store link, or upload an .ipa or .apk file, into the admin console for the app to be analyzed and a report to be generated.
Data from the report can be used to build organization-wide security policies for the app. You never even need to inspect an employee’s phone or tablet. As more capabilities are packed into SDKs and data regulations tighten, being able to easily analyze apps for risk introduced by SDKs enables you to proactively protect your organization’s data. Using Lookout to analyze your apps creates a network effect, because the analysis results feed the Lookout Security Graph that is used to protect all other Lookout customers.
The result of app analysis is that admins can filter apps and create policies based on hundreds of known risky or malicious SDKs, such as Bright Data or Mintegral. We understand that every organization may make a different determination as to whether a particular SDK is risky or not. With this expanded view, we give you the ability to write security policies based on your organization’s risk tolerance.
SDKs can affect both internal corporate policies as well as external compliance regulations. You could decide that certain SDKs, while legitimate, pose too much of a risk to your organization. Perhaps for corporate policy purposes, you don’t want data to be shared with Google Analytics or Facebook. You also want to prove to auditors that none of the regulated data is being inadvertently collected and handled in a way that would violate data compliance regulations like GDPR, CCPA or HIPAA.
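The policy workflow described above (inventory the SDKs an app bundles, then match them against the organization's own allow/review/block decisions) can be illustrated with a small stand-alone tool. The following is an added example written for this post; it is not Lookout's code and does not reproduce the console's analysis. It reads the string table of each `classes*.dex` inside an Android APK, turns the class descriptors it finds into package namespaces, and checks those namespaces against a policy catalog. The catalog's package prefixes (`com.brightdata`, `com.mintegral`, `com.facebook`, `com.google.android.gms.analytics`) and the verdicts attached to them are assumed placeholders, not a verified mapping of vendor SDKs to package names; the sample APK is constructed in memory so the script runs offline.

```python
"""Inventory third-party SDK namespaces in an APK and check them against an
SDK policy. Added example (not Lookout's code); package prefixes are assumed."""
import io
import struct
import zipfile
from collections import Counter

# Assumed policy catalog: package prefix -> (verdict, reason). Replace with the
# prefixes your own analysis has verified for each SDK.
SDK_POLICY = {
    "com.brightdata": ("block", "monetization SDK that proxies data-collection jobs"),
    "com.mintegral": ("block", "ad SDK reported to obfuscate data collection"),
    "com.google.android.gms.analytics": ("review", "analytics export not allowed by policy"),
    "com.facebook": ("review", "third-party data sharing needs sign-off"),
}


def _read_uleb128(buf, pos):
    """Decode a dex ULEB128 value at buf[pos]; return (value, new_pos)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def dex_strings(dex):
    """Yield every entry of a dex file's string table (ASCII descriptors only)."""
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _, pos = _read_uleb128(dex, off)        # skip UTF-16 length prefix
        end = dex.index(b"\x00", pos)           # MUTF-8 never contains a raw NUL
        yield dex[pos:end].decode("utf-8", "replace")


def packages_from_dex(dex):
    """Count class descriptors (Lcom/foo/Bar;) per package namespace."""
    pkgs = Counter()
    for s in dex_strings(dex):
        if s.startswith("L") and s.endswith(";") and "/" in s:
            pkgs[s[1:-1].rsplit("/", 1)[0].replace("/", ".")] += 1
    return pkgs


def packages_from_apk(apk_bytes):
    """Merge package counts from every classes*.dex in the APK (a zip file)."""
    pkgs = Counter()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                pkgs.update(packages_from_dex(z.read(name)))
    return pkgs


def evaluate(pkgs, policy=SDK_POLICY, app_pkg=None):
    """Return [(package, verdict, reason)] for namespaces matching the policy."""
    findings = []
    for pkg in sorted(pkgs):
        if app_pkg and (pkg == app_pkg or pkg.startswith(app_pkg + ".")):
            continue                            # the app's own code is not an SDK
        for prefix, (verdict, why) in policy.items():
            if pkg == prefix or pkg.startswith(prefix + "."):
                findings.append((pkg, verdict, why))
                break
    return findings


# --- constructed sample input (only the header fields this parser reads) ---
def _uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_minimal_dex(strings):
    """Build a dex-shaped blob: 0x70-byte header, string_ids, string data."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


SAMPLE_DESCRIPTORS = [  # constructed; mimics an app bundling three SDKs
    "Lcom/example/mail/MainActivity;", "Lcom/example/mail/net/Client;",
    "Lcom/mintegral/msdk/MIntegralSDK;", "Lcom/brightdata/sdk/BrightSdk;",
    "Lcom/facebook/FacebookSdk;", "Landroid/app/Activity;",
    "Ljava/lang/String;", "onCreate",
]


def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", build_minimal_dex(SAMPLE_DESCRIPTORS))
    return buf.getvalue()


if __name__ == "__main__":
    inventory = packages_from_apk(build_sample_apk())
    for pkg, verdict, why in evaluate(inventory, app_pkg="com.example.mail"):
        print(f"{verdict:7} {pkg:40} {why}")
```

Run against a real APK, the same two calls (`packages_from_apk` on the file bytes, then `evaluate` with the app's own package name) produce the per-SDK verdict list; the string-table walk is enough to surface bundled namespaces even when no source is available, and the policy dictionary is where an organization records the decisions the post describes, such as blocking a proxying SDK outright while only flagging an analytics SDK for review.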
A screenshot of the component menu in the Lookout console.
Don’t let SDKs put your data at risk
By expanding our app analysis feature to include SDKs, Lookout is providing an additional data source to help inform your IT and security teams about what could be putting your organization at risk. We have always placed heavy importance on visibility into the risks mobile apps could pose. This has become even more important with organizations embracing bring-your-own device (BYOD) policies to empower employees to stay productive from anywhere.
With little time to focus on security, app developers trust others to build secure SDKs with proper data handling policies. But this trust can be used to inject covert risky behavior. Even legitimate companies might have data handling practices that you just don’t want your organization’s data to be exposed to. Regardless, this enhanced visibility into app components is key to ensuring that your data isn’t being mishandled by a third party.
To get a quick demo of this capability, please reach out to your Lookout contacts. You can also request a demo here.