Re: Feedback from OWASP on Mobile Web Application Best Practices, W3C Working Draft 13 July 2010 (LC-2412)

Dear David Campbell,

The Mobile Web Best Practices Working Group has reviewed the comments you
sent [1] on the Last Call Working Draft [2] of the Mobile Web Application
Best Practices published on 13 Jul 2010. Thank you for having taken the
time to review the document and to send us comments!

The Working Group's response to your comment is included below, and has
been implemented in the new version of the document available at:
http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest.

Please review it carefully and let us know by email at
public-bpwg-comments@w3.org if you agree with it or not before 14 September
2010 (if possible, simply tell us if you need more time). In case of
disagreement, you are requested to provide a specific solution for or a
path to a consensus with the Working Group. If such a consensus cannot be
achieved, you will be given the opportunity to raise a formal objection
which will then be reviewed by the Director during the transition of this
document to the next stage in the W3C Recommendation Track.

Thanks,

For the Mobile Web Best Practices Working Group,
Dominique Hazaël-Massieux
François Daoust
W3C Staff Contacts

 1. http://www.w3.org/mid/4C5B37FA.6000206@owasp.org
 2. http://www.w3.org/TR/2010/WD-mwabp-20100713/


=====

Your comment on the document as a whole:
> Dear Sir or Madam:
> 
> I represent the Global Industry Committee of the Open Web Application
> Security Project (OWASP) and we are keenly interested in your
> forthcoming Mobile Web Application Best Practices recommendation.
> 
> Attached please find a PDF document containing our comments on your
> draft recommendation.
> 
> Please feel free to contact me directly with any questions, comments
> or concerns.
> 
> Cheers,
> 
> David Campbell
> Open Web Application Security Project
> dcampbell@owasp.org
> www.owasp.org


Working Group Resolution (LC-2412):
The group partially agrees with the comment.

The Mobile Web Application Best Practices document is explicitly scoped to
best practices that have some specific impact on the mobile context:
 http://www.w3.org/TR/mwabp/#mobile-context

The Working Group acknowledges that most "desktop" security-related best
practices also apply to mobile devices and has updated the introduction text
of the "Security and Privacy" section to make clear that the one best
practice listed in that section is definitely not the end of it. The Working
Group has also decided to reference the OWASP TOP 10 work in this text as an
example of usual security measures. See the updated text in the latest
editor's draft:

http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/latest#bp-security


The group does not feel it has the expertise to review and select other
best practices related to security and decided against adding more best
practices to the section. A future version of the best practices should
probably include a more comprehensive set of best practices related to
security.

The best practice listed in this category was chosen on the grounds that
it was the most obvious client-side security hole to close in a mobile Web
application that might have access to personal information. In particular,
a mobile Widget could perhaps be allowed to send SMS or make phone calls
while the device is connected to an "untrusted" public Wi-Fi connection,
thus enabling potential man-in-the-middle attacks.


----

Received on Tuesday, 7 September 2010 14:21:05 UTC