Comments (6)

Fuzion24 commented on August 21, 2024

Eric,

A couple things:
They are just vulnerabilities, not just "possible vulnerabilities".
There is already an issue opened about adding more contextual information / maybe attempting to estimate the impact to each vulnerability check: #29

As far as remediations, you, unfortunately, have very few options:

  1. Purchase only Nexus devices
  2. Install a third-party ROM like CyanogenMod on your device

One of the primary purposes of this test suite is to bring awareness to the poor job that OEMs do in terms of security, including both the ability to patch bugs that affect Android and their lack of control in adding bloat/features which have proven to be very buggy in the past and greatly increase the attack surface of devices.

Cheers,
Ryan

from android-vts.

trattnerE commented on August 21, 2024

Hello Ryan,

Thanks for the very prompt & clear reply.

To address your remarks:

  1. Thread #29: it only asks for more info, but not for means of dealing with the open vulnerability;
  2. What to do: in the PC World, wherever vulnerabilities are found, either the OS maker patches them, or 3rd party products mask them, or manual modifications (though – at times – dangerous in their own right) are suggested (or any combination of these) to close the vulnerability or work around it. I simply hoped that such suggestions might be available for the Android too (actually, having Norton Security installed on my Samsung G800F, I was quite surprised to see that VTS found some vulnerabilities …)

Hope this helps.

Thanks again,

Eric

From: Ryan Welton
Sent: Thursday, November 05, 2015 23:37
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)

Fuzion24 commented on August 21, 2024

@trattnerE Norton (and every other anti-virus out there) do generally nothing to show you how vulnerable your device is. They often rely on very primitive techniques (checking the application name or equivalent) to identify 'malware'. The value add-on on these applications is almost always negative.

As for remediations, your options are to install a third party ROM which does not contain buggy OEM code, in your case Samsung's. Or opt for a device that is 'cleaner' and more frequently patched like the Nexus devices. Unfortunately, there are really no other options.

The techniques that you are mentioning of 'hot patching' the device have been attempted in the past: https://play.google.com/store/apps/details?id=io.rekey.rekey&hl=en but are fragile and have a potential for disaster.

trattnerE commented on August 21, 2024

Dear Ryan,

Thanks again for your reply & clarification.

One further question though: earlier today I checked all the apps installed on my Smartphone via VirusTotal – I was shocked to see that the one and only app marked as malware by some 19 (nineteen!) of the scanners was “VTS for Android”!

What is going on here? After all, this app should notify that vulnerabilities are around, and not become a liability by itself …

Kindly enlighten.

Thanks again for your attention to this matter,

Cordially,

Eric

From: Ryan Welton
Sent: Friday, November 06, 2015 01:18
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)

dweinstein commented on August 21, 2024

I think that goes to show you the value of virus scanners. They are rife with false positives and negatives.

trattnerE commented on August 21, 2024

Well David,

While the Scanners might indeed not be perfect (though they do provide some fair protection to millions of users, and they surely are better than no protection at all), wherever false positives / negatives arise it’s common practice to let the scanners’ vendors know so, to enable them to improve their detection.

I guess this should be no different for the VTS app (clearly, it will gain more trust from potential users, if it would not be highlighted by so many AV scanners …)

All the best,

Eric

From: David Weinstein
Sent: Sunday, December 06, 2015 17:46
To: nowsecure/android-vts
Cc: trattnerE
Subject: Re: [android-vts] Found the issues - and now, WHAT? (#37)