Almost every IoT product today is linked in some way to an associated mobile application, which the user can use to control, manage or set up the device. Accordingly, these applications play an important role in our security tests and are the focus of the investigation when it comes to security and data protection. As an essential component of many applications, SDKs also prove to be quite interesting objects of investigation.
A software development kit (SDK) is generally a collection of programming tools and program libraries used to develop software. It helps software developers create applications based on these components, or use desired functionality without having to develop it completely from scratch themselves. There are countless such kits, especially in app development for Android, which can be used to integrate payment systems, implement user support or manage data, for example. Of particular interest for our tests are, of course, the kits that have implications for security and data protection; we always monitor their presence and activity in the apps we examine. Anyone interested in which SDKs are commonly used on Android for specific functionality can now look this up in the Google Play SDK Index.
The index can be used to search for specific SDKs by name or provider. It is also possible to browse directly through the various categories, which are organized by the functionality provided. You can then search specifically for SDKs that are used for marketing and advertising, for example, or that enable localization.
The main information that can be displayed for an SDK is its distribution and acceptance. The overviews show how often applications with a certain SDK integrated are installed, how long they remain installed, and in which version the SDK is mainly distributed. The permissions needed to realize the intended functionality are listed as well.
From our point of view, we would of course particularly like to have the option of listing all apps that use a particular SDK. This would make it possible to quickly assess the impact of known vulnerabilities in SDKs or to classify the data protection relevance of an app. We could imagine that this information would also be interesting for developers, for whom the index is primarily intended. For our part, we will at least keep an eye on the SDK Index for the time being; perhaps one or another useful function will be added over time.