[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 17:53:51 UTC 2014


There have been some excellent studies done that show the prominence of
hardcoded secrets in the string tables of mobile apps. I would argue that
hardcoded secrets shouldn't exist in the first place. However, as I
mentioned in the other thread, there are plenty of scenarios where it's
simply not possible to avoid this. I agree with what you are stating.

You also stated that rogue versions of apps are possible as a result.  This
is another excellent point.  There was a study recently conducted that
shows that *nearly 1/4 of all Google Play apps have been cloned and made
into malicious versions* on third party sites.

On Mon, Nov 3, 2014 at 11:58 PM, Erwin Geirnaert <
erwin.geirnaert at zionsecurity.com> wrote:

> Hi Andrew,
>
> If mobile code is not obfuscated it can be a starting point to detect
> hard-coded secrets.
> Code that is not obfuscated can also be easily abused to create rogue
> malicious apps, especially for Android.
>
> So I think it should be there.
>
> Best regards,
>
> Erwin
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
> Sent: 04 November 2014 08:07
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of
> interest in M10
>
> Hi folks,
>
> I've had some feedback on Twitter about the OWASP Mobile Top 10.
> Number 10 includes a control that I don't believe is a sound security
> control (security through obfuscation). Coupled with the nature of the
> employers of those who contributed, all of whom have some form of
> obfuscation product, I'm really not comfortable that M10 is a sound control
> or that the risk of binary analysis is so high that it requires it (no other
> OWASP standard contains it!), and more to the point M10 has a strong
> appearance of conflict of interest.
>
> I know many of those involved in the project, and don't doubt for a second
> their honest desire to create actionable advice, but I am very concerned
> that the Mobile Top 10 has an obfuscation control written in by folks who
> sell obfuscation controls.
>
> Can we please see the research that demonstrates that binary analysis is
> one of the top threats to well written mobile code? I use it as a way to
> improve my client's apps, and obfuscation just makes my job harder, not the
> code safer.
>
> thanks
> Andrew
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
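The point both Jonathan and Erwin make above, that unobfuscated apps are a starting point for finding hard-coded secrets in string tables, is easy to demonstrate. The script below is an added example and is not code from this thread, from OWASP or from any project the thread mentions. It takes the two string sources an analyst typically has after unpacking an Android package, a decoded res/values/strings.xml and the printable strings pulled out of classes.dex or a native library, and flags candidate secrets by three heuristics: signature patterns for well-known credential formats, Shannon entropy of token-like values, and a base64 decode that yields readable text. The two inputs, the pattern list, the 4.0 bits-per-character threshold and the resource-name regex are all constructed assumptions for this illustration.

```python
"""Heuristic scan of extracted mobile-app strings for hard-coded secrets.

Added example, not code from the OWASP thread. The sample inputs below are
constructed; the patterns and thresholds are assumptions chosen for them.
"""
import base64
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample: a decoded res/values/strings.xml (the "string table").
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">Example Wallet</string>
    <string name="welcome">Welcome back</string>
    <string name="api_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="backend_secret">sk_live_4eC39HqLyjWDarjtT1zdp7dc</string>
    <string name="privacy_url">https://example.com/privacy</string>
</resources>
""".strip()

# Constructed sample: printable strings as a `strings`-style pass over
# classes.dex or a bundled .so would return them.
SAMPLE_BINARY_STRINGS = [
    "Lcom/example/wallet/MainActivity;",
    "onCreate",
    "password=hunter2",
    base64.b64encode(b"fake_secret_key_do_not_ship").decode(),
    "Build.VERSION.SDK_INT",
]

# Signature patterns for well-known credential formats (hypothetical subset).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{16,}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|token)\s*=\s*\S+"),
}

# Opaque-token shape: long, no whitespace, no URL or path punctuation.
# This keeps URLs and JVM type descriptors out of the entropy check.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; tuned by hand for this sample
SECRET_NAME = re.compile(r"(?i)(key|secret|token|passw)")


def shannon_entropy(s):
    """Bits of entropy per character of s, from its own character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_text(value):
    """True if value is strict base64 whose payload is printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 8 and all(32 <= b < 127 for b in raw)


def classify(value, name=None):
    """Return the list of heuristic labels that fire for one string."""
    labels = [label for label, rx in PATTERNS.items() if rx.search(value)]
    if TOKEN_LIKE.match(value):
        if shannon_entropy(value) > ENTROPY_THRESHOLD:
            labels.append("high_entropy")
        if decodes_to_text(value):
            labels.append("base64_text")
    if name and SECRET_NAME.search(name):
        labels.append("suspicious_resource_name")
    return labels


def scan_strings_xml(xml_text):
    """Map resource name -> labels for every <string> that triggers a heuristic."""
    root = ET.fromstring(xml_text)
    hits = {}
    for el in root.findall("string"):
        name = el.get("name", "")
        labels = classify(el.text or "", name)
        if labels:
            hits[name] = labels
    return hits


def scan_binary_strings(strings):
    """Map raw string -> labels for extracted binary strings that trigger."""
    hits = {}
    for s in strings:
        labels = classify(s)
        if labels:
            hits[s] = labels
    return hits


if __name__ == "__main__":
    for src, hits in (("strings.xml", scan_strings_xml(SAMPLE_STRINGS_XML)),
                      ("binary", scan_binary_strings(SAMPLE_BINARY_STRINGS))):
        for key, labels in hits.items():
            print(f"{src}: {key!r} -> {', '.join(labels)}")
```

Run against the constructed samples it reports the two key-bearing resources and the two suspicious binary strings, and nothing for the URL, the class descriptor or the UI text. Note how the heuristics lean on exactly what the thread is arguing over: a string-encrypting obfuscator removes the plaintext token from the string table, so this scan finds nothing, but the key is still recoverable at the moment the app decrypts it, which is why Jonathan's position is that the secret should not ship in the first place.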