[Owasp-leaders] OWASP Mobile Top 10 - potential conflict of interest in M10

Jonathan Carter jonathan.carter at owasp.org
Tue Nov 4 20:08:44 UTC 2014


Trusted execution environments are one potential solution to this.  The
huge problem we've seen with the TEE approach is that there's been no real widespread
adoption because of the hardware aspect.  There's a lot of bureaucracy that
has kept everyone from playing in the space.  Hence, things like Android's
KitKat release introducing HCE as a viable alternative that frees you from
the hardware implications.

On Tue, Nov 4, 2014 at 12:03 PM, Andre Gironda <andreg at gmail.com> wrote:

>
> On Nov 4, 2014 10:53 AM, "Jonathan Carter" <jonathan.carter at owasp.org>
> wrote:
> >
> > Things have changed significantly over the past few years within
> > mobile.  There are now a number of new design factors that force
> > organizations to store, transmit, or process things that are extremely
> > sensitive within mobile apps now. In more and more situations, sensitive
> > code must exist within the mobile code. Here are some examples (off the top
> > of my head) where sensitive code must exist on the mobile device: offline
> > availability requirements, HCE, IoT interfaces, mobile banking, medical
> > device interfaces, etc.
>
> These can also be implemented using FOSS trusted environments, such as
> Open-TEE.
>
> My suggestion would be to move the M10 language towards trusted execution
> environments.
>
> dre
>