Security of third-party libraries – things to consider

04.08.2017

Dariusz Sęk
Software Developer
Dariusz is a mobile software developer with professional experience on both the Android and iOS platforms. He is interested in technological novelties such as the new Fuchsia OS and the Flutter framework. Privately, a lover of fluffy dogs.

The security of third-party libraries is one of the major problems in software and app development. You have just built a great rich-content application and thought it was finally time to become a millionaire. It was very simple! You used one of the mobile in-app payment libraries and started monetizing your app…

Why should we think about the security of external libraries?

It is a common scenario (though of course not everyone will become a millionaire :)). As a mobile developer you have probably integrated your app with lots of SDKs to make your work faster and more efficient. That is understandable, because it would be foolish to reinvent the wheel. But… have you considered that some libraries require special care?

In our company, we develop an app containing pay-per-use payments. We decided to use a well-known library to handle it. Before we proceeded with the final implementation work, we decided to carry out a security audit. It was a surprise when we discovered potential problems. As it turned out, even popular and widely used solutions are not ideal…

Security of third-party libraries. Mechanisms

One of the security mechanisms in this payment solution was an MD5 sum that covered, among other things, a special security code. Sounds good, but the problem is that it was calculated on the client side, so the security code had to be present on the device. If the mobile device is infected with malware, there is a risk of this weakness being exploited in the payment process. Our recommendation was to move the MD5 sum calculation to the server side. The company providing the library decided to include our solution in the production versions of their software.
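As an added example (not code from the article or from the library it audited), the recommended arrangement in Python: the MD5 sum over the payment parameters plus the security code is produced by the app's own backend, the mobile app never holds the code, and the payment-provider side recomputes and verifies the sum. Parameter names, the separator, the sample values and the function names are assumptions; the MD5 construction is kept as the article describes it (an HMAC would be the stronger primitive, but the point here is where the secret lives).

```python
import hashlib
import hmac

# Constructed placeholder; a real code would live only in the backend's secret store.
SECURITY_CODE = "example-security-code-kept-only-on-server"


def mobile_app_payload(order_id: str, amount: str, currency: str) -> dict:
    """What the mobile app sends to its backend: raw parameters, no secret, no checksum."""
    return {"order_id": order_id, "amount": amount, "currency": currency}


def canonical_params(params: dict) -> str:
    """Join parameters in a fixed key order so signer and verifier hash identical bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def checksum(params: dict, security_code: str) -> str:
    """MD5 over the parameters plus the security code, as in the audited scheme.
    Anyone holding security_code can produce a valid sum, hence it must not ship in the app."""
    data = canonical_params(params) + "|" + security_code
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def server_sign_request(params: dict, security_code: str = SECURITY_CODE) -> dict:
    """Backend step: attach the sum before forwarding the request to the payment provider."""
    return {**params, "sum": checksum(params, security_code)}


def provider_verify(request: dict, security_code: str = SECURITY_CODE) -> bool:
    """Provider step: recompute the sum and compare in constant time."""
    received = request.get("sum", "")
    params = {k: v for k, v in request.items() if k != "sum"}
    return hmac.compare_digest(checksum(params, security_code), received)


def demo() -> tuple:
    """Returns (verifies_untouched, verifies_tampered) for a constructed payment."""
    params = mobile_app_payload("1001", "9.99", "PLN")
    signed = server_sign_request(params)
    # Altering the amount after signing invalidates the sum; a client without the
    # security code cannot recompute a matching one.
    tampered = {**signed, "amount": "0.01"}
    return provider_verify(signed), provider_verify(tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```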

Security is often overlooked until we personally experience abuse. Sometimes we wait for our software to scale first. But isn't that too late? Think about it: have you taken care of the security of the libraries you use?