October is the annual National Cybersecurity Awareness Month (NCSAM), which is promoted by the U.S. Department of Homeland Security and the National Initiative for Cybersecurity Careers and Studies (NICCS). According to the NICCS, “Held every October, NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and e-commerce security.”
In light of NCSAM, there is little doubt that the origins of today’s data breaches (that certainly affect citizen privacy) are repetitive in nearly every case. Vulnerable people, processes, or software are almost always the facilitators. Unfortunately, vulnerable people will continue to fall prey to phishing attacks and vulnerable processes will often remain in place. However, vulnerable software is something that can easily be fixed when developers understand and fully implement secure coding practices. Organizations that aren’t completely vetting their software applications before releasing them are putting themselves and their users at unnecessary risk, and these organizations may face the consequences when targeted by attackers.
Since this year’s overarching message focuses on citizen privacy, consumer devices, and e-commerce security, there is one area of concern that is often overlooked and should be discussed. The security of today’s mobile applications (apps), running on consumer devices, and interacting with e-commerce and other sites, needs to be prioritized now more than ever before. Without applying secure coding practices to mobile app development, organizations are likely releasing vulnerable apps that are ripe for exploitation. Clearly, there is a growing need for secure coding practices among developers, resulting in more-secure mobile apps.
Another Good Project with a Noble Cause
Understanding the need, the Checkmarx Security Research Team released the Kotlin Guide – Mobile Application Secure Coding Practices today to help spread awareness around the most common coding errors when building mobile apps using the Kotlin Language. For those who may be unfamiliar, Kotlin is a programming language for modern multiplatform applications, 100% interoperable with Java™ and Android™. It is now fully supported by Google as an alternative to the Android standard Java compiler. Since May 7, 2019, Kotlin is Google’s preferred language for Android app development. Therefore, it is important for developers to familiarize themselves with this new language and understand secure coding practices for mobile apps when using Kotlin.
The Checkmarx Research Team recently considered how a cyber-attacker might approach attacking Kotlin-based mobile apps. The authors of the Kotlin Guide mapped the OWASP Mobile Top 10 security weaknesses to Kotlin on a weakness-by-weakness basis while providing examples, recommendations, and fixes to help developers avoid common mistakes and pitfalls. After reading the Kotlin Guide and referring to it often, developers and AppSec teams will learn how to ensure they are developing and releasing more-secure mobile apps when using Kotlin. This is one of the first publications ever to be accompanied by a deliberately vulnerable Kotlin app called Goatlin, which is publicly accessible to those who would like to learn more. Links to Goatlin are provided in Kotlin Guide.
This type of research activity is part of the Checkmarx Research Team’s ongoing efforts to drive the necessary changes in software security practices among organizations who develop and heavily rely on mobile apps, while bringing more security awareness amid the consumers who use them. Protecting privacy of consumers must be a priority for all of us in today’s increasingly-connected world. Being software security and programming language experts, the Checkmarx Research Team felt compelled to create the Kotlin Guide to be shared with developers and AppSec teams worldwide in the hope of improving security for everyone.
Why This Guide is Important
Even the U.S. Government recognizes that mobile application security is a serious concern. In 2017, a Study on Mobile Device Security was performed through the joint effort of the Department of Homeland Security (DHS) in consultation with the National Institute of Standards and Technology (NIST) via the National Cybersecurity Center of Excellence. In the study, it stated that vulnerabilities in applications are usually the result of the failure to follow secure coding practices and vulnerabilities typically result in some sort of compromise to a user’s data.
In the effort to move developers away from using Java when building Android apps, Google offers guided, tutorial, and hands-on coding lessons for Kotlin developers. Google Codelabs recently updated some of its training modules this past September which include Android Kotlin Fundamentals, Kotlin Bootcamp for Programmers, and Refactoring from Java to Kotlin. Using these training modules, in addition to understanding the vulnerabilities highlighted in the Kotlin Guide, developers should have a better understanding of the tools required to begin developing more-secure mobile apps for Android-based mobile devices when using Kotlin.
Download the Kotlin Guide – Mobile Application Secure Coding Practices here.