Hi team,
I get the point of naming M10 appropriately - insecure app packaging or insecure mobile binary could work; however, it only works well if the associated mitigation guidance works to adequately address/mitigate the stated technical risk.
While I'm a fan of code obfuscation as a good practice, the reality is the code can still be decompiled and de-obfuscated, and it is really only a small bump in the road.
Anti-tampering tech, code encryption (e.g. whiteCryption, Arxan), etc., should be included as guidance (the debate on naming vendors to be dealt with outside this thread)...
Amin
--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
BTW: in regards to the code tampering/reversing issue...
Reversing is generally a first step in code tampering... For those of you following the Hacking Team fiasco, they actually leveraged rooting and swapping out a clean version of WhatsApp for an evil version to snoop on their targets - obviously this is an interesting problem to consider... Stealth/undisclosed 0-day attacks generally will not be supported by volumetric data :)