Comments (6)
Eric,
A couple things:
They are just vulnerabilities, not just "possible vulnerabilities".
There is already an issue opened about adding more contextual information / maybe attempting to estimate the impact to each vulnerability check: #29
As far as remediations, you, unfortunately, have very few options:
- Purchase only Nexus devices
- Install a third party ROM like Cyanogenmod on your device
One of the primary purposes of this test suite is to bring awareness to the poor job that OEMs do in terms of security, including both the ability to patch bugs that affect Android and their lack of control in adding bloat/features which have proven to be very buggy in the past and greatly increase the attack surface of devices.
Cheers,
Ryan
from android-vts.
Hello Ryan,
Thanks for the very prompt & clear reply.
To address your remarks:
- Thread #29: it only asks for more info, but not for means of dealing with the open vulnerability;
- What to do: in the PC world, wherever vulnerabilities are found, either the OS maker patches them, or 3rd party products mask them, or manual modifications (though – at times – dangerous in their own right) are suggested (or any combination of these) to close the vulnerability or work around it. I simply hoped that such suggestions might be available for the Android too (actually, having Norton Security installed on my Samsung G800F, I was quite surprised to see that VTS found some vulnerabilities …)
Hope this helps.
Thanks again,
Eric
From: Ryan Welton [mailto:[email protected]]
Sent: Thursday, November 05, 2015 23:37
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)
from android-vts.
@trattnerE Norton (and every other anti-virus out there) generally do nothing to show you how vulnerable your device is. They often rely on very primitive techniques (checking the application name or equivalent) to identify 'malware'. The value add-on on these applications is almost always negative.
As for remediations, your options are to install a third party ROM which does not contain buggy OEM code, in your case Samsung's, or opt for a device that is 'cleaner' and more frequently patched like the Nexus devices. Unfortunately, there are really no other options.
The techniques that you are mentioning of 'hot patching' the device have been attempted in the past: https://play.google.com/store/apps/details?id=io.rekey.rekey&hl=en but are fragile and have a potential for disaster.
from android-vts.
Dear Ryan,
Thanks again for your reply & clarification.
One further question though: earlier today I checked all the apps installed on my Smartphone via VirusTotal – I was shocked to see that the one and only app marked as malware by some 19 (nineteen!) of the scanners was “VTS for Android”!
What is going on here? After all, this app should notify that vulnerabilities are around, and not become a liability by itself …
Kindly enlighten.
Thanks again for your attention to this matter,
Cordially,
Eric
From: Ryan Welton [mailto:[email protected]]
Sent: Friday, November 06, 2015 01:18
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)
from android-vts.
I think that goes to show you the value of virus scanners. They are rife with false positives and negatives.
from android-vts.
Well David,
While the scanners might indeed not be perfect (though they do provide some fair protection to millions of users, and they surely are better than no protection at all), wherever false positives / negatives arise it’s common practice to let the scanners’ vendors know so, to enable them to improve their detection.
I guess this should be no different for the VTS app (clearly, it will gain more trust from potential users, if it would not be highlighted by so many AV scanners …)
All the best,
Eric
From: David Weinstein [mailto:[email protected]]
Sent: Sunday, December 06, 2015 17:46
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)
from android-vts.