The demo shows a man-in-the-middle attack in action. There is a Raspberry Pi on the network (the attacker), and I use my Mac without any special configuration. All the attacker needs is to be on the same network, no matter if it’s an open or closed network.
The attacker performs a man-in-the-middle attack, modifying the AWS SDK source code while it’s being downloaded in order to insert malicious code.
In this video you can see a sample app that only shows a map. After the AWS SDK is added to the project, the SDK runs its malicious code and shows an iCloud phishing popup, printing the raw iCloud password in the log after the user enters it. The hack could very easily send the cleartext password to any remote server, or do other things, like access the user’s location history using image data or record the user without them knowing (https://krausefx.com/privacy).
Thanks Manu (https://twitter.com/acrooow) for the great voice-over for this video.
More information on https://krausefx.com/blog/trusting-sdks
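
The attack above works because the downloaded SDK is added to the project without any check that it arrived unmodified. The following is an added example, not part of the original page or of any SDK's tooling: a Python check that refuses an archive unless it came over HTTPS and matches a SHA-256 digest pinned in advance. The URL, the function names and the sample bytes are constructed for illustration, and the pinned digest is assumed to come from a trusted channel.

```python
import hashlib
import hmac
import os
import tempfile

class IntegrityError(Exception):
    """Raised when a downloaded SDK must not be added to the project."""

def sha256_file(path, chunk_size=65536):
    # Stream the file so large SDK archives are not loaded into memory.
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_sdk(url, path, pinned):
    """Check a downloaded archive against a digest pinned out of band."""
    if not url.lower().startswith("https://"):
        # Plain HTTP lets anyone on the network path rewrite the bytes.
        raise IntegrityError("refusing non-HTTPS download: " + url)
    expected = pinned.get(url)
    if expected is None:
        raise IntegrityError("no pinned digest: " + url)
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        raise IntegrityError("digest mismatch: got " + actual)
    return actual

def demo():
    # Constructed sample data: stand-in bytes, not a real SDK archive.
    url = "https://sdk.example.com/SampleSDK.zip"  # hypothetical URL
    original = b"PK\x03\x04 sample sdk contents"
    modified = original + b" injected code"  # bytes changed in transit
    pinned = {url: hashlib.sha256(original).hexdigest()}
    cases = [("clean", original, url), ("tampered", modified, url),
             ("http", original, url.replace("https", "http", 1))]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data, src in cases:
            path = os.path.join(tmp, name + ".zip")
            with open(path, "wb") as f:
                f.write(data)
            try:
                verify_sdk(src, path, pinned)
                results[name] = "accepted"
            except IntegrityError as exc:
                results[name] = "rejected: " + str(exc).split(":")[0]
    return results
```

Calling `demo()` returns the verdict for each of the three constructed downloads; only the unmodified archive fetched over HTTPS is accepted.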