[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jason Haddix jason.haddix at owasp.org
Tue Nov 4 19:12:16 UTC 2014


Hello All (and thank you Jack for the vote of confidence),

We have definitely had some spirited debate on the category! We are meeting
to discuss it again this Thursday.  The community has spoken, though, and
most likely the outcome will be to remove m10 and replace it with the old
m10:


   - M10: Sensitive Information Disclosure
   <https://www.owasp.org/index.php/Mobile_Top_10_2012-M10>


One thing we will struggle with is where the *original idea* for m10 came
from. Two widely distributed whitepapers on pentesting iOS and
Android applications (MDSec and IOActive) cite the vulns of:

   - iOS: not enabling PIE
   - iOS: not enabling stack-smashing protection
   - iOS: not removing symbols/path info
   - iOS: not using ARC


Since these papers/presos were among the first to teach our community how to
test, these issues were rampant. We also saw a large influx of:

   - Lack of ProGuard usage on Android
   - Lack of cert pinning
   - Lack of jailbreak/root/debugging protections


So we made m10. Then somewhere along the line m10 was changed and no longer
represented the original ideas. What we want to focus on is community
exposure, and even if m10 is valid (or the above vulns are) it's not good
for so many of our peers to be flaming the project on twitter (which is
pretty unprofessional btw). Anyways. What would you suggest we do with the
above?

Also to the OWASP veterans: We are proposing to remove m10 right away
instead of waiting till 2015's version of the MTT (which we have already
started soliciting data for). Do you think this precedent is OK? Or is it
more pertinent to wait, since some people are using the list as-is and a
mid-cycle change could disrupt policy created from the current list?

On Tue, Nov 4, 2014 at 10:00 AM, Jonathan Carter <jonathan.carter at owasp.org>
wrote:

> No one is advocating for an obfuscation-centric defense by any means. As
> stated before, security through obscurity *alone* is not a valid defense.
>
> On Tue, Nov 4, 2014 at 1:19 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Obfuscation just slows the attacker from finding hard-coded secrets, it
>> does not stop them. This is why I personally think these
>> obfuscation-centric defenses do not belong in any developer-centric top
>> ten, nor should they be used as an excuse to mask horrifically bad
>> practices like hard coded secrets.
>>
>> >  Code that is not obfuscated can also be easily abused to create rogue
>> malicious apps, especially for Android.
>>
>> Now this IS a good reason to use obfuscation technology, but again, it's
>> not a savior only a speed bump. The only way to really stop rogue
>> applications is to monitor various app stores and report them in a timely
>> fashion, unfortunately.
>>
>> My 2 idealistic cents,
>> - Jim
>>
>>
>> On 11/4/14 3:58 PM, Erwin Geirnaert wrote:
>>
>>> Hi Andrew,
>>>
>>> If mobile code is not obfuscated it can be a starting point to detect
>>> hard-coded secrets.
>>> Code that is not obfuscated can also be easily abused to create rogue
>>> malicious apps, especially for Android.
>>>
>>> So I think it should be there.
>>>
>>> Best regards,
>>>
>>> Erwin
>>>
>>> -----Original Message-----
>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:
>>> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
>>> Sent: 04 November 2014 08:07
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: [Owasp-leaders] OWASP Mobile Top 10 - potential conflict of
>>> interest in M10
>>>
>>> Hi folks,
>>>
>>> I've had some feedback on Twitter about the OWASP Mobile Top 10.
>>> Number 10 includes a control that I don't believe is a sound security
>>> control (security through obfuscation). Coupled with the nature of the
>>> employers of those who contributed, all of whom have some form of
>>> obfuscation product, I'm really not comfortable that M10 is a sound control
>>> or that the risk of binary analysis is so high that it requires it (no other
>>> OWASP standard contains it!), and more to the point M10 has a strong
>>> appearance of conflict of interest.
>>>
>>> I know many of those involved in the project, and don't doubt for a
>>> second their honest desire to create actionable advice, but I am very
>>> concerned that the Mobile Top 10 has an obfuscation control written in by
>>> folks who sell obfuscation controls.
>>>
>>> Can we please see the research that demonstrates that binary analysis is
>>> one of the top threats to well written mobile code? I use it as a way to
>>> improve my client's apps, and obfuscation just makes my job harder, not the
>>> code safer.
>>>
>>> thanks
>>> Andrew
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>
>
>
>


-- 
Jason Haddix
OWASP Mobile Top Ten Project Leader
Mobile Security Researcher
(805) 698 2885
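As an added example (not code from the OWASP project, nor from the MDSec or IOActive papers Jason refers to): a small Python checker for the four iOS items in his list. It reads the Mach-O header flag and the LC_SYMTAB symbol table directly, which is the same information the usual `otool -hv`, `otool -Iv` and `nm` checks print. PIE is the MH_PIE header flag; stack-smashing protection and ARC are inferred from the runtime imports the compiler emits for them (the same heuristic those papers use); "symbols not removed" means defined symbols still present in the table. The two sample binaries are constructed in memory, and symbol names such as `-[LoginViewController storePassword:]` are hypothetical stand-ins for what an unstripped app leaks. It assumes a thin, little-endian 64-bit Mach-O. None of these flags says anything about the app's logic or its secrets, which is the point Jim and Andrew make above; they are build-setting checks, not a measure of security.

```python
"""Static check of the iOS binary-hardening items from the thread (PIE,
stack-smashing protection, stripped symbols, ARC) against a 64-bit Mach-O.

Added example; not code from the OWASP project or the MDSec / IOActive
papers. The sample binaries at the bottom are constructed in memory.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
MH_PIE = 0x00200000               # header flag: ASLR-capable executable
LC_SYMTAB = 0x2                   # load command carrying the symbol table
N_TYPE, N_SECT = 0x0E, 0x0E       # nlist n_type mask / "defined in a section"
N_UNDF_EXT = 0x01                 # undefined external symbol (an import)
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 0x2

# Imports the compiler emits when the corresponding feature is enabled.
STACK_CANARY_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}
ARC_SYMBOLS = {"_objc_release", "_objc_retain",
               "_objc_retainAutoreleasedReturnValue", "_objc_storeStrong"}


def parse_macho(data):
    """Return (header flags, {symbol name: n_type}) for one 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _size, flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("expected a little-endian 64-bit Mach-O; split fat binaries first")
    symbols = {}
    offset = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, offset + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):                # each nlist_64 entry is 16 bytes
                n_strx, n_type = struct.unpack_from("<IB", data, symoff + i * 16)
                name = strtab[n_strx:strtab.index(b"\0", n_strx)].decode()
                symbols[name] = n_type
        offset += cmdsize
    return flags, symbols


def hardening_report(data):
    """Map each item from the thread to a boolean, plus the leaked symbol names."""
    flags, symbols = parse_macho(data)
    names = set(symbols)
    # Defined symbols survive only when the binary was not stripped; imports always remain.
    leaked = sorted(n for n, t in symbols.items() if (t & N_TYPE) == N_SECT)
    return {
        "pie": bool(flags & MH_PIE),
        "stack_canary": bool(names & STACK_CANARY_SYMBOLS),
        "arc": bool(names & ARC_SYMBOLS),
        "stripped": not leaked,
        "leaked_symbols": leaked,
    }


def build_sample(pie, imports, defined=()):
    """Constructed minimal Mach-O: header, one LC_SYMTAB, nlist_64 entries, string table."""
    entries = [(n, N_UNDF_EXT) for n in imports] + [(n, N_SECT) for n in defined]
    strtab = bytearray(b"\0")                     # string table starts with an empty name
    nlist = b""
    for name, n_type in entries:
        nlist += struct.pack("<IBBHQ", len(strtab), n_type, 0, 0, 0)
        strtab += name.encode() + b"\0"
    symoff = 32 + 24                              # header + one LC_SYMTAB command
    stroff = symoff + len(nlist)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, 24, MH_PIE if pie else 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(entries), stroff, len(strtab))
    return header + symtab + nlist + bytes(strtab)


# Constructed samples: one build with every item done right, one with none of them.
# The symbol names in the unhardened sample are hypothetical.
HARDENED = build_sample(True, ["___stack_chk_fail", "___stack_chk_guard",
                               "_objc_release", "_objc_retain", "_printf"])
UNHARDENED = build_sample(False, ["_printf", "_strcpy"],
                          defined=["-[LoginViewController storePassword:]", "_hardcodedApiKey"])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else UNHARDENED
    for item, value in hardening_report(data).items():
        print(f"{item:16} {value}")
```

Run it with the path to a thin arm64 binary (use `lipo -thin arm64` on a fat one first); with no argument it reports on the constructed unhardened sample.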