A crowd-sourced list of SDKs and how they protect their downloads with HTTPs.
Based on the Trusting SDKs post by @KrauseFx this repo contains a crowd-sourced list of SDKs and their status when it comes to security when downloading the binary or source code.
You can get a list of the most used iOS SDKs on AppSight
| SDK | Has official CocoaPod | Website that links encrypted | Download uses HTTPs | Open Source |
|---|---|---|---|---|
| Facebook SDK | ✅ | ✅ | ✅ | ✅ |
| AWS SDK | ✅ | ✅ | ✅ | |
| AppsFlyer | ✅ | ✅ | ❌ | ✅ |
| Realm | ✅ | ✅ | ✅ | ✅ |
| Mixpanel | ✅ | ✅ | ✅ | ✅ |
| Braintree | ✅ | ✅ | ✅ | ✅ |
| Amplitude | ✅ | ✅ | ✅ | ✅ |
| Appsee | ✅ | ✅ | ✅ | |
| Crashlytics | ✅ | ✅ | ✅ | |
| Firebase | ✅ | ✅ | ✅ | |
| Heap | ✅ | ✅ | ✅ | |
| leanplum | ✅ | ✅ | ✅ | ✅ |
| Chartboost | ❌ | ✅ | ❌ | |
| AskingPoint | ❌ | ✅ | ❌ | |
| Google Analytics | ✅ | ✅ | ✅ | |
| Customerly SDK | ✅ | ✅ | ✅ | ✅ |
- ✅ A CocoaPod is available on CocoaPods.org, and is maintained by the company providing the SDK.
- ❌ No CocoaPod is available, or the pod that's available is published or maintained by a third party
As soon as the pod is maintained by a third party, the SDK is out of the control of the company providing it, adding an extra layer of security risks.
- ✅ The website linking to the download of the SDK (or the CocoaPods page) is HTTPs encrypted by default
- ❌ The website linking to the download uses unencrypted HTTP
This is critical, as by having the marketing or docs page be unencrypted allows an attack to re-write any links to different URLs, as described in trusting SDKs in the Localytics section.
This section is about the Manual Installation section most SDKs provides. As mentioned in trusting SDKs most of the pods on CocoaPods are secure.
- ✅ The download of the SDK happens via HTTPs by default
- ❌ The download of the SDK uses unencrypted HTTP by default, or doesn't support HTTPs at all
If the download doesn't happen via HTTPs be extra cautios when using the SDK, and notify the SDK provider.
- ✅ The SDK is open source, meaning you can see what kind of data the SDK tracks, and what web hosts it accesses
⚠️ The SDK is not open source - this doesn't mean it's bad, it just means you can't see what the SDK does
The risks of a closed source SDK is described in detail in trusting SDKs. In particular when it comes to accessing user data, keychain entries and photos this might add an risk.
This repo is community-driven. To update the information of an SDK, just submit a Pull Request to this repo. You can use the GitHub online editor to easily edit text online, without having to manually clone the repo.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent