Secure Coding mailing list archives

Re: Static code review for iPhone developers?


From: Kenneth Van Wyk <ken () krvw com>
Date: Thu, 29 Jul 2010 15:26:40 -0400

On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:
> Anyone know of any static code analysis tools that can scan an iPhone app package?  Something that integrates with 
> the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for.  
> Any SCA product vendors currently doing this?  Please contact me on or off list.

Thanks to all who responded.  Great suggestions.

Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM) that Dan Cornell cited here.  
(http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)

Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including 
C++ and Objective C.  Memory leaks, uninitialized variables, type mismatches, and that sort of thing should be pretty 
easy to spot using Clang.

I'm hoping also for something that goes beyond that.  How about analysis of static code for use of secure network 
connections, session management (for client-server apps), protection of sensitive data (at rest and in transit), and 
that sort of thing.  These are relatively language-agnostic needs, but would be extremely useful in a static analysis 
tool, IMHO.

I'll bet the folks who coded the Citi banking app could have made good use of something like that...  :-\

In any case, thanks again for all the responses.  Speaks volumes for the quality of folks we have here in the SC-L 
community.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates
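As an added illustration of the kind of language-agnostic check the message above asks for, beyond what the Clang analyzer reports (this is example code written for this archive page, not code from the thread, from Apple's analyzer, or from any vendor's product): a small Python scan over a constructed Objective-C fragment that flags cleartext `http://` endpoints and sensitive values written to NSUserDefaults. NSURL and NSUserDefaults are real Cocoa APIs; the source fragment, rule names and keyword list are constructed assumptions.

```python
import re

# Constructed Objective-C fragment standing in for an app's source tree
# (sample input for this example, not code from the thread).
SAMPLE_SOURCE = '''
NSURL *api = [NSURL URLWithString:@"http://api.example.com/login"];
NSURL *cdn = [NSURL URLWithString:@"https://cdn.example.com/assets"];
[[NSUserDefaults standardUserDefaults] setObject:password forKey:@"password"];
[[NSUserDefaults standardUserDefaults] setObject:theme forKey:@"theme"];
'''

# Two checks the Clang analyzer does not perform: a connection over
# cleartext HTTP, and a sensitive value stored in the unencrypted
# preferences store instead of the keychain.
CLEARTEXT_URL = re.compile(r'@"(http://[^"]+)"')
DEFAULTS_WRITE = re.compile(
    r'NSUserDefaults[^;]*setObject:\s*(\w+)\s+forKey:@"(\w+)"')
# Assumed keyword list; a real tool would take this from configuration.
SENSITIVE = {"password", "passwd", "token", "secret", "pin", "session"}


def scan(source):
    """Return (line_number, rule, detail) tuples, one per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CLEARTEXT_URL.search(line)
        if m:
            findings.append((lineno, "cleartext-transport", m.group(1)))
        m = DEFAULTS_WRITE.search(line)
        if m:
            var, key = m.group(1), m.group(2)
            # Flag the write if either the variable or the key looks sensitive.
            if any(w in var.lower() or w in key.lower() for w in SENSITIVE):
                findings.append((lineno, "sensitive-at-rest", key))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {detail}")
```

Running it on the sample reports the cleartext login URL and the password written to NSUserDefaults, while the HTTPS CDN URL and the theme preference pass.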



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
