Closed baltpeter closed 2 weeks ago
baltpeter
commented
2 weeks ago The plan is to have separate analysis runners that are isolated from the server running platform as a security boundary. These runners will not be exposed to the internet and will only be available on an internal network (e.g. https://docs.hetzner.com/cloud/networks/overview). In addition, a token will be necessary to start an analysis.
baltpeter
commented
2 weeks ago To start an analysis, platform sends (id, platform, appId) to a runner via an API call. The runner adds the item to an internal queue.
When an item is due to be run, the runner downloads the app and analyses it. After the analysis is done or when it fails, it sends the results back to platform via an API call.
baltpeter
commented
2 weeks ago Implemented through https://github.com/tweaselORG/analysis-runner-local/pull/1.
In #47 and #48, we are researching the necessary security considerations for automated app analyses of Android and iOS apps. But those issues only relate to the running of the apps on the respective device/emulator. In this issue, I want to plan the general security considerations for the platform and analysis environment at a whole.