Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Swift static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your SWIFT code

Filtered: 22 rules found

cwe

Impact

Clean code attribute

Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

consistency - conventional

security

Security Hotspot

On iOS and macOS, the Keychain is the dedicated secure container for storing key materials or secrets. When using Keychain services, the complexities of encryption are handled by the system, which ensures that the data is stored securely. Keychain also provides fine-grained access control, allowing developers to specify the conditions under which a keychain item can be accessed. For instance, access control can be configured to require user authentication, such as Face ID, Touch ID, or passcode, every time an application attempts to access the Keychain item. This measure protects the keychain item from unauthorized access, even if the device has no passcode or is already unlocked.

Ask Yourself Whether

The application requires prohibiting the use of keys in case of compromise of the application process.
The key material is used in the context of a highly sensitive application like a e-banking mobile app.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to enable user authentication by setting kSecAttrAccessControl using the SecAccessControlCreateWithFlags function. It allows you to require user authentication (such as Face ID, Touch ID, or passcode) before accessing the keychain item.

Sensitive Code Example

The generated key can be used without authentication.

import Security

let parameters: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 4096,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "a-private-key"
    ]
]

SecKeyCreateRandomKey(parameters as CFDictionary, nil) // Noncompliant

Compliant Solution

Accessing the key will trigger a local authentication.

import Security

let parameters: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 4096,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "a-private-key",
        kSecAttrAccessControl as String: SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence,
            nil
        )!
    ]
]

SecKeyCreateRandomKey(parameters as CFDictionary, nil)

See

developer.apple.com - Restricting keychain item accessibility

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted