/https

A crowd-sourced list of SDKs and how they protect their downloads with HTTPS

MIT LicenseMIT

Trusting SDKs - HTTPS

A crowd-sourced list of SDKs and how they protect their downloads with HTTPS.

Based on the Trusting SDKs post by @KrauseFx this repo contains a crowd-sourced list of SDKs and their status when it comes to security when downloading the binary or source code.

iOS SDKs

You can get a list of the most used iOS SDKs on AppSight

SDK Has official CocoaPod Website that links encrypted Download uses HTTPS Open Source
Facebook SDK
AWS SDK
AppsFlyer ⚠️
Realm ⚠️
Mixpanel
Braintree
Branch
Bugfender ⚠️
Amplitude
Appsee ⚠️
Crashlytics ⚠️
Firebase ⚠️
Heap ⚠️
leanplum
Chartboost ⚠️
AskingPoint ⚠️
Google Analytics ⚠️
Customerly SDK
HockeyApp
VS App Center
Evernote SDK
Carnival SDK ⚠️
PSPDFKit for iOS/macOS ⚠️
Instabug ⚠️
Intercom iOS SDK ⚠️
Zendesk Support SDK ⚠️
Zendesk Chat SDK ⚠️
Sentry SDK
PhotoEditor SDK iOS ⚠️

Has official CocoaPod

  • ✅ A CocoaPod is available on CocoaPods.org, and is maintained by the company providing the SDK.
  • ❌ No CocoaPod is available, or the pod that's available is published or maintained by a third party

As soon as the pod is maintained by a third party, the SDK is out of the control of the company providing it, adding an extra layer of security risks.

Website that links encrypted

  • ✅ The website linking to the download of the SDK (or the CocoaPods page) is HTTPS encrypted by default
  • ❌ The website linking to the download uses unencrypted HTTP

This is critical, as by having the marketing or docs page be unencrypted allows an attack to re-write any links to different URLs, as described in trusting SDKs in the Localytics section.

Download uses HTTPS

This section is about the Manual Installation section most SDKs provides. As mentioned in trusting SDKs most of the pods on CocoaPods are secure.

  • ✅ The download of the SDK happens via HTTPS by default
  • ❌ The download of the SDK uses unencrypted HTTP by default, or doesn't support HTTPS at all

If the download doesn't happen via HTTPS be extra cautious when using the SDK, and notify the SDK provider.

Open Source

  • ✅ The SDK is open source, meaning you can see what kind of data the SDK tracks, and what web hosts it accesses
  • ⚠️ The SDK is not open source - this doesn't mean it's bad, it just means you can't see what the SDK does

The risks of a closed source SDK is described in detail in trusting SDKs. In particular when it comes to accessing user data, keychain entries and photos this might add an risk.

Contributing

This repo is community-driven. To update the information of an SDK, just submit a Pull Request to this repo. You can use the GitHub online editor to easily edit text online, without having to manually clone the repo.

Click here to edit this file