[Owasp-Mobile-Project] Fwd: Mobile Top 10

Ludovic Petit ludovic.petit at owasp.org
Fri Sep 17 08:08:01 EDT 2010


In fact, forget *"Well, my opinion is that we should also ensure a secure
design to ensure that the systems meet the business requirements, which
should be clearly defined before we address the security",* as we do not aim
to write something business-oriented.

However, and just fyi for those interested about the topic from a global
perspective, here are two other interesting inputs:

BONDI, http://bondi.omtp.org/default.aspx

GSM World OneAPI, http://www.gsmworld.com/oneapi/

Cheers
- Ludovic
---------- Forwarded message ----------
From: Ludovic Petit <ludovic.petit at owasp.org>
Date: Fri, Sep 17, 2010 at 12:27 PM
Subject: RE: [Owasp-Mobile-Project] Mobile Top 10
To: owasp-mobile-project at lists.owasp.org


Hi guys

Sorry, I've been quite quiet for a while, I was on a business trip.

Well, my opinion is that we should also ensure a secure design to ensure
that the systems meet the business requirements, which should be clearly
defined before we address the security.

I would suggest that the "system", I mean the environment, i.e. the overall
Mobile -secure- context, should protect against the following security
threats:

   - *Privacy*, where there is a risk of disclosure of personal information,
   such as the usage, identity etc. This also covers data in storage and
   transmission
   - *Authentication* of the identities of the network elements, so that it
   is not possible for one element to masquerade as another
   - *Integrity* of the data, so that it is not possible to change the data in
   storage and transmission
   - *Security of the software*, so that the software cannot be
   hacked/subverted (from buffer overflow to more sophisticated attacks)
   - *Denial of Service* threats, where the system may be degraded

and eventually (but my feeling is that this is a little bit out of the
scope)

   - *Hardware integrity*, so that it is not possible to subvert the
   hardware, and keep sensitive processes secure (secure boot etc, see TR0 and
   TR1 below).

In such a case, reference could be made to the following relevant materials
for background (from the OMTP - Open Mobile Terminal Platform):

OMTP Security Threats on Embedded Consumer Devices
http://www.omtp.org/Publications/Display.aspx?Id=57664db6-5feb-4476-ab0c-cf2891732a0c

Advanced Trusted Environment: OMTP TR1
http://www.omtp.org/Publications/Display.aspx?Id=3531a022-c606-42ad-bf02-4c8d10dc253e

OMTP Trusted Environment: OMTP TR0
http://www.omtp.org/Publications/Display.aspx?Id=4e5c11e5-4779-4775-ac5a-cfad53f6aa36

Again, it's just an idea, and as such, some of the above proposals/items
could of course be removed, depending on the way we would like to achieve a
Mobile Top Ten and what has to be taken into account.

My feeling is that we must focus on Apps, Secure Coding, but Apps, more or
less in the same way as the Top Ten BUT, Mobile-oriented, so that both
documents could complement each other.

Anyway, these are just ideas.

-- 
Ludovic

 ------------------------------
*From:* owasp-mobile-project-bounces at lists.owasp.org [mailto:
owasp-mobile-project-bounces at lists.owasp.org] *On Behalf Of *Sherif Koussa
*Sent:* Thursday, September 16, 2010 10:35 PM
*To:* Mike Zusman
*Cc:* owasp-mobile-project at lists.owasp.org

*Subject:* Re: [Owasp-Mobile-Project] Mobile Top 10

I am just going to keep a list of tasks here accompanying this conversation,
and please feel free to edit/add/remove:

1- Define scope: mobile apps vs mobile browsers (tendency to remove the apps
optimized for mobile web browsers)
2- Define scope: mobile apps vs server apps serving these mobile apps
3- Spell out or distinguish pre-installed apps
4- Are we going to push for better crypto in the hardware/OS layer, or focus
on correcting common crypto flaws made by third-party devs?
5- What is considered sensitive data? Should we push to encrypt this data?

Sherif