Comments on: Security By Obscurity http://iPhoneIncubator.com/blog/security/security-by-obscurity Tips and Tricks for iPhone, iPod, iPad and iOS Developers Sat, 28 Jan 2012 16:20:12 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Nick http://iPhoneIncubator.com/blog/security/security-by-obscurity/comment-page-1#comment-2300 Nick Fri, 26 Feb 2010 19:27:13 +0000 http://iPhoneIncubator.com/blog/?p=91#comment-2300 @Greg: The headline should probably have included an qualifier, but I think the rest of the post made it pretty clear that "security by obscurity" should not be confused with real security by design. The linked Wikipedia entry goes into depth on this, including arguments for and against, and it references Kerckhoff's Principle several times. So let me state for the record: If you are designing an application that needs security, then don't use the technique discussed above. This of course includes any data that is related to financial information like credit cards, information that has any privacy implications, etc. If you just want to hide some information from public view, but are not concerned if anyone spends the necessary time and resources to find the information, then simply obscuring that information may be sufficient for your needs. @Greg: The headline should probably have included an qualifier, but I think the rest of the post made it pretty clear that “security by obscurity” should not be confused with real security by design. The linked Wikipedia entry goes into depth on this, including arguments for and against, and it references Kerckhoff’s Principle several times.

So let me state for the record: If you are designing an application that needs security, then don’t use the technique discussed above. This of course includes any data that is related to financial information like credit cards, information that has any privacy implications, etc. If you just want to hide some information from public view, but are not concerned if anyone spends the necessary time and resources to find the information, then simply obscuring that information may be sufficient for your needs.

]]> By: Greg Sparrow http://iPhoneIncubator.com/blog/security/security-by-obscurity/comment-page-1#comment-2245 Greg Sparrow Tue, 23 Feb 2010 03:23:04 +0000 http://iPhoneIncubator.com/blog/?p=91#comment-2245 I tend to cringe when I read post like this. Your readers should be aware that “Security by Obscurity” is not security. The scenario you present above is called obfuscation which does not provide any additional level of security. A secure system should be designed such that if someone knows everything about how the system works, it is still secure. Please see Kerckhoff’s Principle here: http://www.schneier.com/crypto-gram-0205.html\ I tend to cringe when I read post like this. Your readers should be aware that “Security by Obscurity” is not security. The scenario you present above is called obfuscation which does not provide any additional level of security. A secure system should be designed such that if someone knows everything about how the system works, it is still secure. Please see Kerckhoff’s Principle here: http://www.schneier.com/crypto-gram-0205.html\

]]>