by untog 2130 days ago
I feel like it’s been accepted wisdom for a long time that native apps are more secure than the web. In the last few months I’ve found myself wondering if that’s actually true. They both have their own, different security problems.
2 comments

The challenge here is with SDKs. Just like with other open source libraries and packages, once you introduce someone else's code into your app, it becomes infinitely harder to get visibility into what your app is doing and ensure that third-party code isn't doing something nefarious (or including a sub-dependency that does something nefarious).
True, but at least on the web I can inspect what network requests it sends, what the code is (even if it's obfuscated). Native SDKs are just a black hole.
In this case the SDK was ripping off the developer, by attributing watched ads to its own network by pinging the ad provider after it detected a ping from a different ad SDK in the running app.

For the end user, they were still watching ads just the same.