October is the annual National Cybersecurity Awareness Month (NCSAM), which is promoted by the U.S. Department of Homeland Security and the National Initiative for Cybersecurity Careers and Studies (NICCS). According to the NICCS, “Held every October, NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and e-commerce security.”
In light of NCSAM, it is worth noting that the root causes of today’s data breaches (which certainly affect citizen privacy) are repetitive in nearly every case. Vulnerable people, processes, or software are almost always the facilitators. Unfortunately, vulnerable people will continue to fall prey to phishing attacks, and vulnerable processes will often remain in place. Vulnerable software, however, is something that can be substantially reduced when developers understand and consistently apply secure coding practices. Organizations that do not fully vet their software applications before releasing them put themselves and their users at unnecessary risk, and may face the consequences when attackers target them.
Since this year’s overarching message focuses on citizen privacy, consumer devices, and e-commerce security, one area of concern that is often overlooked deserves discussion. The security of today’s mobile applications (apps), which run on consumer devices and interact with e-commerce and other sites, needs to be prioritized now more than ever. Without applying secure coding practices to mobile app development, organizations are likely releasing vulnerable apps that are ripe for exploitation. There is a growing need for secure coding practices among mobile developers, and meeting it is what produces more-secure mobile apps.
Another Good Project with a Noble Cause
Understanding this need, the Checkmarx Security Research Team today released the Kotlin Guide - Mobile Application Secure Coding Practices to help spread awareness of the most common coding errors made when building mobile apps in the Kotlin language. For those who may be unfamiliar, Kotlin is a programming language for modern multiplatform applications, 100% interoperable with Java™ and Android™. Google now fully supports it as an alternative to Java for Android development, and since May 7, 2019, Kotlin has been Google’s preferred language for Android app development. It is therefore important for developers to familiarize themselves with the language and to understand secure coding practices for mobile apps written in Kotlin.
The Checkmarx Research Team recently considered how an attacker might approach Kotlin-based mobile apps. The authors of the Kotlin Guide mapped the OWASP Mobile Top 10 security weaknesses to Kotlin on a weakness-by-weakness basis, providing examples, recommendations, and fixes to help developers avoid common mistakes and pitfalls. By reading the Kotlin Guide and referring to it often, developers and AppSec teams will learn how to develop and release more-secure mobile apps when using Kotlin. This is one of the first publications of its kind to be accompanied by a deliberately vulnerable Kotlin app, called Goatlin, which is publicly accessible to anyone who would like to learn more. Links to Goatlin are provided in the Kotlin Guide.
This type of research is part of the Checkmarx Research Team’s ongoing effort to drive the necessary changes in software security practices among organizations that develop and heavily rely on mobile apps, while raising security awareness among the consumers who use them. Protecting the privacy of consumers must be a priority for all of us in today’s increasingly connected world. As software security and programming language experts, the Checkmarx Research Team felt compelled to create the Kotlin Guide and share it with developers and AppSec teams worldwide in the hope of improving security for everyone.
Why This Guide is Important
Even the U.S. Government recognizes that mobile application security is a serious concern. In 2017, a Study on Mobile Device Security was performed by the Department of Homeland Security (DHS) in consultation with the National Institute of Standards and Technology (NIST) via the National Cybersecurity Center of Excellence. The study states that vulnerabilities in applications are usually the result of a failure to follow secure coding practices, and that such vulnerabilities typically result in some form of compromise of a user’s data.
In its effort to move developers from Java to Kotlin for Android development, Google offers guided, tutorial-style, hands-on coding lessons for Kotlin developers. This past September, Google Codelabs updated several of its training modules, including Android Kotlin Fundamentals, Kotlin Bootcamp for Programmers, and Refactoring from Java to Kotlin. Combining these training modules with an understanding of the vulnerabilities highlighted in the Kotlin Guide should give developers a better grasp of the tools required to begin developing more-secure mobile apps for Android-based devices when using Kotlin.
Download the Kotlin Guide - Mobile Application Secure Coding Practices here.