After using Objective-C for decades, Apple is swaying towards its newer and safer Swift programming language. The latter is compatible with Apple’s Cocoa/Cocoa Touch frameworks and works with almost all of the Objective-C code written for Apple computing and mobile devices. This shift has not been smooth and Swift development still has some security issues.
Checkmarx researcher Denis Krivitski, a seasoned Objective-C and Swift expert, has created KeychainSwiftAPI to rectify a glaring issue developers are facing today. These issues are related to the security vulnerabilities created by Swift-to-C interoperability classes. Ironically, accessing the Keychain secure database requires using those classes.
“Swift, when used exclusively, is a great programming language that solves many of the security issues found in C and Objective-C,” Krivitski commented while speaking about the latest developments in the Apple software ecosystem. “But once we bridge it to code written in C or Objective-C, we create exploitable buffer overflow vulnerabilities. Using the wrapper I created can help eliminate these issues and ensure secure Swift development.”
Security issues related to interoperability between C and Swift
The new and upcoming Swift language, which possesses the latest development capabilities for developing OS X and iOS apps, has a wide array of useful features. These include type inference, functional programming paradigm and integer overflow protection. But there is still a long way to go as many libraries are still C based.
The transition of sensitive data via the Swift-to-C Bridge is the Achilles heel of the process.
During Apple Swift development, saving or retrieving data from the C based Keychain database requires complex chunks of code to convert function arguments to C compatible objects and its the same case while converting the results back from cumbersome C compatible objects to regular Swift data-structures.
To make matters worse, coding errors in these large and error-prone chucks of code can lead to multiple security vulnerabilities, increasing the risk of data harvesting and theft.
When using the KeychainSwiftAPI, fetching from the Keychain (database) becomes a matter of a few lines of code and is much more secure as shown in the code snippet below.
How does Checkmarx’s API eliminate Swift development security issues?
This library is basically a wrapper of the iOS C Keychain Framework. It allows the easy and secure storage of sensitive data in secure keychain in Swift projects. Interfacing with the original C keychain API from Swift is cumbersome and is prone to errors which lead to security vulnerabilities that can be exploited by malicious attackers.
As shown above, once installed and in place, the KeychainSwiftAPI solves the problem. Instead of writing big chucks of code, the sensitive data to be saved in the Keychain is encrypted and passed though the KeychainSwiftAPI. This not only saves the developer a lot of work, but eliminates the margin of error and secures the application.
Implementing Checkmarx’s KeychainSwiftAPI
Krivitski’s API, which is currently hosted on Github, solves this problem. This API can be implemented in 4 easy steps, eliminating all involved security issues.
- Import the KeychainSwiftAPI.
- Create a query object.
- Populate the query object with data. Query properties correspond to attribute keys of the C Keychain APO. Protery values correspond to attribute values of the C Keychain API.
- Call Ketchain.secItemAdd, which returns a pair of success code and result object.
- Success code is wrapped in Keychain.ResultCode enum for convenience.
The KeychainSwiftAPI library has been created with secure Apple Swift development in mind. It is complaint with today’s leading security coding practices and guidelines. Installing KeychainSwiftAPI is easy and quick. All you need to do is grab it from CocoaPods and add the following line to your Podfile to complete the installation:
It’s not all bad news..
Apple is aware of the problems that have arisen due to the shift towards Swift. It recently announced Swift 1.2, which has improved interoperability with Objective-C and makes it easier to write Swift code that uses Objective-C libraries. Swift developers also can enjoy the new Set data structure, which bridges with NSSet in Objective C.
Unfortunately, Apple still has to address the aforementioned problem of securing data on the Swift-to-C bridge, which is still an error-prone process. Till this problem is solved, Checkmarx’s KeychainSwiftAPI is an effective Swift development solution to enable smooth and encrypted transfer of data while working with C databases.