[Owasp-leaders] Please root these devices (project and customer awareness)

dinis cruz dinis.cruz at owasp.org
Wed Nov 23 19:04:27 EST 2011


Hey, I know that there is a job board at the OWASP wiki, so sorry to post
this here, but this is a cool opportunity and it raises
some interesting questions, so here it is....

I just got asked to see if I could recommend a good AppSec and
Reverse Engineer person to spend one month breaking the security of a
tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: *'...please
root this device, show how to install malicious apps on it without root,
and/or show how to extract encrypted content...'* (so if you know somebody
or are interested please ping me directly)

What is interesting about this gig is the company that it is from. Usually
those corporate folks are a bit more gentle and politically correct, but this
shows that these guys really want to know the problems first (which is a
nice evolution in our market). I have to say that 'finally' I have seen
more people/customers who want to be secure (vs being compliant or wanting
to be seen doing something about it).

It also shows how interconnected our day-to-day devices are becoming, and
how big a can of worms (from a security point of view) they can/will be.

Note how web app security is starting to be more and more dependent on the
devices that use it; for example, there could be a number of
vulnerabilities created by how the client/server exchanges occur (it would
be cool to root the device by tricking it into installing something via
a reflected exploit on the server; would we call that a 'Reflected
Root' vulnerability? :) ).

This also feels a lot like the 'return of the fat client', where the
vendors have so much control over the client's device that they extend the
attack surface to it (which could lead to a number of security decisions
being made on the wrong location).

What do you think?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2