AndroidVTS / android-vts

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

Found the issues - and now, WHAT? #37

Closed trattnerE closed 9 years ago

trattnerE commented 9 years ago

Great app for pointing to possible vulnerabilities.

Would be even greater if, for each vulnerability found, clicking on the vulnerability's description line would bring up more info about it as well as possible solutions to prevent its being exploited (try Secunia's PSI on your PC to see what I mean).

Thanks in advance for a prompt & positive attention to this matter,

Sincerely,

Eric Trattner

Fuzion24 commented 9 years ago

Eric,

A couple things: They are just vulnerabilities, not just "possible vulnerabilities". There is already an issue opened about adding more contextual information / maybe attempting to estimate the impact to each vulnerability check: https://github.com/nowsecure/android-vts/issues/29

As far as remediations, you, unfortunately, have very few options:

  1. Purchase only Nexus devices
  2. Install a third party ROM like Cyanogenmod on your device

One of the primary purposes of this test suite is to bring awareness to the poor job that OEMs do in terms of security. This includes both their inability to patch bugs that affect Android and their lack of restraint in adding bloat/features which have proven to be very buggy in the past and greatly increase the attack surface of devices.

Cheers, Ryan

trattnerE commented 9 years ago

Hello Ryan,

Thanks for the very prompt & clear reply.

To address your remarks:

  1. Thread #29: it only asks for more info, but not for means of dealing with the open vulnerability;
  2. What to do: in the PC world, wherever vulnerabilities are found, either the OS maker patches them, or 3rd party products mask them, or manual modifications (though, at times, dangerous in their own right) are suggested (or any combination of these) to close the vulnerability or work around it. I simply hoped that such suggestions might be available for Android too (actually, having Norton Security installed on my Samsung G800F, I was quite surprised to see that VTS found some vulnerabilities …)

Hope this helps.

Thanks again,

Eric


Fuzion24 commented 9 years ago

@trattnerE Norton (and every other anti-virus out there) does generally nothing to show you how vulnerable your device is. They often rely on very primitive techniques (checking the application name or equivalent) to identify 'malware'. The value added by these applications is almost always negative.

As for remediations, your options are to install a third party ROM which does not contain buggy OEM code, in your case Samsung's. Or opt for a device that is 'cleaner' and more frequently patched like the Nexus devices. Unfortunately, there are really no other options.

The 'hot patching' techniques you are mentioning have been attempted in the past (https://play.google.com/store/apps/details?id=io.rekey.rekey&hl=en) but are fragile and have a potential for disaster.

trattnerE commented 8 years ago

Dear Ryan,

Thanks again for your reply & clarification.

One further question though: earlier today I checked all the apps installed on my Smartphone via VirusTotal – I was shocked to see that the one and only app marked as malware by some 19 (nineteen!) of the scanners was “VTS for Android”!

What is going on here? After all, this app should notify that vulnerabilities are around, and not become a liability by itself …

Kindly enlighten.

Thanks again for your attention to this matter,

Cordially,

Eric


dweinstein commented 8 years ago

I think that goes to show you the value of virus scanners. They are rife with false positives and negatives.

trattnerE commented 8 years ago

Well David,

While the scanners might indeed not be perfect (though they do provide some fair protection to millions of users, and they surely are better than no protection at all), wherever false positives / negatives arise it's common practice to let the scanners' vendors know, to enable them to improve their detection.

I guess this should be no different for the VTS app (clearly, it will gain more trust from potential users if it is not highlighted by so many AV scanners …)

All the best,

Eric
