Severity: medium | CWE-1395 (Dependency on Vulnerable Third-Party Component) | OWASP Mobile Top 10 M2:2024 (Inadequate Supply Chain Security)

Mobile Supply Chain Security

Vulnerable SDKs, outdated native libraries, or compromised third-party modules bundled into your mobile app ship your dependencies' weaknesses to every device that installs a build.

How It Works

Mobile apps often include dozens of third-party SDKs for analytics, ads, crash reporting, and social login. Each SDK runs inside the app's process with the app's full permissions, so a flaw or backdoor in any one of them is a flaw in the whole app. Outdated native libraries may carry publicly known vulnerabilities that an attacker can target without reversing your own code. React Native and Flutter projects additionally inherit the risks of the npm and pub package ecosystems: typosquatted or hijacked packages, transitive dependencies nobody reviewed, and version ranges that resolve differently than the manifest suggests. Unlike a web app, which is patched the moment you redeploy, a mobile app is only fixed once users install the update, and many do not update for months, which extends the window during which a known vulnerability stays exploitable.

Vulnerable Code
// package.json
{
  "dependencies": {
    "react-native": "0.68.0",
    "react-native-webview": "11.0.0",
    "@react-native-firebase/app": "14.0.0"
  }
}
Secure Code
// package.json — updated, audited
{
  "dependencies": {
    "react-native": "0.73.0",
    "react-native-webview": "13.8.0",
    "@react-native-firebase/app": "19.0.0"
  }
}

Real-World Example

The SourMint attack (2020) affected 1,200+ iOS apps through a malicious ad SDK from Mintegral. Behind a benign-looking interface, the SDK hooked the app's URL request handling so it could log every URL-based request the app made, including request details the developer never intended to share, and used the captured click data to claim attribution for app installs that other ad networks had actually driven. Developers who integrated the SDK had no indication that it was doing anything beyond serving ads.

How to Prevent It

  • Regularly update all mobile SDKs and native dependencies, and ship the update promptly, since users only get the fix once they install the new build
  • Audit third-party SDKs before including them: review what permissions and network endpoints they use, and prefer vendors that publish source or a security contact
  • Commit a lockfile and pin versions so the resolved dependency set is reproducible, then run npm audit (React Native) or review flutter pub outdated (Flutter) in CI on every build
  • Monitor for security advisories on included SDKs and their transitive dependencies, not only the packages named in your manifest
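The following is an added example written for this page; it is not code from the page, from React Native, or from any scanner mentioned here. It implements the audit step described in the list above and in "How It Works": parse package.json, work out which version is actually installed (exact pins directly, ^/~ ranges through the lockfile), and match the installed version against an advisory list. The advisory entries, their identifiers and version ranges, and the lockfile contents are constructed for illustration only and do not describe real vulnerabilities in these packages. It also shows the failure mode that a manifest-only check misses: a range like ^11.0.0 cannot be audited without the lockfile.

```javascript
// Added example: a minimal dependency audit for a React Native package.json.
// Everything below that looks like a vulnerability database is constructed;
// the EXAMPLE-ADV-* identifiers and ranges are hypothetical, not real CVEs.

// Constructed manifest based on the page's "Vulnerable Code" block, with one
// dependency changed to a caret range to show why the lockfile matters.
const PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "react-native": "0.68.0",
    "react-native-webview": "^11.0.0",
    "@react-native-firebase/app": "14.0.0",
  },
});

// Constructed manifest matching the page's "Secure Code" block.
const SECURE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "react-native": "0.73.0",
    "react-native-webview": "13.8.0",
    "@react-native-firebase/app": "19.0.0",
  },
});

// Constructed lockfile excerpt: the versions that were actually installed.
const LOCK_RESOLVED = {
  "react-native": "0.68.0",
  "react-native-webview": "11.6.2",
  "@react-native-firebase/app": "14.0.0",
};

// Constructed advisory list (hypothetical identifiers and vulnerable ranges).
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", name: "react-native-webview", vulnerable: "<11.17.0", severity: "high" },
  { id: "EXAMPLE-ADV-0002", name: "react-native", vulnerable: ">=0.64.0 <0.70.0", severity: "moderate" },
];

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate the comparator subset advisories use: "<X", "<=X", ">X", ">=X", "=X",
// with several clauses separated by spaces meaning AND.
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// An exact pin tells us what is installed; any range (^, ~, >=, ...) does not,
// so for ranges the only trustworthy answer comes from the lockfile.
function resolveInstalled(name, spec, lock) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return spec;
  if (lock && lock[name]) return lock[name];
  return null;
}

// Returns one finding per vulnerable (or unresolvable) dependency.
function auditDependencies(packageJsonText, advisories, lock) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const installed = resolveInstalled(name, spec, lock);
    if (installed === null) {
      findings.push({ name, spec, installed: null, advisory: null, status: "unresolved" });
      continue;
    }
    for (const adv of advisories) {
      if (adv.name === name && satisfiesRange(installed, adv.vulnerable)) {
        findings.push({ name, spec, installed, advisory: adv.id, severity: adv.severity, status: "vulnerable" });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("with lockfile:", auditDependencies(PACKAGE_JSON, ADVISORIES, LOCK_RESOLVED));
  console.log("without lockfile:", auditDependencies(PACKAGE_JSON, ADVISORIES, null));
  console.log("secure manifest:", auditDependencies(SECURE_PACKAGE_JSON, ADVISORIES, LOCK_RESOLVED));
}
```

Run with node. With the lockfile present, the constructed data yields two vulnerable findings; without it, react-native-webview comes back as "unresolved" rather than silently passing, which is the behaviour you want in CI: a range that cannot be resolved is a gap in the audit, not a clean result. The secure manifest produces no findings. A real tool would pull advisories from the npm registry or GitHub Advisory Database and walk the lockfile's transitive tree, but the resolution-before-matching logic is the same.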

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.
