Poor code quality ranks seventh on the Open Web Application Security Project’s (OWASP) list of Top 10 Mobile Security Risks. As a mobile application developer, you are no stranger to impossible deadlines. In a rush to get things done, well-structured code might drop down the list of priorities. Though this gets the job done momentarily, poor-quality code can have severe implications in the long run. Let’s understand the need for good code quality and the impacts it can have on overall application security.
Poor Code Quality
While there is no set definition for poor-quality code, the quality of a piece of code can be judged by a few essential aspects; these include:
- Readability & Consistency: A readable and well-documented code is easier to understand, review, maintain and understand.
- Predictability, reliability, and robustness: Quality code leads to predictable application behaviour and mitigates risks of hidden bugs which can then lead to security lapses.
- Maintainability and extensibility: Maintaining or adding existing code to improve application functionality or add new features should be easy.
Poor code quality is a piece of code that scores very low on the parameters mentioned above.
As mobile developers, you would have found yourself in a situation where it is required to add new functionality to an existing application that another developer may have coded at some point.
If the code is well-written and documented, it would be easier to interpret and integrate the new code. If this were not the case, a lot of precious time would be lost trying to figure things out, resulting in lower productivity. The same can be said for proper error handling as well.
A lot of time can be saved during the testing phase if errors are caught and logged consistently.
Reasons and Factors Responsible for Poor Quality Code
Poor quality code can affect the overall security of the completed mobile application. Sometimes, you may only have a completed mobile application if you make it past the testing phase.
Poor quality code does not arise by following poor coding practices alone but can also be a product of external factors. Some of these include:
Poor work ethics, impossible deadlines, and poor technical expertise can leave development teams in technical debt.
Weak QA practices in your SDLC:
Not performing unit or manual testing. Ignoring the importance of code review and automated testing and skipping them just to meet deadlines can also lead to poor code quality.
Using the incorrect architecture:
Ensure the architecture you are employing allows for code reuse and is a good fit for development and functional requirements.
Poor quality code can also result from not maintaining good coding practices. Inconsistent coding style, lack of code documentation, messy code with low cohesion, high coupling, and code repetition are some examples of poor code quality.
How to Prevent Low Code Quality and Improve It?
Poor application code quality can be improved by following a few good standard coding practices. These include the following:
Maintain a consistent coding standard:
A consistent coding standard improves the overall code readability. Consistent and readable code can significantly reduce code complexity and prevent the development team from incurring significant technical debt. Maintain compatible and consistent class, variable and method names. Document classes, properties, methods, and complex blocks of codes with clear and concise comments. Promote code reusability to achieve a lower class/method complexity.
Implement code review and adhere to best practices:
Always analyse and review code consistently. Errors caught early in the development phase can save you when time and application complexity work against you. If the project has the budget, add manual testers to the team. At the same time, take advantage of automated testing. Use code analysis tools to identify potential problems before merging new code changes.
Refactor legacy code when necessary:
Refactoring can improve the overall quality of the codebase and help reduce its complexity.
Prioritise memory leaks and buffer overflow issues:
Memory leaks and buffer overflow/overruns can make your code vulnerable to attacks. Threat agents can use third-party tools to perform static analysis or fuzzing to detect these issues, which are not too difficult to exploit. When using buffers, ensure the length of any incoming buffer data does not exceed the size of the target buffer.
For example, Whatsapp engineers discovered a security flaw that was exploited by threat agents who could install malware into targeted smartphones creating and manipulating a buffer overflow with operations as simple as making a WhatsApp call. Though the security flaw was patched in the subsequent updates, it shows the impact poor code quality can have on an application’s overall security.
A good quality code can benefit you in multiple ways, from better security for your mobile application to an overall smoother and cost-effective SDLC. Poor application code quality should be addressed early on or promptly to avoid a vicious cycle of technical debt, tighter deadlines, poor code quality, and increased project costs.