Vetting applications on mobile devices, whether enterprise-issued or employee-owned, is a key part of any security strategy, but a startup based in Herzliya, Israel wants to go a step further.
SafeDK recently launched with $2.25 million USD in seed funding. It’s growing its platform that allows developers to rate and review software development kits (SDKs) for mobile applications, starting with the Android OS but with iOS capabilities already in development, said co-founder Orly Shoavi.
The platform enables developers to monitor real-time behavior of SDKs and notifies them of privacy, performance, and stability issues. More importantly, said Shoavi, it allows developers to simply turn off SDKs or certain functionality within an SDK without harming app stability, and enables them to update their apps’ new SDK configuration with a simple click, and without the need for version updates. It’s more than just a marketplace, she said. The goal of SafeDK is to support the entire value chain of mobile SDKs.
Everybody uses third-party SDKs, said Shoavi, and while some are open source, many are “black boxes” to a developer – they don’t know what’s inside. Even an excellent developer who follows the rules and writes great code can be affected by a bad SDK.
Bad SDKs introduce problems in two main domains, said Shoavi. The first area is privacy and security, where SDKs take over application permissions to get private data from users, accessing information such as locations, contacts and emails.
“Privacy leaks happen a lot,” she says. SDKs can be used to introduce malware to mobile devices and open backdoors to data that can be exploited.
The other way bad SDKs can affect mobile devices is through reducing quality of service, she said. There’s not always malicious intent but bugs can cause problems such as draining a battery too quickly. “It’s very frustrating for the app developers.”
An application can follow the rules, said Shoavi, but can end up losing users and even get removed from the Apple Store or Google Play because an SDK is causing problems. That’s why the ability to deactivate an SDK or disable a feature in an app is appealing. “It’s not all or nothing.”
For enterprises leveraging mobile apps, security and privacy are critical, and even conservative enterprises need to use SDKs, said Shoavi, and SafeDK provides some insurance. Each SDK in an app on a mobile device can be analyzed by IT, she said. “An application could have good reputation for the enterprise but could still have bad SDKs.”
While there are many tools that look at security and performance of mobile applications, Shoavi said not enough attention has been paid to SDKs, which are sometimes intentionally created to be malicious and other times nothing more than poorly written code. “It happens.”
But even unintentionally bad SDKs can cause an app to lose functionality or open security holes that can allow external control of a mobile device. Shoavi said SafeDK wants to encourage developers to rate and review SDKs to help other developers and “turn every SDK into a SafeDK. We want to be a one-stop shop to find all bugs and issues.”