SDK and Library Integration in Apps: CRA Responsibilities
Software Development Kits (SDKs) and third-party libraries are staples in app development, speeding up work and adding complex features. However, under the EU Cyber Resilience Act (CRA), integrating them comes with clear responsibilities.
Manufacturer's Due Diligence
As the app developer, you are the "manufacturer" of the final product. The CRA states that you must "exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements" (Article 13, Paragraph 5). This directly applies to every SDK (for analytics, ads, social media, etc.) and library you embed in your app.
What This Means in Practice
- Source Vetting:
  - Prefer official SDKs and libraries from reputable sources.
  - Check for known vulnerabilities in the versions you intend to use. Look at their track record for security updates.
- Understand Permissions and Data Access:
  - What permissions does the SDK/library require? Does it really need all of them?
  - What data does it collect or have access to within your app? Is this data handling secure and compliant with privacy regulations like GDPR?
- Keep Components Updated:
  - Vulnerabilities are regularly found in libraries. Establish a process to monitor for updates and apply them, especially security patches.
  - The CRA requires manufacturers to identify and document components, including drawing up a Software Bill of Materials (SBOM) (Annex I, Part II, Point 1). An SBOM is a list of all software components and their versions, which is crucial for tracking vulnerabilities.
- Secure Integration:
  - Follow the SDK/library provider's security best practices for integration.
  - Ensure that the interaction between your app and the component doesn't introduce new vulnerabilities.
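The "Keep Components Updated" point above rests on having a machine-readable component list to check advisories against. The following is an added example, not code from the original article: it builds a minimal CycloneDX-style SBOM from a constructed component list and flags entries older than an advisory's fixed version. The component names, versions and advisory identifiers are constructed placeholders.

```python
import json

# Constructed sample of third-party components an app embeds (name, version).
# In a real project this list would be read from the package manager's lockfile.
COMPONENTS = [
    ("analytics-sdk", "2.9.3"),
    ("ads-sdk", "5.0.0"),
    ("social-login", "1.8.4"),
]

# Constructed advisory feed: affected component, first fixed version, placeholder id.
ADVISORIES = [
    {"name": "analytics-sdk", "fixed_in": "2.10.0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "social-login", "fixed_in": "1.8.0", "id": "ADVISORY-PLACEHOLDER-2"},
]


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so that 2.9.3 < 2.10.0.
    Plain string comparison would get this wrong ('9' sorts after '1')."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(components) -> dict:
    """Minimal CycloneDX 1.5 JSON document listing each component and its version."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:generic/{name}@{version}"}
            for name, version in components
        ],
    }


def affected_components(sbom: dict, advisories) -> list:
    """Return (name, version, advisory id) for SBOM entries below the fixed version."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print(json.dumps(sbom, indent=2))
    for name, version, adv_id in affected_components(sbom, ADVISORIES):
        print(f"UPDATE NEEDED: {name} {version} is affected by {adv_id}")
```

Running this prints the SBOM and reports only analytics-sdk, because social-login 1.8.4 is already at or above its fixed version.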
Reporting and Remediating Vulnerabilities
If you identify a vulnerability in an integrated SDK or library, you should inform the entity manufacturing or maintaining that component. You also need to address and remediate how that vulnerability affects your app (Article 13, Paragraph 6).
Key Takeaway
Integrating any SDK or third-party library into your app makes you responsible for the due diligence regarding its security under the CRA. Vet your sources, understand data access, keep components updated (using an SBOM helps), and be prepared to manage vulnerabilities stemming from these integrations as they affect your app's security.