Trust but Verify

Let’s assume you install the SDK and the list of permissions makes sense. Is there anything else that can go wrong? Unfortunately, there may still be cause for concern. You, the developer or company, are still the party that ultimately assumes the risk for any data leakage, so you need to perform more due diligence and check whether the SDK is collecting other data to send back to its servers. We can do this in a couple of ways: (1) by searching a decompiled version of the library for suspicious strings (sensitive API calls, hard-coded hostnames and URLs), or by searching the original codebase if it’s open source, and (2) by intercepting the SDK’s network traffic with a man-in-the-middle proxy to see what data is actually transmitted, to which hosts, and whether it is encrypted. The two checks are complementary: the string search shows what the SDK is able to collect, while interception shows what it really sends at runtime. Bear in mind that an SDK which pins its server certificate will refuse to talk through an interception proxy, which is itself worth noting, but it does not by itself tell you what is inside the traffic.
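The following is an added example of the first check, not code from the book or from any particular SDK: a small scanner that runs over decompiled Java or smali sources (for instance the output of jadx or apktool), flags calls to Android APIs that read device identifiers or personal data, pulls out every hard-coded endpoint, and compares the APIs found against the permissions the SDK asked you to declare. The sample sources and the package name `com.example.sdk` are constructed for illustration, and the list of sensitive APIs is a starting point you would extend for your own review.

```python
"""Scan decompiled SDK sources for data-collection indicators.

Added example, not from the book: greps decompiled Java/smali text for
sensitive Android API calls and embedded endpoints, i.e. the "suspicious
strings" step of the due-diligence check. Sample inputs are constructed.
"""
import re
from collections import defaultdict

# Sensitive Android APIs, mapped to the permission a legitimate caller needs.
# An empty string means no permission is required, which is exactly why a
# permission review alone would never surface these calls.
SENSITIVE_APIS = {
    r"getDeviceId\(": "android.permission.READ_PHONE_STATE",
    r"getImei\(": "android.permission.READ_PHONE_STATE",
    r"getLine1Number\(": "android.permission.READ_PHONE_STATE",
    r"getSubscriberId\(": "android.permission.READ_PHONE_STATE",
    r"Settings\.Secure\.ANDROID_ID|Settings\$Secure;->ANDROID_ID": "",
    r"getLastKnownLocation\(": "android.permission.ACCESS_FINE_LOCATION",
    r"getAccounts\(": "android.permission.GET_ACCOUNTS",
    r"getInstalledPackages\(|getInstalledApplications\(": "",
    r"getMacAddress\(": "android.permission.ACCESS_WIFI_STATE",
    r"ContactsContract": "android.permission.READ_CONTACTS",
}

# Matches http(s) URLs embedded as string literals in Java or smali source.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def scan_sources(files, declared_permissions):
    """files: {path: source text}. Returns (findings, endpoints, undeclared).

    findings:   {api_pattern: [(path, lineno, stripped line), ...]}
    endpoints:  sorted list of hostnames found in string literals
    undeclared: API patterns that were hit but whose required permission
                is not among the permissions the SDK asked us to declare
    """
    findings = defaultdict(list)
    endpoints = set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pat in SENSITIVE_APIS:
                if re.search(pat, line):
                    findings[pat].append((path, lineno, line.strip()))
            for m in URL_RE.finditer(line):
                host = re.sub(r"^https?://", "", m.group(0)).split("/")[0]
                endpoints.add(host)
    undeclared = sorted(
        pat for pat in findings
        if SENSITIVE_APIS[pat] and SENSITIVE_APIS[pat] not in declared_permissions
    )
    return dict(findings), sorted(endpoints), undeclared


# Constructed sample: one decompiled Java class and one smali class from a
# hypothetical third-party SDK. Not taken from any real library.
SAMPLE_SOURCES = {
    "com/example/sdk/Telemetry.java": '''package com.example.sdk;
public class Telemetry {
    private static final String ENDPOINT = "https://telemetry.example-sdk.net/v1/collect";
    void collect(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imei = tm.getDeviceId();
        String aid = Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
        List<PackageInfo> apps = ctx.getPackageManager().getInstalledPackages(0);
        post(ENDPOINT, imei, aid, apps);
    }
}
''',
    "com/example/sdk/AdTracker.smali": '''.class public Lcom/example/sdk/AdTracker;
const-string v0, "http://ads.example-sdk.net/track"
sget-object v1, Landroid/provider/Settings$Secure;->ANDROID_ID:Ljava/lang/String;
''',
}

# The permissions this hypothetical SDK's integration guide told us to add.
DECLARED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

if __name__ == "__main__":
    findings, endpoints, undeclared = scan_sources(SAMPLE_SOURCES, DECLARED_PERMISSIONS)
    print("Endpoints the SDK may contact:", ", ".join(endpoints))
    for pat, hits in findings.items():
        for path, lineno, line in hits:
            print(f"[{pat}] {path}:{lineno}: {line}")
    print("Sensitive APIs with no matching declared permission:", undeclared)
```

Two things in the sample output deserve attention in a real review: the SDK reads the IMEI although it never asked you to declare `READ_PHONE_STATE` (so the call will either fail or rely on a permission your own app already holds), and it reads the Android ID and the installed-package list, which need no permission at all and would never show up in a permission review. The hostnames it extracts are the ones to watch for in the second check, when you intercept the traffic and look at what is actually sent to them.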
