From: Eric Friedman
To: Srinivas Vedula
Cc: GP Fasol Suen Lerouge (NN i Kumar
Bcc:
Subject: Re: slides for review
Attachments: Usecases_flo_diagrams key
Sent: 01/25/2016 03:38:38 PM 0000 (GMT)

I can't do your Monday slot. Tuesday is no better. Wednesday is good at 1. But you don't need me to proceed.

Regarding your rogue app scenario: this is phishing. For it to work, the phisher would have to have compromised the APNS send key of the spoofed service. That seems unlikely.

Regarding review processes: please don't ever believe that they accomplish anything that would deter a sophisticated attacker. I consider them a wetware rate limiting service and nothing more. Yes, they sometimes catch things, but you should regard them as little more than the equivalent of the TSA at the airport. Their KPI is "how many apps can we get through the pipe" and not "what exotic exploits can we detect?"

Eric

> On Jan 24, 2016, at 12:39 AM, Srinivas Vedula wrote:
> A,
> I have added new flow diagrams and use cases. Please review.
> I booked a slot on August's calendar to update him. I am thinking of moving it to Tuesday. Let me know if you would rather do it on Monday.
> Creating the use case for use on iOS brought up a question on today's iOS apps.
> How do we handle the possibility that a rogue app pretends to be a genuine app. Let's say a rogue app reversed all of e-trade's login flows and implemented it in their app. Essentially, it'll be a proxy for e-trade. It'll genuinely log you into e-trade but will just siphon the credentials while doing so. That should be pretty straightforward to do. If done properly a user can be tricked into downloading the app and giving the login info.
> Do you know how we deal with it today? We haven't seen an instance like that till now. That is probably what the review process is supposed to look at but it will be nice if we have a technical solution for it. We kind of circumvented the browser+HTTPS combination with binary apps.
> Srinivas

PX-0251.1 CONFIDENTIAL APL-APPSTORE_09166610