[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 17:50:18 UTC 2014


Hi Andrew,

We hear this particular feedback about M10 quite a bit.  Let me explain M10
in a bit more detail and it will make more sense...

M10 raises a few important and prevalent issues within mobile development.
As you know, when you're dealing with languages that have a high degree of
metadata associated with the language (Java and Objective C), the
likelihood of successfully reverse engineering the mobile app is quite
good. An attacker can easily reverse engineer the code and quickly spot any
appsec related vulnerabilities to the backend. In response to this problem,
conventional wisdom says that you should simply avoid putting any sensitive
code on the mobile device that you would deem risky.  Treat the mobile app
code as 100% open for anyone to see.

Things have changed significantly over the past few years within mobile.
There are now a number of new design factors that force organizations to
store, transmit, or process things that are extremely sensitive within
mobile apps now. In more and more situations, sensitive code must exist
within the mobile code. Here are some examples (off the top of my head)
where sensitive code must exist on the mobile device: offline availability
requirements, HCE, IoT interfaces, mobile banking, medical device
interfaces, etc.

In light of this shift towards sensitive code existing on the phone, we
must now somehow reckon with the fact that the code can be reverse
engineered. Reverse engineering is typically the first step towards more
sophisticated binary attacks.

M10 recommends transitioning particularly sensitive parts of the code to C
or C++ and away from high-level languages.  Obfuscation of code is only
recommended for particularly sensitive things being done within the mobile
device.  On top of that, obfuscation alone has never been recommended as
the only response to these types of new risk.  Instead, think of it as
raising the bar and making it a lot more painful for a successful attack.

M10 does not advocate a particular technology and does not represent any
conflict of interest.  There are plenty of studies out there that
illustrate the prevalence and severity of risks related to reverse
engineering and binary modification for mobile devices.

On Mon, Nov 3, 2014 at 11:07 PM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> Hi folks,
>
> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> Number 10 includes a control that I don't believe is a sound security
> control (security through obfuscation). Coupled with the nature of the
> employers of those who contributed, all of whom have some form of
> obfuscation product, I'm really not comfortable that M10 is a sound
> control or the risk of binary analysis is so high that it requires it (no
> other OWASP standard contains it!), and more to the point M10 has a
> strong appearance of conflict of interest.
>
> I know many of those involved in the project, and don't doubt for a
> second their honest desire to create actionable advice, but I am very
> concerned that the Mobile Top 10 has an obfuscation control written in
> by folks who sell obfuscation controls.
>
> Can we please see the research that demonstrates that binary analysis
> is one of the top threats to well written mobile code? I use it as a
> way to improve my client's apps, and obfuscation just makes my job
> harder, not the code safer.
>
> thanks
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>