Starting from SDK 6.6.0, GetSocial SDKs for all platforms support “restricted” mode for library initialization.
To restrict usage of the SDK on Android, use GetSocial SDK 6.9.0+
Android SDK 6.6.0 - 6.8.0 calculates the certificate fingerprint from the public certificate key. From version 6.9.0 we calculate the SHA-256 fingerprint of the entire certificate, to align it with keytool output. Follow the Upgrade Guide if you were using it with an older SDK version.
We implemented SDK initialization restrictions to prevent hackers from using your GetSocial App Id in their apps. Mobile devices are not a secure environment. Anyone can decompile the application and steal information, such as the ids that SDKs use for initialization. In “restricted” mode we validate not only the App Id but also the signing certificate information you provide on the GetSocial Dashboard.
On Android, we validate if package name and SHA-256 certificate fingerprint of the app match the values provided on the GetSocial Dashboard. On iOS, we validate bundle id and team id.
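To show why a fingerprint derived from the public key stops matching once the whole certificate is hashed, here is an added example (not GetSocial's code) that computes both values for one certificate and checks a pasted Dashboard value. The certificate is a constructed DER blob, and hashing the SubjectPublicKeyInfo with SHA-256 is an assumption standing in for the 6.6.0 - 6.8.0 calculation, whose exact form this page does not specify.

```python
import hashlib

def tlv(tag, body):  # DER-encode a short (<128 byte) element; builds the sample
    return bytes([tag, len(body)]) + body

def read(buf, off):
    """Return (tag, content_start, content_end) of the DER element at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length, as real certificates use
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def children(element):
    """Split a constructed DER element into its encoded children."""
    _, pos, end = read(element, 0)
    out = []
    while pos < end:
        nxt = read(element, pos)[2]
        out.append(element[pos:nxt])
        pos = nxt
    return out

def spki(cert_der):
    """Extract SubjectPublicKeyInfo from an X.509 certificate."""
    fields = children(children(cert_der)[0])  # tbsCertificate fields
    return fields[6 if fields[0][0] == 0xA0 else 5]  # optional version first

def keytool_format(data):
    """SHA-256 as uppercase colon-separated hex, the way keytool prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(data).digest())

def cert_fingerprint(cert_der):    # whole certificate (6.9.0+ per the page)
    return keytool_format(cert_der)

def pubkey_fingerprint(cert_der):  # ASSUMED stand-in for 6.6.0 - 6.8.0
    return keytool_format(spki(cert_der))

def matches_dashboard(cert_der, pasted):
    """Compare, ignoring case, colons and whitespace in the pasted value."""
    want = "".join(pasted.split()).replace(":", "").upper()
    return want == cert_fingerprint(cert_der).replace(":", "")

# Constructed sample: a minimal certificate-shaped DER blob, not a real cert.
EMPTY = tlv(0x30, b"")
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x03")) + tlv(0x03, b"\x00constructed-key"))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + EMPTY + tlv(0x03, b"\x00sig"))
print(cert_fingerprint(SAMPLE_CERT), pubkey_fingerprint(SAMPLE_CERT), sep="\n")
```

The two printed values differ for the same certificate, so a Dashboard entry made for one calculation will not validate against the other.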
For all newly created apps, the “Restrict usage of the SDK” setting on the Dashboard is turned on by default. For apps created before August 3, 2017, the toggle is off by default. Please refer to the migration guide below to learn how to enable security for older apps.
Do Not Enable ‘Restrict usage of the SDK’ Before Migrating to 6.6.0+ SDK
Older versions of the SDK do not send the information required to validate the security restrictions. As a result, if the setting is enabled, SDK initialization will fail. Check the guide below to learn how to migrate and enable the “Restrict usage of the SDK” toggle.
Enabling “Restrict usage of the SDK” For Apps Created Before August 3, 2017
- Integrate SDK version 6.6.0+.
- Wait for a couple of weeks or a month, until the vast majority of your users move to the version of the app with GetSocial SDK 6.6.0+ integrated.
- Enable the “Restrict usage of the SDK” toggle on the Dashboard.