[Owasp-mobile-security-project] Top 10 Risks Presentation
Zach Lanier
zach at n0where.org
Thu Oct 6 11:37:19 EDT 2011
Clearly the answer is to just integrate Convergence into every app
developed, and put that sort of trust management in the hands of the
user.
On Thu, Oct 6, 2011 at 11:35 AM, Floyd Fuh <floyd_fuh at yahoo.de> wrote:
> Hi James,
> I disagree. Having the private key on a server that is under the control of
> the company is fine. I agree that it doesn't solve the problem of insecure
> client side storage, but I've seen two examples where asymmetric crypto would
> have helped, but they chose symmetric crypto:
> - A company was encrypting the geolocation on Android before sending it over
> the wire to their company servers. By decompiling the Android app I was able
> to intercept the traffic and decrypt the location. So, if they really want to
> encrypt the geolocation they should use a public key without the
> corresponding private key on the client.
> - A company was sending login credentials to their servers over HTTPS. But
> the app was not checking the SSL server certificate. In the MITM attack I saw
> encrypted credentials, so I looked for the key and found it in the Android
> app. Again, asymmetric crypto would have helped.
> I agree that using SSL properly is an option here. But to be honest I like
> the idea that companies start to ship their own public keys in apps. The
> "trust" is much stronger this way. You don't have to trust strange, failing,
> hackable CA root companies. SSL is broken. Anyone in for a flamewar? ;)
> cheers
> floyd
>
> -----
> http://www.floyd.ch
> ________________________________
> From: "McGovern, James" <james.mcgovern at hp.com>
> To: "owasp-mobile-security-project at lists.owasp.org"
> <owasp-mobile-security-project at lists.owasp.org>
> Sent: 2:35 Wednesday, 28 September 2011
> Subject: Re: [Owasp-mobile-security-project] Top 10 Risks Presentation
>
> Floyd, we have to expand on the thought of storing a private key on the
> server since this may result in moving the problem vs. solving a problem.
>
> Jack, Mike, Zach what do we believe are the risks associated with
> distribution? For example, do we believe that distribution via certain app
> stores such as Amazon can weaken security? How does a developer understand
> which stores are better than others?
>
> From: owasp-mobile-security-project-bounces at lists.owasp.org
> [mailto:owasp-mobile-security-project-bounces at lists.owasp.org] On Behalf Of
> Floyd Fuh
> Sent: Tuesday, September 27, 2011 6:00 PM
> To: Jack Mannino; owasp-mobile-security-project at lists.owasp.org
> Subject: Re: [Owasp-mobile-security-project] Top 10 Risks Presentation
>
> Hi Jack, Mike, Zach
>
> I like the presentation. Are these real examples or did you just make them
> up?
>
> About Code Obfuscation: Some of the obfuscation applied for Android is just
> a joke. Depending on what the attacker wants to achieve, it doesn't raise the
> bar at all. So maybe we could use "good" in front of the word "obfuscation"?
> --> Good obfuscation raises the bar
>
> About M9 Broken Crypto: What really annoys me is that a lot of developers use
> symmetric crypto (and store the key in the source code) when they could use
> asymmetric crypto (public key on device, private key on server) and would be
> on the good side (at least a MITM/network sniffer has no chance to decrypt).
> --> Use asymmetric crypto when server involved
>
> I did some Android research; I'm talking about it in October and I got some
> scary real-world examples... so I could share these when my slides go online
> if you're interested.
>
> Just my 0.02$ and thank you for the great work so far!
>
> cheers
> floyd
>
>
> -----
> http://www.floyd.ch
> twitter: floyd_ch
> ________________________________
> From: Jack Mannino <jack at nvisiumsecurity.com>
> To: owasp-mobile-security-project at lists.owasp.org
> Sent: 18:50 Tuesday, 27 September 2011
> Subject: [Owasp-mobile-security-project] Top 10 Risks Presentation
> I've posted the presentation that Mike Zusman, Zach Lanier, and I gave
> at Appsec USA last week in Minneapolis.
>
> http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
>
> The list is out in release candidate form, and we want to take the next 60
> days to refine it. Some risks may move up or down by the time we release
> the final version.
>
> Again, a top 10 list serves ONLY as a starting point. Our goals with the
> Top 10 are to: 1) promote awareness and 2) give teams somewhere to start
> when trying to write secure apps. By no means is the Top 10 a comprehensive
> framework for developing secure mobile apps. That part is what comes next
> =)
>
> If you have feedback, please post it to the list so we can keep a dialogue
> going amongst the group.
>
> Jack Mannino
> _______________________________________________
> Owasp-mobile-security-project mailing list
> Owasp-mobile-security-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-mobile-security-project
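The "public key on device, private key on server" arrangement Floyd recommends for M9, as an added example that is not part of the original thread: the client seals each geolocation report with a fresh AES-GCM key and wraps that key with the server's RSA public key, so decompiling the app yields only a public key that cannot open the envelopes. It uses the javax.crypto APIs available on Android and standard Java; the key pair in main is constructed so the demo runs stand-alone, whereas a real app would embed only the server's public key bytes.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class LocationEnvelope {
    // Client side. The APK ships only the server's public key (SPKI DER), so a
    // decompiled app yields nothing that can open the envelopes it produces.
    static byte[] sealForServer(byte[] serverPubDer, byte[] plaintext) throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(serverPubDer));
        SecureRandom rng = new SecureRandom();
        byte[] dek = new byte[32], iv = new byte[12];     // fresh AES-256 data key and GCM nonce per message
        rng.nextBytes(dek); rng.nextBytes(iv);
        SecretKey key = new SecretKeySpec(dek, "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] body = gcm.doFinal(plaintext);
        Cipher oaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        oaep.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = oaep.doFinal(dek);              // only the server's private key can unwrap this
        // Wire format: [2-byte wrapped length][wrapped key][12-byte IV][GCM ciphertext + tag]
        return ByteBuffer.allocate(2 + wrapped.length + 12 + body.length)
                .putShort((short) wrapped.length).put(wrapped).put(iv).put(body).array();
    }
    // Server side: the only party holding the private key.
    static byte[] openOnServer(PrivateKey priv, byte[] envelope) throws GeneralSecurityException {
        ByteBuffer in = ByteBuffer.wrap(envelope);
        byte[] wrapped = new byte[in.getShort() & 0xFFFF]; in.get(wrapped);
        byte[] iv = new byte[12]; in.get(iv);
        byte[] body = new byte[in.remaining()]; in.get(body);
        Cipher oaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        oaep.init(Cipher.DECRYPT_MODE, priv);
        SecretKey key = new SecretKeySpec(oaep.doFinal(wrapped), "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return gcm.doFinal(body);                         // AEADBadTagException if the envelope was altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();  // constructed for the demo; in production the private key never leaves the server
        byte[] wire = sealForServer(server.getPublic().getEncoded(), "lat=47.37,lon=8.54".getBytes("UTF-8"));
        System.out.println(new String(openOnServer(server.getPrivate(), wire), "UTF-8"));
    }
}
```

Crypto providers differ on the MGF1 digest behind that OAEP transformation string, so when the app and the server run different stacks pass an explicit OAEPParameterSpec on both sides.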