Kotlin SCP: Mobile Secure Coding Practices Guide

Kotlin Secure Coding Practices (Kotlin SCP for short) is a guide written for anyone using Kotlin for mobile development. This guide is a collaborative effort started by Checkmarx Security Research Team, open-sourced for community contributions, aiming to help developers avoid common mistakes.

Kotlin SCP allows developers to dig into the top 10 most common mobile application risks according to the 2016 OWASP Mobile Top 10. For each risk, meaningful documentation and vulnerable source code samples are provided, as well as exploitation videos.

The vulnerable source code samples are taken from Goatlin (aka Kotlin Goat), an open-source, deliberately insecure mobile application. Goatlin is also the target of the exploitation videos, so readers can practise by replaying each attack against a locally deployed Goatlin instance.

Goatlin has several feature branches named after the top 10 risks (e.g. feature/m1-improper-platform-usage). In such branches, the underlying vulnerability is fixed. Comparing the source code of the feature branch against the master branch, readers will get the source code changes required to address that specific vulnerability (example for the “M1 Improper Platform Usage” risk). Switching to the feature branch and repeating the exploitation steps, readers should confirm that the underlying vulnerability is fixed.

Kotlin SCP was conceived as a new approach to teaching secure mobile application development, letting software developers dig deeper into the security aspects by playing the offensive role.

Kotlin SCP sections will be reproduced here: feel free to leave your reply with comments, suggestions, or questions in the appropriate post. If you want to contribute to Kotlin SCP or Goatlin, check the corresponding GitHub repositories.
