[Owasp-leaders] OWASP Mobile Top Ten 2014 - M10 Datapoints

Andre Gironda andreg at gmail.com
Wed Nov 5 12:17:33 UTC 2014


On Nov 5, 2014 4:34 AM, "Jonathan Carter" <jonathan.carter at owasp.org> wrote:
> Distribution of modifications is a whole other kettle of fish. There's a
> number of different means that attackers distribute changes.  Typically,
> they'll modify, repackage, and then distribute via either iTunes, Google
> Play, or third-party stores. There's also the avenue of direct infection.
> Which then goes into the runtime self-modification detection side of life.

If you want to talk brand preservation, then you need to recommend
discovery and takedown services. You keep rehashing the same arguments.

In the world of rogue app prevention, software protection has been shown to
provide negative value. I used to work for a video game company whose
games' binaries would show up in various places including popular torrent
sites, often modified with spyware, BEFORE any official release. Software
protection only works if you can guarantee breachless distribution, and even
then it can only withstand a 3-day level of effort when RU or CN reversing
forums decide to get involved. These reversers work for the price of one
copy. This is a zero sum game.

It is not a preventative control, and like most information risk loss
events, losses from rogue apps (including intangibles such as brand) are
best handled by detective and responsive controls. Software protection can
be used as a deceptive control (aka denial), but this is the realm of law
enforcement or military, not Snapchat Inc. You'd have to estimate costs
under a variety of scenarios, and unfortunately I know you will get this
wrong for every potential software protection customer. Is it snake oil?
No, but it is snake oil the way that it is marketed and sold. If you want
to implement it cost-effectively, I suggest using a model like FAIR,
although that is just a starting point. You will need to do much more, such
as including experts on denial and deception that natively challenge
assumptions and understand the weaknesses through red teaming analysis.
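The message recommends costing controls under several scenarios with a model like FAIR before buying software protection. The following is an added example of that kind of comparison; it is not from the thread or from either author, and every frequency, probability and cost in it is a constructed assumption chosen only to show the arithmetic (in particular, the drop in vulnerability attributed to software protection is small because the message argues the control is defeated within days):

```python
"""FAIR-style scenario comparison for rogue-app (repackaged binary) losses.

Added example, not from the OWASP-Leaders thread. All figures are
constructed assumptions for illustration, not measured data.

FAIR decomposition used here:
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) * Vulnerability
  Annualised Loss Expectancy (ALE) = LEF * Loss Magnitude per event
  Total annual cost of a scenario = ALE + annual cost of the control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: float                 # repackaging attempts per year (assumed)
    vuln: float                # P(attempt yields a distributed rogue app) (assumed)
    loss_per_event: float      # loss magnitude per rogue-app event, currency units (assumed)
    annual_control_cost: float # licence / engineering / service cost per year (assumed)


def loss_event_frequency(s: Scenario) -> float:
    return s.tef * s.vuln


def annualised_loss_expectancy(s: Scenario) -> float:
    return loss_event_frequency(s) * s.loss_per_event


def total_annual_cost(s: Scenario) -> float:
    return annualised_loss_expectancy(s) + s.annual_control_cost


def net_benefit(baseline: Scenario, alternative: Scenario) -> float:
    """Positive when the alternative is cheaper overall than doing nothing."""
    return total_annual_cost(baseline) - total_annual_cost(alternative)


def break_even_vulnerability(baseline: Scenario, control_cost: float) -> float:
    """Vulnerability a control must achieve (same TEF and loss magnitude as the
    baseline) for its ALE plus its cost to equal the baseline's total cost.
    Compare this against the reduction the vendor actually demonstrates."""
    return (total_annual_cost(baseline) - control_cost) / (baseline.tef * baseline.loss_per_event)


def rank_scenarios(scenarios: list) -> list:
    """Scenario names ordered from cheapest to most expensive total annual cost."""
    return [s.name for s in sorted(scenarios, key=total_annual_cost)]


# Constructed baseline: 10 attempts a year, 80% succeed, 50,000 per event.
BASELINE = Scenario("no control", tef=10, vuln=0.8, loss_per_event=50_000, annual_control_cost=0)
# Constructed: software protection delays reversing rather than stopping it,
# so vulnerability falls only slightly while the control itself is costly.
PROTECTION = Scenario("software protection", tef=10, vuln=0.7, loss_per_event=50_000,
                      annual_control_cost=120_000)
# Constructed: discovery and takedown does not stop rogue apps appearing, but
# shortens how long each stays live, shrinking the loss magnitude per event.
TAKEDOWN = Scenario("discovery + takedown", tef=10, vuln=0.8, loss_per_event=20_000,
                    annual_control_cost=60_000)

if __name__ == "__main__":
    for s in (BASELINE, PROTECTION, TAKEDOWN):
        print(f"{s.name:22s} LEF={loss_event_frequency(s):5.1f}/yr "
              f"ALE={annualised_loss_expectancy(s):>10,.0f} total={total_annual_cost(s):>10,.0f}")
    print("ranking:", rank_scenarios([BASELINE, PROTECTION, TAKEDOWN]))
    print("protection must reach vuln <=",
          round(break_even_vulnerability(BASELINE, PROTECTION.annual_control_cost), 2),
          "to break even")
```

The point of the break-even function is the one the message makes: a preventive control whose effect is measured in days of delay has to be shown, with the buyer's own numbers, to cut the loss event frequency far enough to cover its price, whereas detective and responsive controls act on loss magnitude, which is usually the easier term to estimate and to reduce.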