SECURITY MECHANISMS AND ANALYSIS FOR INSECURE DATA STORAGE AND UNINTENDED DATA LEAKAGE FOR MOBILE APPLICATIONS

  • Vanessa M. Santana Department of Computer Science, Iona College, 715 North Ave, New Rochelle NY 10801
  • Paolina Centonze Department of Computer Science, Iona College, 715 North Ave, New Rochelle NY 10801
Keywords: OWASP, Mobile, Security, Vulnerabilities, Coding Guidelines, Swift, Objective-C, Java, Android, iOS

Abstract

Developing in a single mobile programming language such as Objective-C, Swift or Java is already challenging from a security point of view, because of the many things that must be considered, including the language's secure coding guidelines and its known vulnerabilities. With the introduction of Swift in 2014, it is now possible to build mobile applications that mix Swift and Objective-C. Building a mobile application in two languages also enlarges the attack surface, because developers must stay up to date on the vulnerabilities of more than one language and operating system.
To the best of our knowledge, there is, as of today, no academic research effort comparing Swift, Objective-C and Android from a programming-language and platform-security point of view. Our comparative analysis covers a subset of the OWASP Top Ten Mobile vulnerabilities: it examines how the Swift, Objective-C and Android programming languages safeguard against these risks, and compares side by side the built-in platform security mechanisms that Android and Apple provide for the chosen subset of OWASP vulnerabilities.

Published
2016-05-24
How to Cite
Santana, V. M., & Centonze, P. (2016). SECURITY MECHANISMS AND ANALYSIS FOR INSECURE DATA STORAGE AND UNINTENDED DATA LEAKAGE FOR MOBILE APPLICATIONS. INTERNATIONAL JOURNAL OF COMPUTERS & TECHNOLOGY, 15(8), 7008-7020. https://doi.org/10.24297/ijct.v15i8.3754
Section
Articles