Swift : Unsafe reflection

Use of reflection: it is possible to execute arbitrary malicious code or use undocumented methods which would be rejected at the Apple Review if used explicitly.

An attacker could supply values to select the unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. This situation becomes a scenario of attack if the attacker can upload files into a location that appears on the application’s classpath or add new entries to the application’s classpath. Thus the attacker can use reflection to introduce new, malicious behavior into the application.

• An attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.
• An attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API. This could cause the application to exit or hang.
• By causing the wrong code to be invoked, he might be able to trigger a runtime error that leaks sensitive information in the error message.

Client Side Injection vulnerabilities take the seventh place in the “OWASP Mobile Top 10 2014” mobile application vulnerabilities ranking.