Published Mar 08, 2019
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
Application security is no longer an afterthought. Developers now prioritize security due to the exponential risk of cybercrime. Developers need to pay more attention to security as it is a crucial aspect of app development. Using application security solutions like Kiuwan ensures that vulnerabilities can be identified and resolved in good time. Popular solutions like Static Application Security Testing (SAST) simultaneously used with Source Code Analysis (SCA) ensures that commonly found vulnerabilities are identified for a secure Software Development Life Cycle (SDLC). Comprehensive integration for web and mobile applications in Swift allows individual developers as well as leading application development organizations to abate sophisticated malware. SCA is the most efficient and comprehensive means of identifying loopholes, ensuring that applications are protected. Every IT organization should have SAST as a mandatory requirement for the development and production of applications.
Mistakes Developers Make When Developing Applications in Swift
Swift is a programming language that was introduced at Apple’s Worldwide Developers Conference(WWDC) in 2104. Even though in the beginning it was proprietary, this de facto programming language is now open source, multi-paradigm and general purpose. It is a popular programming language popular among developers since it is compatible with iOS, MacOS, WatchOS, tvOS as well as Linus systems. Developers can use this language to program the server-side as well as the client-facing interface. Below are common mistakes when developing applications with Swift.
1. Insecure data storage
Local data on an application could be insecurely stored, giving attackers a loophole to manipulate application directories. The locally stored data might be the user’s data or execution metadata that users don’t have access to. But the fact that it is not visible to application users, does not mean it is invaluable. Because of the incorrect premise, a developer might make a decision that enables sophisticated malware an easy time manipulating the vulnerabilities of the application.
There is software available that can be used to view all application directories to violate privacy or steal identities. Such attacks damage the reputation of IT organizations and result in much more server impacts on the business in general. Since keychain is only limited to small data, the application’s sensitive data should be encrypted to prevent attackers from manipulating plain file systems and databases. As a developer, you should only store data that you need to minimize risk since what is not stored cannot be stolen. All in all, remember not to roll your own cryptography.
2. Insecure communication
Aside from storage, communication can also be insecure for mobile and web applications. Reverse geocoding of back-end servers is possible when a developer does not use secure channels to communicate. Using HTTP protocol is to transfer XML, JSON and so many other messages make it easy for attackers to cause interference between the client and the server. It is recommended that developers use HTTPS(HTML over SSL/TLS) to ensure that data in transit is not stolen or modified. When attacker tampers with exchange data, there is no guarantee with whom the application is communicating.
Man-in-the-middle (MitM) attacks that are third-party interferences between the server and the client can be mitigated by purchasing a valid SSL certificate. There is no excuse to use an insecure communication since SSL certificates are now free unlike in the past when they were expensive. Besides, from an implementation standpoint, there is no difference between using HTTPS or HTTP to communicate. HTTPS adoption thanks to perfectly valid SSL certificates guarantees secure communication for applications.
3. Insecure code
The source code of applications can be exploited to create counterfeit applications. This is a critical mobile app weakness since attackers have the time and technique to reverse engineer an application due to code vulnerabilities. Below are actions developers can take to ensure attackers are unable to modify applications at will;
- Dynamic memory modification
- Binary patching
- Resource modification
- Method swizzling
- Method hooking
Using security tools like Kiuwan to improve Swift support ensures the application can detect when code integrity is violated. This is a critical security weakness because all an attacker needs to do is download the official application from the official app store. The successful installation of a counterfeit application makes it available for download on the official download site. The unfortunate user who downloads this application is at risk of identity theft, and other dimensions of privacy violations. A correctly coded application should be able to detect at run time that code has been added or what is known about its integrity has been changed.
4. Underprotected APIs
This is a common mobile application mistake that allows attackers to interfere with back-end servers. Since applications are human-computer interfaces, they have to be backed by a back-end server. Attackers use a proxy to manipulate Insecure Direct Object References (IDOR) to inspect HTTP traffic. This is a basic yet common mistake that leaves an application vulnerable to malware attacks. Access control can only be effective when it is enforced in a trusted server-side code to ensure an attacker cannot modify the access control check.
5. Peripheral functionality
This common security weakness makes it easy for attackers to exploit the application’s less secure environment. Extraneous functionality is something attackers are usually looking for and it is left behind when applications are packed for production. To prevent this vulnerability, application configurations need to be inspected to ensure there are no dead codes. Common patterns associated with extraneous functionality include code and development environments as well as debugging flags. This is a security weakness that gives attackers detailed information about how the back-end server works. Not to forget that access to less secure application environments increases the attack surface. Aside from the removal of all dead code before packing the application, a developer should also be able to identify hidden switches or flags that might give attackers access to the back-end server.
Swift is an open source, multi-paradigm language that allows developers to create web as well as mobile applications. Since technological advancements also mean attackers more sophisticated techniques to tamper with applications, developers need to avoid these common security mistakes to ensure produced applications are secure. Security tools like Kiuwan Code Security improve swift support to ensure attackers are unable to manipulate applications at will.