[Owasp-leaders] Battle of the cyber warrior:Testing OWASP SeraphimDroid against nasty malware

Nikola Milosevic nikola.milosevic at owasp.org
Fri Mar 18 09:09:44 UTC 2016


Hello Johanna,


The report you made is all we need. We can see that there was a security
exception regarding the vibrate permission, which is apparently a bug in
Android 4.2, fixed later in 4.2.1 (at least that is what was said on
Stack Overflow). I hope I will be able to fix the issue soon; however, I am
travelling tomorrow, so it may take a couple of days.

The test you are aiming to perform with malware is great. I don't know how
much you have familiarised yourself with the project; there are a couple of
things the app can do, but the defenses are still not perfect, and on some
of them we might be working during this GSoC, if we get a slot. Currently,
based on the permissions an app is using, we have a machine learning model
that is triggered either on app install or when you run the permission
scanner, and that should notify you whether an app is malicious or not.
However, it uses permissions only, for static analysis, with our training
set, which was the following dataset: http://m0droid.netai.net/modroid/.
It achieved around 89% accuracy, but it may report false positives and even
false negatives. Anyway, it has still not been tested on other datasets,
which makes me a bit anxious, but it is good to test it that way and see
the performance and whether we may need to adjust the model at some point
(or whether machine learning is the approach to go with at all). However,
machine learning was the only approach where we can allow some degree of
malware detection without any infrastructure for signature generation and
similar things, which is impossible for an open source project. Also, it
can be set to allow certain calls or SMS, but that is mainly a rule-based
approach (i.e. don't allow outgoing calls if not in my contact list). Some
features like this made us use a lot of permissions, as well as some
anti-theft features like geo-fencing (i.e. sending SMS is used when the
phone exits some area you defined, and it sends its location). Several
users have already told me about their concerns when they saw the
permission list, which is truly large. This is kind of where we want to
find a balance: whether to try to be innovative and try certain things, or
to keep it small. Since it is open source and everyone can check in the
code what the permissions are used for, we decided to go for research and
try to implement all the interesting features we thought of.

Anyway, thanks for the effort, and I hope we will be able to resolve the
issue.



Pozdrav/Best regards,

Nikola Milošević
OWASP Seraphimdroid project leader
nikola.milosevic at owasp.org
OWASP - Open Web Application Security Project
<https://www.owasp.org/index.php/Main_Page>
OWASP Seraphimdroid Project
<https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>

On Fri, Mar 18, 2016 at 2:49 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Nikola
>
> My apologies if I didn't send the report sooner. Indeed, I just did, and I
> have to gather some info on the device. As a user I'm clueless about what
> kind of information I should provide, but I guess the logs sent with the
> report will do, right? Let me know if this is the case.
>
> I'll attempt to install and uninstall.
>
> Keep in mind this is no formal test, but just blogging about my experience
> as a user and experimenting a little; by no means should people reading
> the blog see this as a formal QA testing procedure or similar.
>
> Basically, I'll install malware on this device, one that will be under a
> controlled environment attempting to send info to the C&C.
>
> I'll sniff the communication and check how the project protects me
> against this type of attack on the phone, what kind of warnings are
> given, and basically report my user experience.
>
> cheers
>
> Johanna
>
> On Thu, Mar 17, 2016 at 10:37 PM, Nikola Milosevic <
> nikola.milosevic at owasp.org> wrote:
>
>> Hello Johanna,
>>
>> Can you tell me a bit more about your device and the Android version you
>> are using? Also, when was it tested, and have you sent the crash report?
>>
>> I have tried to uninstall and install the app again on my Nexus 5 and it
>> works well, so it is definitely not some version in the store that should
>> not be there. I am not claiming it does not have any bugs, but what you
>> have experienced should not happen.
>>
>> Also, I would appreciate it, and probably other leaders whose projects you
>> would be testing would as well, if you could report the problem directly
>> to me or via the bug tracking platform on GitHub. I believe writing a blog
>> post with such a tendentious title and without any details about the
>> problem is a bit unfair. Especially, claiming in the post to have
>> contacted support was false, since I have no record of you contacting
>> either me or anyone else who worked on the project.
>>
>> Anyway, the fact is that this should not happen, and I would love to help
>> you resolve your issue so you are able to work with the app.
>>
>>
>>
>> Pozdrav/Best regards,
>>
>> Nikola Milošević
>> OWASP Seraphimdroid project leader
>> nikola.milosevic at owasp.org
>> OWASP - Open Web Application Security Project
>> <https://www.owasp.org/index.php/Main_Page>
>> OWASP Seraphimdroid Project
>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>
>> On Fri, Mar 18, 2016 at 2:14 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Leaders,
>>>
>>> This is a first attempt to use OWASP projects in a real scenario and
>>> report my experiences.
>>>
>>> This information will be posted on a blog site I'm working on about my
>>> experience testing OWASP projects with real implementations,
>>> applications, devices and projects:
>>>
>>>
>>> http://cybersecuritywarrior.blogspot.com/2016/03/testing-owasp-seraphimdroid-against.html
>>>
>>>
>>> Please feel free to comment.
>>>
>>> Cheers
>>> --
>>> Johanna Curiel
>>>
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>