A crowd-sourced list of SDKs and how they protect their downloads with HTTPS.
Based on the Trusting SDKs post by @KrauseFx this repo contains a crowd-sourced list of SDKs and their status when it comes to security when downloading the binary or source code.
You can get a list of the most used iOS SDKs on AppSight
| SDK | Has official CocoaPod | Website that links encrypted | Download uses HTTPS | Open Source |
|---|---|---|---|---|
| Facebook SDK | ✅ | ✅ | ✅ | ✅ |
| AWS SDK | ✅ | ✅ | ✅ | ✅ |
| AppsFlyer | ✅ | ✅ | ✅ | |
| Realm | ✅ | ✅ | ✅ | |
| Mixpanel | ✅ | ✅ | ✅ | ✅ |
| Braintree | ✅ | ✅ | ✅ | ✅ |
| Branch | ✅ | ✅ | ✅ | ✅ |
| Bugfender | ✅ | ✅ | ✅ | |
| Bugsee | ✅ | ✅ | ✅ | |
| Amplitude | ✅ | ✅ | ✅ | ✅ |
| Appsee | ✅ | ✅ | ✅ | |
| Crashlytics | ✅ | ✅ | ✅ | |
| Firebase | ✅ | ✅ | ✅ | |
| Heap | ✅ | ✅ | ✅ | |
| leanplum | ✅ | ✅ | ✅ | ✅ |
| Chartboost | ❌ | ✅ | ❌ | |
| AskingPoint | ❌ | ✅ | ❌ | |
| Google Analytics | ✅ | ✅ | ✅ | |
| Customerly SDK | ✅ | ✅ | ✅ | ✅ |
| VS App Center | ✅ | ✅ | ✅ | ✅ |
| Evernote SDK | ✅ | ✅ | ✅ | ✅ |
| Carnival SDK | ✅ | ✅ | ✅ | |
| PSPDFKit for iOS/macOS | ✅ | ✅ | ✅ | |
| Instabug | ✅ | ✅ | ✅ | |
| Intercom iOS SDK | ✅ | ✅ | ✅ | |
| Zendesk Support SDK | ✅ | ✅ | ✅ | |
| Zendesk Chat SDK | ✅ | ✅ | ✅ | |
| Sentry SDK | ✅ | ✅ | ✅ | ✅ |
| PhotoEditor SDK iOS | ✅ | ✅ | ✅ | |
| Pusher Beams iOS SDK | ✅ | ✅ | ✅ | ✅ |
| Scanbot SDK for iOS | ✅ | ✅ | ✅ | |
| Video Editor SDK iOS | ✅ | ✅ | ✅ | |
| Face AR SDK | ✅ | ✅ | ✅ |
- ✅ A CocoaPod is available on CocoaPods.org, and is maintained by the company providing the SDK.
- ❌ No CocoaPod is available, or the pod that's available is published or maintained by a third party
As soon as the pod is maintained by a third party, the SDK is out of the control of the company providing it, adding an extra layer of security risks.
- ✅ The website linking to the download of the SDK (or the CocoaPods page) is HTTPS encrypted by default
- ❌ The website linking to the download uses unencrypted HTTP
This is critical, as by having the marketing or docs page be unencrypted allows an attack to re-write any links to different URLs, as described in trusting SDKs in the Localytics section.
This section is about the Manual Installation section most SDKs provides. As mentioned in trusting SDKs most of the pods on CocoaPods are secure.
- ✅ The download of the SDK happens via HTTPS by default
- ❌ The download of the SDK uses unencrypted HTTP by default, or doesn't support HTTPS at all
If the download doesn't happen via HTTPS be extra cautious when using the SDK, and notify the SDK provider.
- ✅ The SDK is open source, meaning you can see what kind of data the SDK tracks, and what web hosts it accesses
⚠️ The SDK is not open source - this doesn't mean it's bad, it just means you can't see what the SDK does
The risks of a closed source SDK is described in detail in trusting SDKs. In particular when it comes to accessing user data, keychain entries and photos this might add an risk.
This repo is community-driven. To update the information of an SDK, just submit a Pull Request to this repo. You can use the GitHub online editor to easily edit text online, without having to manually clone the repo.