Can some dependencies for Android be dangerous to use? I mean, could they have malicious code in them? After all, they have been written by users whom we don't know.

Phantômaxx
user4938227

2 Answers

Dependencies are a way of using "external" files in your project. Android is irrelevant as this concept is universal. You could depend on code in the same codebase, but that's out of the scope of this question.

A helpful way to think about dependencies could be adding source code written by other developers into your source code. Note this is technically false, since dependencies could add compiled libraries or other types of files, but it may help beginners.

It's inaccurate to say threats arise because of dependencies, since the danger is held on a singular dependency basis.

You must examine the credibility of each dependency. If you add a dependency with thousands of modifications by hundreds of developers, you can likely trust the dependency to be safe. However, if you add a dependency with one author and few users, there will generally be a higher risk of dangerous code.

In addition to the authors, the source of the dependency can be important. Dangerous code is less likely to exist in credible package managers where dependencies are reviewed.

These rules are a place to start, but there can be exceptions. In the end you need to decide what you can and can't trust. I'd assume most of the dependencies will be safe, especially if their purpose is applicable to a wide scope of projects.

Matt Goodrich
  • I'm going to add on to this: you should never include a dependency unless it's either a well-known library whose author you trust not to be malicious (basically major corporations) or you have security audited the entire library yourself. If you're going to GitHub, finding a random library that does what you want and hoping it's not malicious, you deserve what you get. – Gabe Sechan Jan 02 '18 at 21:45
  • I like how @GabeSechan emphasizes trust in the author. It's common to add dependencies and allow automatic updates. This means you not only need to trust the code you're adding now, but also future changes by the same author (if you allow automatic updates). – Matt Goodrich Jan 02 '18 at 21:49
  • Thank you for your answer!!! – user4938227 Jan 03 '18 at 04:48
  • No problem @user4938227! Glad I can help. Please mark it as correct for future readers if it's what you were needing. – Matt Goodrich Jan 03 '18 at 04:58
  • There's a green check mark next to each answer, which allows you to indicate the best solution. It's near the upvote/downvote. – Matt Goodrich Jan 03 '18 at 05:03
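An added example, not from the answer or its comments, of how the advice above translates into an Android project's Gradle files: restrict where dependencies may be fetched from (the "source of the dependency") and pin exact versions so that an update is a reviewed change rather than an automatic one. Gradle 7+ with the Android Gradle Plugin is assumed; `com.example:some-lib` is a placeholder coordinate, not a real library.

```groovy
// settings.gradle (project root): resolve dependencies only from repositories
// you have decided to trust, and refuse module-level repository overrides that
// would quietly add another source.
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        // Any extra 'maven { url ... }' entry (a personal GitHub-hosted repo, a
        // plain-HTTP mirror) would have to appear here, in one place, where a
        // reviewer can see it.
    }
}

// app/build.gradle (module)
dependencies {
    // Weak: a dynamic version is resolved to the newest release at each build,
    // so you are trusting every future upload under this coordinate, sight unseen.
    // implementation 'com.example:some-lib:+'

    // Better: the exact release you reviewed (placeholder coordinate/version).
    // Nothing newer is pulled in until someone deliberately changes this line.
    implementation 'com.example:some-lib:1.2.3'
}

// Lock files freeze the transitive graph as well, not just the direct
// dependency. Generate them once with
//   ./gradlew dependencies --write-locks
// and commit gradle.lockfile, so a changed transitive version shows up as a
// diff in code review instead of silently at build time.
dependencyLocking {
    lockAllConfigurations()
}
```

On top of pinning, Gradle's dependency verification (`./gradlew --write-verification-metadata sha256 help`, which writes gradle/verification-metadata.xml) records artifact checksums so that a re-published artifact with the same version but different contents fails the build.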

Can some dependencies for android be dangerous to use?

For me, the danger is that my project will one day stop running! Example: I include a super-library, compile, test and publish. Everyone is happy. That library posts some data to their server and does something: crash reports, Google Analytics, maybe it will even spam my customers, whatever; it can be malicious software too. The real problem is that if the library changes the protocol with their server, I will get a notification mail. Maybe I will receive it in the SPAM folder and ignore it. After a while my app will start crashing and producing warnings. That's the real danger of the included code.

I mean could they have malicious code in them?

It can, but everyone will test it, and if it does, it will be removed.

After all they are been written from users who we don't know

Would you be happier if you knew the code writer in person: what he eats, what he drinks, what his shoe size is? He belongs to a company, which can even be sold, and you just wake up with other developers modifying the code. You should focus on the code and not on the persons who are writing it.

Included code is a double-edged sword: in the short term it may help you a little, in the long term for sure not, but you have to deliver results for yesterday... that's why you sometimes need to include it.

matheszabi