Swift Security Vulnerabilities and Language Overview


What is Swift?

Swift development began in secret in 2010 by Apple employee Chris Lattner who worked hard on his evenings and weekends to create a new way of designing and building computer software. Throughout the initial Swift development, he kept it a closely guarded secret until he revealed it to Apple executives who initially fortified Lattner’s project with more experienced Apple engineers before completely shifting gears and making Swift a major Apple focus about a year and a half after Lattner’s initial revelation.


Language comparison matrix shown at WWDC 2014

Swift incorporates ideas from a number of existing programming languages, particularly C#, Python and Ruby, and can be characterized as “Objective-C without the C,” since Swift is largely Objective-C with different syntax. Released publicly in 2014, Swift is a general-purpose, multi-paradigm, compiled programming language designed to work with Apple’s Cocoa and Cocoa Touch frameworks in addition to the large body of extant Objective-C (ObjC) code written for Apple products.

Unlike the lukewarm developer response to Google’s Go language debut in 2009, Swift quickly “caught fire,” reaching 2,400 Swift projects on GitHub even while it was available to only a small number of coders. With the soaring popularity of Apple devices, coupled with the fact that Swift was one of the biggest announcements of the 2014 WWDC, it was clear that Swift was about to become the next big thing, as programmers had a huge incentive to adopt the new language. All of this contributed to Wired’s July 2014 headline (prior to Swift’s public release) that “Apple’s Swift Language Will Instantly Remake Computer Programming.” Swift won first place for Most Loved Programming Language in the Stack Overflow Developer Survey 2015 and second place in 2016. In terms of platform support, Swift can be ported across a wide range of platforms and devices.

Why Was Swift Initially Created?

Fueled by his research and experience with the Low Level Virtual Machine (LLVM) compiler infrastructure, Lattner began his stealth development of the new programming language that would become Swift. Swift was designed to be “more resilient to erroneous code (“safer”) than Objective-C, and more concise,” Lattner said. Swift earned the support of other Apple engineers after Lattner informed management about his project because Apple saw a language that was not only compatible with existing Objective-C frameworks but also incorporated most of the novel features found in the prevailing programming languages introduced in the two preceding decades.

By the time Swift was initially developed, languages and compilers had taken over the “dirty work” that would previously have had to be done by developers themselves, which made it an opportune time to develop and introduce a simpler language that was easier for programmers. For Apple, Swift provided an opportunity to give Apple developers a powerful and intuitive programming language which is “interactive and fun, [with] syntax is concise yet expressive… [while] safe by design, yet also produces software that runs lightning-fast.”

Evolution of Swift

  • June 2014 – The first public application written in Swift is released (the official Apple Worldwide Developers Conference app)
  • September 2014 – Swift 1.0 is released alongside Xcode 6.0 for iOS
  • June 2015 – Swift 2.0 is announced at WWDC 2015
  • September 2015 – Swift 2.0 is made available for publishing apps in the App Store
  • June 2015 – Apple announces that Swift will be entirely open source in the coming months
  • December 2015 – Swift 3.0 roadmap is announced
  • June 2016 – Swift 3.0 Preview 1 released

Swift is announced at WWDC 2014

Who Uses Swift?

Major news broke in April 2016 that Swift may be adopted by Google as a “first class” language for Android. This announcement came a few months after executives from Google, Facebook and Uber met to discuss making Swift more central to their operations. Since its humble origins as Lattner’s passionate side project, Swift has grown into a giant with growing interest and adoption from IBM, Lyft, Firefox, LinkedIn, Coursera and other major corporations.

Swift Code Security

With the amount of trust and sensitive personal data users put into the countless applications on our iPhones and other ‘iDevices’, it’s critical that all applications written in Swift are secure against threats and free from high-risk vulnerabilities. Because Swift is essentially Objective-C with a different syntax, many of the same vulnerabilities that threaten Objective-C code also arise in applications written in Swift.

High-Level Security Threats for Swift Include:

  • SQL Injection (SQLi)
  • Reflected XSS
  • Buffer Overflows
  • Stored XSS
  • And more…
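As an added illustration of the first item in that list (this snippet is not from the original article and is not Checkmarx's code), the following Swift uses the SQLite3 C API that iOS and macOS apps reach through the `SQLite3` module. The `users` table, its rows, the helper names (`makeSampleDatabase`, `collectNames`, `findUserUnsafe`, `findUserSafe`) and the crafted input are all constructed for the example. The vulnerable query splices the caller's string into the SQL text; the fixed query keeps the SQL constant and binds the value as a parameter, which is the same remedy that applies to Objective-C code using the same library.

```swift
import Foundation
import SQLite3

// Constructed for this example: an in-memory SQLite database so the
// snippet runs offline. The table and its rows are made up.
func makeSampleDatabase() -> OpaquePointer? {
    var db: OpaquePointer?
    guard sqlite3_open(":memory:", &db) == SQLITE_OK else { return nil }
    let seed = """
    CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL);
    INSERT INTO users VALUES ('alice', 'alice@example.com');
    INSERT INTO users VALUES ('bob', 'bob@example.com');
    """
    guard sqlite3_exec(db, seed, nil, nil, nil) == SQLITE_OK else { return nil }
    return db
}

// Collects the first column of every row a prepared statement yields.
func collectNames(_ stmt: OpaquePointer?) -> [String] {
    var names: [String] = []
    while sqlite3_step(stmt) == SQLITE_ROW {
        if let text = sqlite3_column_text(stmt, 0) {
            names.append(String(cString: text))
        }
    }
    return names
}

// VULNERABLE: the caller's string is interpolated into the SQL text, so any
// quote characters it contains become part of the query and can change the
// meaning of the WHERE clause instead of being compared as data.
func findUserUnsafe(db: OpaquePointer, name: String) -> [String] {
    let sql = "SELECT name FROM users WHERE name = '\(name)'"
    var stmt: OpaquePointer?
    guard sqlite3_prepare_v2(db, sql, -1, &stmt, nil) == SQLITE_OK else { return [] }
    defer { sqlite3_finalize(stmt) }
    return collectNames(stmt)
}

// SQLite's SQLITE_TRANSIENT destructor is a macro that Swift cannot import
// directly; this is the usual way to spell it from Swift.
let SQLITE_TRANSIENT = unsafeBitCast(-1, to: sqlite3_destructor_type.self)

// FIXED: the SQL text is a constant with a placeholder; the value is bound
// as a parameter, so SQLite treats it purely as data whatever it contains.
func findUserSafe(db: OpaquePointer, name: String) -> [String] {
    let sql = "SELECT name FROM users WHERE name = ?"
    var stmt: OpaquePointer?
    guard sqlite3_prepare_v2(db, sql, -1, &stmt, nil) == SQLITE_OK else { return [] }
    defer { sqlite3_finalize(stmt) }
    guard sqlite3_bind_text(stmt, 1, name, -1, SQLITE_TRANSIENT) == SQLITE_OK else { return [] }
    return collectNames(stmt)
}

// Demonstration: a normal lookup and a constructed hostile input that
// carries a quote. The unsafe query lets the quote rewrite the WHERE
// clause and returns more rows than intended; the safe query compares the
// whole string literally and finds no such user.
if let db = makeSampleDatabase() {
    defer { sqlite3_close(db) }
    let hostile = "x' OR 'a'='a"
    print("unsafe, normal input:", findUserUnsafe(db: db, name: "alice"))
    print("unsafe, hostile input:", findUserUnsafe(db: db, name: hostile))
    print("safe, normal input:", findUserSafe(db: db, name: "alice"))
    print("safe, hostile input:", findUserSafe(db: db, name: hostile))
}
```

Run it with `swift` on a Mac (the `SQLite3` module ships with the system SDK) and compare the two hostile-input lines. The point for review is that the defect is visible in the source without running anything: any query text built with string interpolation from untrusted input is the pattern a static analysis tool flags as SQLi, and the prepared statement with `sqlite3_bind_text` is the form that passes.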

Is Your Swift Code Secure?

Mobile application security is a serious issue as our phones and tablets are important extensions of our lives and contain everything a hacker would need to steal our identity, savings, sensitive personal data and more.

Two alarming findings in the 2015 Ponemon report highlight how wide the gap between developers and proper mobile application security is: one-third of the 640 organizations responding said they never test their apps for security issues before deployment, and the vast majority of the surveyed companies test less than half of the applications they deploy at all.

With the amount of damage that can be done to your company’s reputation and your users’ data, it’s critical that you scan your Swift code for potential vulnerabilities before it goes to production. The best, fastest and most effective way to do that is a static code analysis tool that integrates at every stage of your software development lifecycle (SDLC), within the tools your developers are already using.

Checkmarx’s CxSAST is a static code analysis solution that supports Swift out of the box. Since Swift is essentially Objective-C with slightly different syntax, the Checkmarx scanner interprets Swift as Objective-C in the backend before scanning the code. As a result, Checkmarx scans Swift code for over 60 quality and security issues, including twelve of the most severe and most common issues that cannot be left unfixed.

About Checkmarx

Checkmarx develops solutions used by developers and security professionals to identify and fix vulnerabilities in web and mobile applications early in the development lifecycle. We provide an easy and effective way for organizations to automate security testing within their Software Development Lifecycle (SDLC) which systematically eliminates software risk before applications are released. Amongst the company’s 1,000 customers are 5 of the world’s top 10 software vendors and many Fortune 500 and government organizations, including SAP, Samsung, Salesforce.com and the US Army.


Are you developing in Swift? Learn more by reading 40 Tips You Must Know About Secure iOS App Development

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.