Closed baltpeter closed 2 weeks ago
The plan is to have separate analysis runners that are isolated from the server running platform
as a security boundary. These runners will not be exposed to the internet and will only be available on an internal network (e.g. https://docs.hetzner.com/cloud/networks/overview). In addition, a token will be necessary to start an analysis.
To start an analysis, platform
sends (id, platform, appId)
to a runner via an API call. The runner adds the item to an internal queue.
When an item is due to be run, the runner downloads the app and analyses it. After the analysis is done or when it fails, it sends the results back to platform
via an API call.
Implemented through https://github.com/tweaselORG/analysis-runner-local/pull/1.
In #47 and #48, we are researching the necessary security considerations for automated app analyses of Android and iOS apps. But those issues only relate to the running of the apps on the respective device/emulator. In this issue, I want to plan the general security considerations for the platform and analysis environment at a whole.