Uncovering the Hidden Side of SDKs: Security Risks and GDPR Compliance

As software development becomes more complex, SDKs have become a staple for developers looking to simplify the process. But what happens when these tools come with hidden security risks and compliance issues? In this article, we take a closer look at the hidden side of SDKs and what steps you can take to protect your data.

In all areas of business, certain redundant services are used by many companies. For example, in the automotive industry, no one reinvents the wheel. Actors already exist, and have sufficiently optimized their facilities and production.

On the other hand, software and application publishers need to know:

  • how users discover their tools
  • how they download their applications
  • how their applications / software are used
  • in what circumstances they malfunction
  • the need for a payment system

All of this, in order to increase their sales, manage problems in real time, etc. The idea is to manage their business correctly, with reliable data and tools.

However, there are services that can answer these questions. They have now been developed for some time by specialized third-party companies. These are SDKs: Software Development Kits, or application development kits.

For example, Stripe-js is a payment SDK: it makes it easy to integrate a product purchase module with credit card input. This SDK is used by platforms using the JavaScript language. Technically, an SDK is often a folder containing various code files.

Statistics for the Stripe module. Recently modified and downloaded 800,000 times per week.

Stripe-js weighs 343 Kb and contains 61 files. It is downloaded 788,970 times per week, and the code was last modified 8 days ago according to the npm platform. This platform allows developers who use Javascript to download various SDKs and components for their development projects.

Another example: EDF (source: Appfigures)

AppTasty, Admob, AppAuth sont des SDK présents dans l'application EDF et Moi
AppFlyer, Batch, and Firebase are SDKs present in the EDF and Moi application.

The use of these SDKs is massive, for a very simple reason: recreating these tools internally would represent a considerable amount of time and very high costs for software publishers.

The hidden side of SDKs

Few developers and companies question what lies behind SDKs. They choose to use them for the simplest and quickest solution.

The problem is that some SDK publishers can slip in backdoors or security vulnerabilities - either intentionally or unintentionally.

Most have no idea of the building blocks used by these third-party companies. Moreover, the main complaint against SDKs concerns the protection of personal data submitted to the General Data Protection Regulation (GDPR).

Finally, SDKs raise broader questions:

  • What information do end users need to have access to?
  • Where are the data hosted? Who uses them?
  • What are the third-party software building blocks?
Journalist constantly searching for new tools that are lightweight, accessible to all, and respectful of users' privacy.


Write a comment

Chargement d'un nouvel article...

Reduce your carbon footprint with simple gestures

Follow our tutorials

Les Enovateurs

Find us also on