[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Tue Nov 4 13:07:25 UTC 2014


If obfuscation is part of an OPEN group's suggestions then something really
wrong happened.
On Nov 4, 2014 8:02 AM, "Eoin Keary" <eoin.keary at owasp.org> wrote:

> Let's avoid hard-coded secrets so 😜
>
> Sent from my iPhone
>
> > On 4 Nov 2014, at 09:19, Jim Manico <jim.manico at owasp.org> wrote:
> >
> > Obfuscation just slows the attacker from finding hard-coded secrets; it
> > does not stop them. This is why I personally think these
> > obfuscation-centric defenses do not belong in any developer-centric top
> > ten, nor should they be used as an excuse to mask horrifically bad
> > practices like hard-coded secrets.
> >
> > > Code that is not obfuscated can also be easily abused to create rogue
> > > malicious apps, especially for Android.
> >
> > Now this IS a good reason to use obfuscation technology, but again, it's
> > not a savior, only a speed bump. The only way to really stop rogue
> > applications is to monitor various app stores and report them in a timely
> > fashion, unfortunately.
> >
> > My 2 idealistic cents,
> > - Jim
> >
> >> On 11/4/14 3:58 PM, Erwin Geirnaert wrote:
> >> Hi Andrew,
> >>
> >> If mobile code is not obfuscated it can be a starting point to detect
> >> hard-coded secrets.
> >> Code that is not obfuscated can also be easily abused to create rogue
> >> malicious apps, especially for Android.
> >>
> >> So I think it should be there.
> >>
> >> Best regards,
> >>
> >> Erwin
> >>
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org
> >> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
> >> Sent: 04 November 2014 08:07
> >> To: owasp-leaders at lists.owasp.org
> >> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of
> >> interest in M10
> >>
> >> Hi folks,
> >>
> >> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> >> Number 10 includes a control that I don't believe is a sound security
> >> control (security through obfuscation). Coupled with the nature of the
> >> employers of those who contributed, all of whom have some form of
> >> obfuscation product, I'm really not comfortable that M10 is a sound control
> >> or that the risk of binary analysis is so high that it requires one (no other
> >> OWASP standard contains it!), and, more to the point, M10 has a strong
> >> appearance of conflict of interest.
> >>
> >> I know many of those involved in the project, and don't doubt for a
> >> second their honest desire to create actionable advice, but I am very
> >> concerned that the Mobile Top 10 has an obfuscation control written in by
> >> folks who sell obfuscation controls.
> >>
> >> Can we please see the research that demonstrates that binary analysis
> >> is one of the top threats to well-written mobile code? I use it as a way to
> >> improve my clients' apps, and obfuscation just makes my job harder, not the
> >> code safer.
> >>
> >> thanks
> >> Andrew
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>