by theptip 3085 days ago
It's standard operating procedure to elide the details of one's security posture.

Would you expect Google's security team to provide a detailed list of all of the security procedures in place to prevent access to their network?

Rejecting "security through obscurity" just means you shouldn't rely on obscurity alone. Obscurity + good security > good security alone, since it increases the threshold of time and ability that any attacker would need to bring to an attack.

2 comments

I saw a bit of a talk by a Google engineer that laid out their overall strategy for securing the Android app ecosystem. I don't think it's a hard and fast rule.

Yeah, you make a good point. I'm not outright rejecting keeping your secrets close, but it doesn't instill a lot of confidence for me.

After left-pad I think we'd all like to see a strong, well-documented methodology to keep things like this from happening again. The broad strokes can't be any more clever than what the rest of us would expect, so why not at least provide a basic idea of what you're doing and then we could trust the system a bit more?