Having a look at the latest top ten


Paco Hope

Jun 30, 2015, 6:36:05 AM
to owasp-mobile...@owasp.org
Hey guys,

I’ve just had a look at the Scratchpad. I realise I’ve missed a few working sessions. We’ve strayed off the path again.

8 of these things are risks/problems the app developer might have done. Code tampering and reverse engineering are things a bad guy might do. They are shades of the same issue, and I think they overrepresent it.

Do we want to say “Insecure app packaging” or “insecure mobile binary” or something like that? And what is the salient distinction between “code tampering” and “reverse engineering”? For example, are there findings from our data set that very clearly go in one of those categories and don’t make sense in the other? Are there remediations and things you’d do for the one risk that you simply wouldn’t do and wouldn’t make sense for the other? I know WE can make this distinction, but I’m not sure that’s sufficient motivation to separate them like that.

The new number 10 needs to be written carefully so that it doesn't hinge on the developer's intent. We don’t want to suggest that if they stored a password in the binary on purpose, that’s an M2 finding, but if they did it accidentally that’s an M10 finding. I think the trick is that our example for M10 should not reference concepts that very clearly belong in some other bucket (like passwords, keys, etc). We can reference debugging symbols, debug versions of the binary, test configurations, etc. But the two examples in the text as written are confusing because they should really be in M4 and M2 respectively (disabling 2FA and putting a password in a comment). The new M10 is a fine category, but I think we need to be careful in our description.

Paco


Milan Singh Thakur

Jul 3, 2015, 6:57:53 AM
to owasp-mobile...@owasp.org, pa...@owasp.org
Hi Paco,

Good point here.
"Code tampering" is dependent on "reverse engineering" because if the application can be reverse engineered and the code is found to be in cleartext (not obfuscated), only then can an attacker tamper with the code by adding a malicious snippet to it. This re-packed application thus becomes harmful.
So naming it “Insecure app packaging” or “insecure mobile binary” (as you have suggested) would be better.

We would need more discussion or examples on what has to be included in new M10.

Any other opinion from Team?

Regards,
Milan

Amin Lalji

Jul 8, 2015, 7:21:58 AM
to Milan Singh Thakur, Paco Hope, owasp-mobile...@owasp.org

Hi team,

I get the point of naming M10 appropriately - insecure app packaging or insecure mobile binary could work, however it only works well if the associated mitigation guidance works to adequately address/mitigate the stated technical risk.

While I'm a fan of code obfuscation as a good practice, the reality is the code can still be decompiled and de-obfuscated, and is really only a small bump in the road.

Anti-Tampering tech, Code encryption (e.g. whitecryption, arxan) etc, should be included as guidance (the debate on naming vendors to be dealt with outside this thread)...

Amin

--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
For more options, visit https://groups.google.com/a/owasp.org/d/optout.
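Milan's description of the tampering chain (reverse the package, patch the code, repack it) and Amin's point that obfuscation is only a small bump and anti-tampering checks belong in the guidance both come down to one runtime question: is the package that is running the one the developer shipped? The following is an added example, not code from the OWASP Mobile Top 10 project or from anyone on this thread. It models a package as a dict of file paths to bytes, builds a hash manifest over it, and binds the manifest to a release key so that a repacked build is detected whether the attacker changes a file, rebuilds the manifest, or injects a new file. The package contents, file names and `RELEASE_KEY` are constructed for illustration; the HMAC stands in for the asymmetric signature real platforms use (APK or IPA signing), which is an assumption of this toy, not a recommendation.

```python
"""Toy model of a runtime anti-tampering integrity check for a packaged mobile app.

Added example, not code from the OWASP Mobile Top 10 project. File names, file
contents and the key are constructed; a real platform would verify an asymmetric
signature rather than an HMAC, and would not ship the verifying secret in the binary.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample package: path -> file contents, as shipped by the developer.
SAMPLE_PACKAGE: Dict[str, bytes] = {
    "classes.dex": b"dex\n035\x00original bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
    "assets/config.json": b'{"api": "https://api.example.invalid"}',
}

# Constructed release key; stands in for the developer's signing key.
RELEASE_KEY = b"constructed-release-key-for-illustration-only"


def build_manifest(package: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file in the package, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in package.items()}


def canonical_manifest(manifest: Dict[str, str]) -> bytes:
    """Deterministic encoding so the signature does not depend on dict ordering."""
    return "\n".join(f"{path}:{digest}" for path, digest in sorted(manifest.items())).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Bind the manifest to the release key (HMAC as a stand-in for a real signature)."""
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def verify_package(package: Dict[str, bytes], manifest: Dict[str, str],
                   signature: str, key: bytes) -> Tuple[bool, str]:
    """Runtime self-check. Returns (ok, reason); the reason names what was detected."""
    # 1. The manifest itself must be the one the developer signed.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature mismatch"
    # 2. No files may be added or removed relative to the signed manifest.
    if set(manifest) != set(package):
        added = sorted(set(package) - set(manifest))
        removed = sorted(set(manifest) - set(package))
        return False, f"file set changed (added={added}, removed={removed})"
    # 3. Every file's content must hash to the signed value.
    for path in sorted(package):
        actual = hashlib.sha256(package[path]).hexdigest()
        if not hmac.compare_digest(actual, manifest[path]):
            return False, f"hash mismatch: {path}"
    return True, "ok"


def repack(package: Dict[str, bytes], path: str, new_data: bytes) -> Dict[str, bytes]:
    """Simulate a repackaged build in which one file has been replaced."""
    patched = dict(package)
    patched[path] = new_data
    return patched


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against the shipped build and three tampered variants."""
    manifest = build_manifest(SAMPLE_PACKAGE)
    signature = sign_manifest(manifest, RELEASE_KEY)
    results = {}
    # Untouched package passes.
    results["clean"] = verify_package(SAMPLE_PACKAGE, manifest, signature, RELEASE_KEY)
    # Code replaced, original manifest kept: caught by the per-file hash.
    tampered = repack(SAMPLE_PACKAGE, "classes.dex", b"dex\n035\x00patched bytecode")
    results["patched_code"] = verify_package(tampered, manifest, signature, RELEASE_KEY)
    # Code replaced and manifest rebuilt, but without the release key: caught by the signature.
    rebuilt = build_manifest(tampered)
    results["patched_code_and_manifest"] = verify_package(
        tampered, rebuilt, sign_manifest(rebuilt, b"not-the-release-key"), RELEASE_KEY)
    # Extra file dropped into the package: caught by the file-set comparison.
    injected = dict(SAMPLE_PACKAGE)
    injected["lib/extra.so"] = b"\x7fELF constructed"
    results["injected_file"] = verify_package(injected, manifest, signature, RELEASE_KEY)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:28s} ok={ok!s:5s} {reason}")
```

The weak point of any self-check of this kind is the key and the call site: both live in the binary the attacker has already reversed, so the same tampering that replaces `classes.dex` can replace `RELEASE_KEY` or patch out the call to `verify_package`. That is the gap Amin's "small bump in the road" refers to, and why the guidance under discussion points at platform-level signature verification and anti-tampering products rather than obfuscation alone.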

Amin Lalji

Jul 8, 2015, 7:28:08 AM
to Milan Singh Thakur, owasp-mobile...@owasp.org, Paco Hope

BTW: in regards to the code tampering/reversing issue...

Reversing is generally a first step in code tampering... For those of you following the hacking team fiasco, they actually leveraged rooting and swapping out a clean version of WhatsApp for an evil version to snoop on their targets - obviously this is an interesting problem to consider... Stealth/undisclosed 0-day attacks generally will not be supported by volumetric data :)

Andrew Blaich

Jul 8, 2015, 10:43:29 AM
to Amin Lalji, Milan Singh Thakur, owasp-mobile...@owasp.org, Paco Hope
Hijacking this thread for a moment. 

What is the current schedule for the hangout meetings? I'm trying to clear up my calendar and want to remove old dates/times where we no longer meet.

Thanks,
Andrew


Paco Hope

Jul 8, 2015, 10:47:22 AM
to owasp-mobile...@owasp.org
Good question, Andrew.

I plan to join one this evening/day/morning. It’s hard to know which invites (in which calendars) are stale and which are active.

Paco

Milan Singh Thakur

Jul 8, 2015, 12:05:43 PM
to Andrew Blaich, Jonathan Carter, Amin Lalji, owasp-mobile...@owasp.org, Paco Hope
Looping Jonathan...

These Hangout meetings are confusing to many users w.r.t. dates/timings.
We would need to schedule it properly and discard the rest.

Jonathan Carter

Jul 9, 2015, 1:26:02 AM
to Paco Hope, owasp-mobile...@owasp.org
I will re-issue the hangout invites again so we're all back on the same schedule. The idea is that we have a monthly summary meeting and a bi-weekly working group session.
