On Thu, Jul 24, 2014 at 10:06 AM, Stephan Neuhaus < stephan.neuhaus@tik.ee.ethz.ch> wrote:
So if I mention to you that a certain app just happens to run on a smartphone, your Spidey-sense would be tingling, no matter if the app has had excellent threat modelling, code audit etc?
I'd treat it as an indicator, not a certainty. All of stef's rules are indicators, where any one could be raised without the application being a problem. The more that get raised, the more likely the app is snake oil. It's like personnel security -- an employee gambling is not necessarily a problem, but it can indicate a potential security risk. And it's like diagnosing medical or psychiatric conditions -- a lack of empathy for other humans might not mean anything, but it's an indicator for psychopathy. Regarding the security app indicators, good job, stef. And I'll add one: "10000000000-bit encryption!!!!" -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209