[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 18:00:21 UTC 2014


No one is advocating for an obfuscation-centric defense by any means. As
stated before, security through obscurity *alone* is not a valid defense.

On Tue, Nov 4, 2014 at 1:19 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Obfuscation just slows the attacker from finding hard-coded secrets, it
> does not stop them. This is why I personally think these
> obfuscation-centric defenses do not belong in any developer-centric top
> ten, nor should they be used as an excuse to mask horrifically bad
> practices like hard-coded secrets.
>
> >  Code that is not obfuscated can also be easily abused to create rogue
> malicious apps, especially for Android.
>
> Now this IS a good reason to use obfuscation technology, but again, it's
> not a savior, only a speed bump. The only way to really stop rogue
> applications is to monitor various app stores and report them in a timely
> fashion, unfortunately.
>
> My 2 idealistic cents,
> - Jim
>
>
> On 11/4/14 3:58 PM, Erwin Geirnaert wrote:
>
>> Hi Andrew,
>>
>> If mobile code is not obfuscated it can be a starting point to detect
>> hard-coded secrets.
>> Code that is not obfuscated can also be easily abused to create rogue
>> malicious apps, especially for Android.
>>
>> So I think it should be there.
>>
>> Best regards,
>>
>> Erwin
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:
>> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
>> Sent: 04 November 2014 08:07
>> To: owasp-leaders at lists.owasp.org
>> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of
>> interest in M10
>>
>> Hi folks,
>>
>> I've had some feedback on Twitter about the OWASP Mobile Top 10.
>> Number 10 includes a control that I don't believe is a sound security
>> control (security through obfuscation). Coupled with the nature of the
>> employers of those who contributed, all of whom have some form of
>> obfuscation product, I'm really not comfortable that M10 is a sound control
>> or that the risk of binary analysis is so high that it requires one (no other OWASP
>> standard contains it!), and more to the point M10 has a strong appearance
>> of conflict of interest.
>>
>> I know many of those involved in the project, and don't doubt for a
>> second their honest desire to create actionable advice, but I am very
>> concerned that the Mobile Top 10 has an obfuscation control written in by
>> folks who sell obfuscation controls.
>>
>> Can we please see the research that demonstrates that binary analysis is
>> one of the top threats to well written mobile code? I use it as a way to
>> improve my client's apps, and obfuscation just makes my job harder, not the
>> code safer.
>>
>> thanks
>> Andrew
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>