SDKs Behaving Badly

Modern software systems are increasingly built from components, many of them from third parties. This saves time and effort, but the developer now doesn't really know what their software is doing — but is still responsible for it. This is especially an issue for privacy compliance, with many apps leaking various kinds of sensitive data. In my ICSI group and at AppCensus, the company commercializing the methods we've developed, we've done dynamic analysis on hundreds of thousands of the most popular Android apps to see what sensitive data they access, with whom they share it, and how these practices comport with various privacy regulations, app privacy policies, and platform policies. We found that while potential violations abound, many of the issues appear to be due to the (mis)use of third-party SDKs.

Join our next discussion to learn about the most common types of violations that we've observed and how app developers can better identify these issues prior to releasing their apps.

Speaker Details:

Serge Egelman is the CTO of AppCensus, and the Research Director of the Usable Security and Privacy group at the International Computer Science Institute (ICSI) at Berkeley. He conducts research to help people make more informed online privacy and security decisions, and is generally interested in consumer protection. His research on privacy on mobile platforms has been cited in numerous lawsuits and regulatory actions, as well as featured in the New York Times, Washington Post, Wall Street Journal, Wired, CNET, NBC, and CBS.