[Owasp-Mobile-Project] Mobile Top 10

Sherif Koussa sherif.koussa at gmail.com
Thu Sep 16 09:42:51 EDT 2010


I am thinking we might want to start with some scoping effort, in the sense
of what would be included and what not. For example, are we only considering
mobile apps, or also mobile browsers? By mobile, are we including devices
like iPad, etc., or are we strictly focused on mobile cellular smart devices?

Also, information leakage on mobile devices is kind of higher priority as
far as mobile devices are concerned than, for example, unvalidated redirects
and forwards. Not to say the latter is not a problem, but I believe
information leakage is kind of more important.

Another point: lack of local data encryption on the device is an issue that
is more important on the mobile front rather than the regular
desktop/laptop front. According to some statistics I tried to gather, there
are about 600K laptops lost or stolen every year; however, as far as cell
phones go, I saw stats from 12M to 30M lost or stolen cell phones every year.
Maybe some folks from carrier companies can confirm these stats. What makes
this problem more prevalent is the fact that most corporate laptops with
sensitive information on them will have some kind of username and password or
other protection mechanism, which might act as a mitigating control.
However, very few cell phones would require a password
or a PIN to be able to use the device. Bottom line is: we might want to
spell this out as lack of encryption on the "*client*" as well as the
server.

Another thought. In the original Top 10, the good old Buffer Overflow was
kicked out for obvious reasons. However, with Windows Mobile (C/C++), iPhone
(Objective-C) and Symbian (Symbian C++) we might want to rethink adding back
Buffer Overflows. Not sure if there are so many exploits out there, though,
that use mobile buffer overflows.

My 2 cents :)

Regards,
Sherif

On Wed, Sep 15, 2010 at 11:08 PM, Jack Mannino
<jack at nvisiumsecurity.com> wrote:

> Good Evening,
>
> To follow up on the other thread, has anyone begun to draft up ideas for
> the Mobile Top 10?  I'm really curious to see what some other people think
> about this or have experienced firsthand.
>
> -Jack
>
> _______________________________________________
> Owasp-mobile-project mailing list
> Owasp-mobile-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-mobile-project
>
>