Mobile SDKs and WDKs

Many companies now provide customers the opportunity to use mobile software development kits (SDKs) and wearable development kits (WDKs) to build their own apps fairly quickly. They offer many benefits; some of the reasons for creating and leveraging mobile SDKs/WDKs are described below:

  • Faster time to deploy: Mobile SDKs and WDKs greatly simplify the integration effort. They can help simplify development projects and enable quicker integration of APIs that involve complex use cases.
  • Increased Security: Mobile SDKs and WDKs can provide greater visibility into security concerns early in the development lifecycle and offer developers more control. For example, mobile payment processing requires PCI compliance, and some platforms may have specific requirements for storing passwords, etc. An SDK/WDK can help provide the needed security.

Note that secure coding and traditional app security practices alone will not safeguard SDKs from pervasive security threats. Also, developers are not necessarily security experts.

  • Protect IP & Brand: Mobile SDKs and WDKs will allow you to safeguard critical portions of your code so your IP and Brand are not compromised.

Threats Faced by SDKs & WDKs – Security Remains a Challenge

A proof of concept introduced by Unix co-creator Ken Thompson has existed for some time. It demonstrates that hackers may attack mobile SDKs by distributing modified copies of the kits with Trojan/backdoor code already inserted in them.

IBM researchers discovered a flaw in Dropbox’s Android SDK that can leave mobile users vulnerable to attack. The issue was not in the Dropbox service or the mobile app itself, but rather in the company’s SDK that third-party developers include to let users easily connect to their Dropbox files. There were two ways to exploit this vulnerability — using a malicious app installed on the user’s device or remotely using drive-by techniques.

Apple recently identified a group of apps using a third-party advertising SDK developed by Youmi, a mobile advertising provider. The SDK relies on private APIs to gather personal information, such as user email addresses and device identifiers, and routes the data to the company's server.

Most security risks associated with SDKs will come from user-installed applications that are actually malware masquerading as innocent programs.

Moreover, there is a huge risk in exposing a company’s code and IP through the direct and intimate sharing of technology (in the form of an SDK/library/WDK).

Arxan Secures Mobile SDKs and Wearables Development Kits (WDKs)

Arxan provides embedded security libraries for native mobile and wearable apps to safeguard their confidentiality and integrity.

Our approach to SDK and WDK security provides Application Hardening and Run-time Application Self Protection measures coupled with fully programmable Breach Management functionality.

These measures:

  • Defend against compromise
  • Detect runtime attacks
  • Respond to runtime attacks with customizable actions

Arxan’s approach also ensures your patented intellectual property (IP) is not compromised or cloned through application attacks, such as reverse-engineering or code tampering.

See a case study on how Arxan’s techniques are currently securing SDKs and WDKs.



