tweaselORG / meta

(Currently) only used for the issue tracker.

Security considerations for automated analyses of Android apps #48

Closed baltpeter closed 3 weeks ago

baltpeter commented 3 weeks ago

We will essentially be allowing users to run arbitrary Android apps on our infrastructure. Unlike on iOS, we have many more options on Android for how we design our analysis environment. For one, we don't need to run on physical devices and will be using an emulator instead.


(cf. https://github.com/tweaselORG/meta/issues/47 for iOS, and https://github.com/tweaselORG/meta/issues/49 for the whole platform)

baltpeter commented 3 weeks ago

On Android, we don't need to (and won't) use a real device. Instead, we'll be using the Android emulator.

That of course makes things a lot easier than on iOS. We don't have to worry about what an app does to the device. We will just reset the emulator to a clean snapshot for each run.
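The per-run reset described in the comment above, sketched as an added example (not code from the issue or from the tweasel project). The AVD name, snapshot name and emulator serial are assumptions, and a snapshot called `clean` is assumed to have been saved beforehand.

```shell
#!/bin/sh
# Boot the AVD from a known-clean snapshot for every run and never write state back.
# AVD_NAME, CLEAN_SNAPSHOT and SERIAL are assumed values, not taken from the issue.
AVD_NAME="${AVD_NAME:-analysis-avd}"
CLEAN_SNAPSHOT="${CLEAN_SNAPSHOT:-clean}"
SERIAL="${SERIAL:-emulator-5554}"

# Names land on a command line: reject empty, option-like ("-...") and odd characters.
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the emulator arguments for one run, one per line.
emulator_args() {
  valid_name "$1" && valid_name "$2" || return 1
  # -snapshot loads the clean state; -no-snapshot-save discards changes on exit.
  printf '%s\n' -avd "$1" -snapshot "$2" -no-snapshot-save \
    -no-window -no-audio -no-boot-anim
}

# Analyse one APK in a fresh emulator instance (subshell keeps variables local).
run_once() (
  apk="$1"
  [ -f "$apk" ] || { echo "no such APK: $apk" >&2; exit 2; }
  args=$(emulator_args "$AVD_NAME" "$CLEAN_SNAPSHOT") || exit 2
  set -- $args   # safe to split: valid_name() rejected whitespace and glob characters
  emulator "$@" &
  adb -s "$SERIAL" wait-for-device
  until [ "$(adb -s "$SERIAL" shell getprop sys.boot_completed | tr -d '\r')" = 1 ]; do
    sleep 2
  done
  adb -s "$SERIAL" install "$apk"; status=$?
  # The analysis itself would run here.
  adb -s "$SERIAL" emu kill   # nothing is saved because of -no-snapshot-save
  wait
  exit "$status"
)

# Only start an emulator when an APK path is given on the command line.
if [ "$#" -ge 1 ]; then run_once "$1"; fi
```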

baltpeter commented 3 weeks ago

The other potential concern then would be apps somehow escaping the emulator and getting to the host system.

But I don't think there's much to worry about, either. The Android emulator is based on qemu (https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0036/, https://developer.android.com/studio/run/emulator-commandline#filedir), which has a solid track record.

Even after genuinely a fair bit of looking, I didn't find a single documented vulnerability. The release notes (https://developer.android.com/studio/releases/emulator) don't list any security fixes, either. Now, I'm almost sure that I must have missed something, but that's still pretty reassuring.

baltpeter commented 3 weeks ago

Nonetheless, we will also apply the same mitigations as on iOS (https://github.com/tweaselORG/meta/issues/47#issuecomment-2173161036) of only allowing apps from the Play Store with a certain number of ratings/downloads.