Secure Coding mailing list archives
Re: Static code review for iPhone developers?
From: Kenneth Van Wyk <ken () krvw com>
Date: Thu, 29 Jul 2010 15:26:40 -0400
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:

> Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any SCA product vendors currently doing this? Please contact me on or off list.

Thanks to all who responded. Great suggestions. Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM) that Dan Cornell cited here: http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html

Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including C++ and Objective C. Memory leaks, uninitialized variables, type mismatches, and that sort of thing should be pretty easy to spot using Clang.

I'm hoping also for something that goes beyond that. How about analysis of static code for use of secure network connections, session management (for client-server apps), protection of sensitive data (at rest and in transit), and that sort of thing? These are relatively language-agnostic needs, but would be extremely useful in a static analysis tool, IMHO.

I'll bet the folks who coded the Citi banking app could have made good use of something like that... :-\

In any case, thanks again for all the responses. Speaks volumes for the quality of folks we have here in the SC-L community.

Cheers,
Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
Attachment: smime.p7s
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- Static code review for iPhone developers? Kenneth Van Wyk (Jul 29)
- Re: Static code review for iPhone developers? Dan Cornell (Jul 29)
- Re: Static code review for iPhone developers? Kenneth Van Wyk (Jul 29)