Open StephenQuirolgico opened 4 years ago
richardPang517
commented
4 years ago I'm also using androwarn to anlyze apks for now , and notice you said other android static analyzers can support CVSS. I wonder if you can mention some open-source examples. Thanks very much.
StephenQuirolgico
commented
4 years ago Hi Richard,
MobSF is an open source Android and iOS analyzer that uses CVSS 2.0.
https://github.com/MobSF/Mobile-Security-Framework-MobSF
Steve
On Wed, Aug 28, 2019 at 3:43 AM richardPang517 notifications@github.com wrote:
I'm also using androwarn to anlyze apks for now , and notice you said other android static analyzers can support CVSS. I wonder if you can mention some open-source examples. Thanks very much.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/maaaaz/androwarn/issues/20?email_source=notifications&email_token=ABF6RLPKEZ3ZE7KQLFXDUD3QGYUDJA5CNFSM4IPGG332YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5KGKZA#issuecomment-525624676, or mute the thread https://github.com/notifications/unsubscribe-auth/ABF6RLLM3CFNYXF2SMMUDADQGYUDJANCNFSM4IPGG33Q .
richardPang517
commented
4 years ago thanks, I also noticed this MobSF tool and haven't research much on it. I found out androwarn cannot correctly analyze some modern apks, possiblely because of non-ascii characters(based on error info). Perhaps it's a bit too old with old python.
StephenQuirolgico
commented
4 years ago Androwarn was just updated to work with Python 3.
On Wednesday, August 28, 2019, richardPang517 notifications@github.com wrote:
thanks, I also noticed this MobSF tool and haven't research much on it. I found out androwarn cannot correctly analyze some modern apks, possiblely because of non-ascii characters(based on error info). Perhaps it's a bit too old with old python.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/maaaaz/androwarn/issues/20?email_source=notifications&email_token=ABF6RLP33OHD6I7TLEUB66DQG43WPA5CNFSM4IPGG332YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5NCHVQ#issuecomment-526001110, or mute the thread https://github.com/notifications/unsubscribe-auth/ABF6RLIHR2UF3KDGWKGZXPTQG43WPANCNFSM4IPGG33Q .
Is it possible to add an overall Risk Score to Androwarn? I think this would greatly increase its value, particularly with MDM/EMM analysts that are responsible for ensuring the safety of apps on their organization's devices, but that do not have the expertise to know if a vulnerability detected by Androwarn is low, medium, high or critical risk. For most other Android static analyzers, the Common Vulnerability Scoring System (CVSS) is the standard used for describing risk. It seems that it would be a relatively light lift to add a CVSS score for the overall risk, as well as possibly for each of the underlying vulnerability categories. We are currently using Androwarn but its lack of risk scores is making its continued use less likely.