[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Venkatesh Jagannathan venki at owasp.org
Tue Nov 4 13:22:13 UTC 2014


By the same logic then maybe we should prescribe code obfuscation for all
libraries too. Because any library can be decompiled.
My thoughts: Instead of code obfuscation, I think we have to think about
more code execution and direct access protection. What I mean is this: The
compiled code must not be accessible directly through the file system once
deployed in the device but protected from access except for sandboxed
execution on the device memory.
I know I may not be opening the discussion thread in a different direction
but could not help it.
Thanks & Regards
~Venki
On Nov 4, 2014 6:38 PM, "Arturo 'Buanzo' Busleiman" <buanzo at buanzo.com.ar>
wrote:

> If obfuscation is part of an OPEN group's suggestions then something
> really wrong happened.
>  On Nov 4, 2014 8:02 AM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>
>> Let's avoid hard coded secrets so 😜
>>
>> Sent from my iPhone
>>
>> > On 4 Nov 2014, at 09:19, Jim Manico <jim.manico at owasp.org> wrote:
>> >
>> > Obfuscation just slows the attacker from finding hard-coded secrets; it
>> does not stop them. This is why I personally think these
>> obfuscation-centric defenses do not belong in any developer-centric top
>> ten, nor should they be used as an excuse to mask horrifically bad
>> practices like hard coded secrets.
>> >
>> > >  Code that is not obfuscated can also be easily abused to create
>> rogue malicious apps, especially for Android.
>> >
>> > Now this IS a good reason to use obfuscation technology, but again,
>> it's not a savior, only a speed bump. The only way to really stop rogue
>> applications is to monitor various app stores and report them in a timely
>> fashion, unfortunately.
>> >
>> > My 2 idealistic cents,
>> > - Jim
>> >
>> >> On 11/4/14 3:58 PM, Erwin Geirnaert wrote:
>> >> Hi Andrew,
>> >>
>> >> If mobile code is not obfuscated it can be a starting point to detect
>> hard-coded secrets.
>> >> Code that is not obfuscated can also be easily abused to create rogue
>> malicious apps, especially for Android.
>> >>
>> >> So I think it should be there.
>> >>
>> >> Best regards,
>> >>
>> >> Erwin
>> >>
>> >> -----Original Message-----
>> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:
>> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
>> >> Sent: 04 November 2014 08:07
>> >> To: owasp-leaders at lists.owasp.org
>> >> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of
>> interest in M10
>> >>
>> >> Hi folks,
>> >>
>> >> I've had some feedback on Twitter about the OWASP Mobile Top 10.
>> >> Number 10 includes a control that I don't believe is a sound security
>> control (security through obfuscation). Coupled with the nature of the
>> employers of those who contributed, all of whom have some form of
>> obfuscation product, I'm really not comfortable that M10 is a sound control
or the risk of binary analysis is so high that it requires it (no other OWASP
>> standard contains it!), and more to the point M10 has a strong appearance
>> of conflict of interest.
>> >>
>> >> I know many of those involved in the project, and don't doubt for a
>> second their honest desire to create actionable advice, but I am very
>> concerned that the Mobile Top 10 has an obfuscation control written in by
>> folks who sell obfuscation controls.
>> >>
>> >> Can we please see the research that demonstrates that binary analysis
>> is one of the top threats to well written mobile code? I use it as a way to
>> improve my client's apps, and obfuscation just makes my job harder, not the
>> code safer.
>> >>
>> >> thanks
>> >> Andrew
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>>
>
>
>
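The thread's recurring point is that readable app code is a starting point for finding hard-coded secrets, and that obfuscation or a trivial encoding only slows that search down. The following is an added example, not code from any poster or from the OWASP Mobile project: a small pre-release check that scans source (or decompiler output) for string literals that look like credentials. The sample Java-like source, the key patterns and the entropy threshold are all constructed for the example; the `AKIA` prefix is the well-known AWS access-key-id format, used here only as a pattern to recognise.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample resembling decompiled Android source; not from any real app.
# The "obfuscated" token is just a base64 encoding of a constructed secret.
SECRET_TOKEN_B64 = base64.b64encode(b"example-secret-token-1234").decode("ascii")
SAMPLE_SOURCE = f"""\
public class ApiClient {{
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String API_KEY = "AKIAEXAMPLEKEY000001";
    private static final String TOKEN = "{SECRET_TOKEN_B64}";
    private static final String SESSION_SALT = "q8Zr2v-Lp0XyTk5mNw3Bh7Jd1";
    private static final String GREETING = "Welcome back";
}}
"""

# Double-quoted string literals without escapes (enough for the sample).
STRING_LITERAL = re.compile(r'"([^"\\]*)"')
# Credential formats with a recognisable shape. Only one is listed here
# (AWS access key id); a real scanner would carry a longer list.
KNOWN_PATTERNS = {
    "aws_access_key": re.compile(r"^AKIA[0-9A-Z]{16}$"),
}
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
SECRET_WORDS = ("secret", "token", "password", "key")
ENTROPY_THRESHOLD = 3.5   # bits per character; constructed threshold for the example
MIN_LENGTH = 20


def shannon_entropy(s):
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_literal(value):
    """Return a finding kind for a suspicious literal, or None if it looks benign."""
    # URLs are expected in app source and are not secrets by themselves.
    if value.startswith(("http://", "https://")):
        return None
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern.match(value):
            return name
    # A base64-wrapped secret is a speed bump, not protection: decode and re-check.
    if BASE64_LIKE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
        except ValueError:
            decoded = None
        if decoded and decoded.isprintable() and any(
            w in decoded.lower() for w in SECRET_WORDS
        ):
            return "base64_encoded_secret"
    # Long, space-free, high-entropy literals are typical of keys and salts.
    if (len(value) >= MIN_LENGTH and " " not in value
            and shannon_entropy(value) > ENTROPY_THRESHOLD):
        return "high_entropy_literal"
    return None


def scan_source(text):
    """Scan source text line by line; return (line_number, kind, literal) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for value in STRING_LITERAL.findall(line):
            kind = classify_literal(value)
            if kind:
                findings.append((lineno, kind, value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Running the block reports the access key, the base64-wrapped token and the high-entropy salt while leaving the URL and the greeting alone. The point for the discussion is the second finding: a scanner that decodes obvious encodings before matching removes the small delay that encoding buys, which is why the remedy is to keep secrets out of the binary rather than to hide them in it.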