[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Gunnar Peterson gunnar at arctecgroup.net
Tue Nov 4 14:46:24 UTC 2014


To add on to Erwin's point, I do think there is something to be said for obfuscation. It's totally true that even if it's worth considering, it's security, but not as we've known it, Jim.

However, I think mobile clients are different from defending servers. The good ol' DMZ model where we do not trust clients does not give us much to work with on mobile clients. My take is that we need a new playbook for mobile clients, and that requires a different mindset from the DMZ. I propose Moscow Rules, from the old Cold War rules to operate behind enemy lines (1). The DMZ assumed a level of separation that is not possible on the client side. Instead of separation we need to do things like vary our pattern. Which brings us back to obfuscation.

It's security 101 that obfuscation is only a speed bump. But there is one additional benefit that we can get from it, and that is limiting failure. If client code is obfuscated on a per-instance or per-user basis, then any single client can be busted, but getting a single attack to work across an array of many clients with unique obfuscation routines is substantially more difficult. Sort of like RAID, a redundant array of inexpensive obfuscated speed bumps. There is some value worth considering for defenders to limit the reach of any single attack against all your users. Or said differently, the speed bump does not protect the instance itself so much as the combined effect limits the break of one app cascading across all the apps and all the users.

-gunnar

1. Moscow Rules stuff is in the middle - http://1raindrop.typepad.com/1_raindrop/2014/05/cloud-security-defending-the-new-corporate-perimeter.html

On Nov 4, 2014, at 1:58 AM, Erwin Geirnaert wrote:

> Hi Andrew,
> 
> If mobile code is not obfuscated it can be a starting point to detect hard-coded secrets.
> Code that is not obfuscated can also be easily abused to create rogue malicious apps, especially for Android.
> 
> So I think it should be there.
> 
> Best regards,
> 
> Erwin
> 
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
> Sent: 04 November 2014 08:07
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10
> 
> Hi folks,
> 
> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> Number 10 includes a control that I don't believe is a sound security control (security through obfuscation). Coupled with the nature of the employers of those who contributed, all of whom have some form of obfuscation product, I'm really not comfortable that M10 is a sound control or that the risk of binary analysis is so high that it requires it (no other OWASP standard contains it!), and more to the point M10 has a strong appearance of conflict of interest.
> 
> I know many of those involved in the project, and don't doubt for a second their honest desire to create actionable advice, but I am very concerned that the Mobile Top 10 has an obfuscation control written in by folks who sell obfuscation controls.
> 
> Can we please see the research that demonstrates that binary analysis is one of the top threats to well written mobile code? I use it as a way to improve my client's apps, and obfuscation just makes my job harder, not the code safer.
> 
> thanks
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
