Objective-C Security Vulnerabilities and Language Overview ● Click here to learn how Checkmarx can secure your Objective-C code What is Objective-C? First appearing in 1984, Objective-C was developed by Tom Love and Brad Cox through their company Stepstone. Objective-C was primarily influenced by C and Smalltalk and as a result influenced Groovy, Java, Nu, Objective-J, TOM and Swift. In Stack Overflow’s 2016 Developer Survey, Objective-C ranked as the twelfth most popular technology with slightly over 6.5% of the respondents using it in their development, a decline of over 5% since 2014 Objective-C Features: Classes are objects Dynamic typing Optional static typing Categories Message sending Expressive message syntax Introspection Dynamic run-time Automatic garbage collection C++ fluent Why Was Objective-C Initially Created? Objective-C’s founders were initially introduced to Smalltalk which was a major influence on Objective-C while they were working at the ITT Corporation, a manufacturing conglomerate, in the early 1980s which was focused on communication technology at that time. They both understood that the future of development environments included aspects of Smalltalk as well as backwards compatibility with C when it came to innovations and development in the telecom field. Objective-C also addressed the problem of reusability in software design and programming and as a result the founders were able to demonstrate that they could now support objects in a flexible manner, come supplied with a usable set of libraries, and allow for the code (and any resources needed by the code) to be bundled into one cross-platform format. Tom Love and Brad Cox left ITT Corporation and created Productivity Products International (PPI) in order to help bring their product to market. In 1986, the main description of Objective-C was published in Object-Oriented Programming, An Evolutionary Approach. They went on to change the name of Productivity Products International to Stepstone and in 1988, NeXT, the computer company founded by Steve Jobs, licensed the language which created the AppKit and Foundation Kit libraries that were appreciated throughout the industry despite the fact that NeXT workstations failed to make a large impact. Apple acquired NeXT in 1996 and used NeXT’s Objective-C-based developer tool, Project Builder as well as the interface design tool, Interface Builter, in its new operating system OSX. In 2014, Apple released Swift, a new language which incorporated ideas from a number of existing programming languages, particularly C#, Python and Ruby and can be characterized as “Objective-C without the C” since Swift is largely Objective-C with some different syntax. Swift vs. Objective-C Just a year after Swift was launched, it became apparent that not only was Swift a serious, approachable and feature rich language. Swift quickly “caught fire,” even while it was only available to a small amount of coders with 2,400 Swift projects on GitHub. In his analysis Swift vs. Objective-C: 10 reasons the future favors Swift, Paul Solt of InfoWorld outlines the numerous edges that Swift has over Objective-C. These include: Swift is easier to read Swift is easier to maintain Swift is safer Swift is unified with memory management Swift requires less code Swift is faster Objective-C Security Vulnerabilities High-Risk Objective-C Security Vulnerabilities: Alongside SQL Injections (SQLi), Stored XSS and Reflected XSS, which affect most contemporary programming languages, Objective-C applications also face threats from: Information Exposure Through Extension Second Order SQL Injection Third_Party_Keyboards_On_Sensitive_Field Securing your Objective-C Code Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Objective-C testing solutions as not only the solution which will keep your Objective-C code free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity. CxSAST works with the tools your developers are already using as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features such as incremental code scanning and the best fix location made it ideal for any continuous integration continuous development (CICD) environment. When vulnerabilities are detected in the Objective-C code, CxSAST will not only identify the best fix location, but will also offer resources to the developer to understand how the attack vector work as well as remediation advice which will help them ensure similar mistakes are avoided in the future.