[Owasp-leaders] Battle of the cyber warrior:Testing OWASP SeraphimDroid against nasty malware

johanna curiel curiel johanna.curiel at owasp.org
Fri Mar 18 15:31:46 UTC 2016

Hi Nikola

I'm quite familiarised with the project and the reason I choose it is
because I think people should know more about this.
No project at owasp, so far, is attempting to do something in the area of
Machine learning implementation for security and I find this fascinating,
especially because I finalised myself the coursera Machine learning course
from Stanford, and I know how complex is to implement this.

While I understand you concerns , let me assure you that given the
resources and the fact that you are a brave project leader (who has also a
full time job) , no one should be judging any results

My malware test will be from the most benign to the most aggressive, just
to see how it goes as I escalate the type of malware, especially because is
the only project applying machine learning at owasp.

In fact , if your project performs well, it will only reassure to me (I
don't know talk in the name of OWASP since I'm not part of project reviews
anymore) that your project should definitely qualify in a higher ranking
that just another incubator project.



On Fri, Mar 18, 2016 at 5:09 AM, Nikola Milosevic <
nikola.milosevic at owasp.org> wrote:

> Hello Johanna,
> The report you made is all we need. We can see that there was some
> security exception regarding vibrate permission, which is apparently some
> bug of Android 4.2, fixed later in 4.2.1 (at least that was said on
> stackoverflow). I hope I will be able to fix the issue soon, however, I am
> travelling tomorrow, so it may take a couple of days.
> The test you are aiming to perform with malware is great. I don't know how
> much you did familiarise yourself with project, there are couple of things
> app can do, but still defenses are not perfect and on some we might be
> working during this GSoC, if we get some slot. Currently, based on
> permission app is using we have some machine learning model that is
> triggered either on app install or when you run permission scanner and that
> should notify you whether app is malicious or not. However, since it uses
> permissions only for static analysis with our training set which was the
> following dataset http://m0droid.netai.net/modroid/. It achieved around
> 89% accuracy. But it may report false positives and even false negatives.
> Anyway, it was still not tested on other datasets, which makes me a bit
> anxious, but it is good to test it that way and see the performance and
> whether we may need to adjust the model at some point (or whether machine
> learning is approach to go at all). However, machine learning was the only
> approach where we can allow some degree of malware detection without any
> infrastructure for signature generation and similar things, which is
> impossible for open source project.  Also, it can be set to allow certain
> calls or sms, but that is mainly rule based approach (i.e. don't allow
> outgoing calls if not in my contact list). Some features like this made us
> use a lot of permissions as well as some anti-theft features like
> geo-fencing (i.e. sending sms is used when phone exits some area you
> defined and it sends its location). Several users already told me about
> their concerns when they saw the permission list, which is truly large.
> Here it is kinda where we want to balance, whether it will be to try to be
> innovative and try certain things or keep it small. Since it is open source
> and everyone can check the code what for the permissions are used for, we
> decided to go for research and try to implement all the interesting
> features we thought of.
> Anyway, thanks for the effort and I hope, we will be able to resolve the
> issue.
> Pozdrav/Best regards,
> Nikola Milošević
> OWASP Seraphimdroid project leader
> nikola.milosevic at owasp.org
> OWASP - Open Web Application Security Project
> <https://www.owasp.org/index.php/Main_Page>
> OWASP Seraphimdroid Project
> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
> On Fri, Mar 18, 2016 at 2:49 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Hi Nikola
>> My excuses if I didn't send the report sooner. Indeed I just did and I
>> have to gather some info on the device. As I user I'm clueless what kind of
>> information should I provide, but I guess the logs as the report was send
>> will do this, right? Let me know if this is the case.
>> I'll attempt install and uninstall.
>> Keep in mind this is no former test but just blogging about my experience
>> as an user and experimenting a little, by no means people reading the blog
>> should see this as a former QA testing procedures or the similar.
>> Basically I'll install malware on this device, one that will be under a
>> controlled environment attempting to send info to the C&C
>> I'll sniff the communication and check how does the project protect me
>> against this type of attacks to the phone,what kind of warnings are given,
>> basically report my user experience.
>> cheers
>> Johanna
>> On Thu, Mar 17, 2016 at 10:37 PM, Nikola Milosevic <
>> nikola.milosevic at owasp.org> wrote:
>>> Hello Johanna,
>>> Can you tell me a bit more about your device and Android version you are
>>> using? Also, when was it tested and have you sent the crash report?
>>> I have tried to uninstall and install again the app on my Nexus 5 and it
>>> works well, so definitely it is not some version in a store that should not
>>> be there. I am not claiming it does not have any bugs, but what you have
>>> experienced should not happen.
>>> Also, I would appreciate and probably other leaders as well whose
>>> project you would be testing, if you could report the problem directly to
>>> me or via bug tracking platform on Github. I believe writing a blog post
>>> with so tendentious title and without any details about a problem is a bit
>>> unfair. Especially, claiming to contact support in a post was false, since
>>> I have no record of you contacting neither me, nor anyone else who worked
>>> on a project.
>>> Anyway, the fact is that this should not happen and I would love to help
>>> you resolve your issue and be able to work with the app.
>>> Pozdrav/Best regards,
>>> Nikola Milošević
>>> OWASP Seraphimdroid project leader
>>> nikola.milosevic at owasp.org
>>> OWASP - Open Web Application Security Project
>>> <https://www.owasp.org/index.php/Main_Page>
>>> OWASP Seraphimdroid Project
>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>> On Fri, Mar 18, 2016 at 2:14 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Leaders,
>>>> This is a first attempt to use OWASP projects in a real scenario and
>>>> report my experiences
>>>> This information will be posted in a blog site I'm working on about my
>>>> experience testing OWASP projects with real implementations, application,
>>>> devices and projects
>>>> http://cybersecuritywarrior.blogspot.com/2016/03/testing-owasp-seraphimdroid-against.html
>>>> Please feel free to comment
>>>> Cheers
>>>> --
>>>> Johanna Curiel
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> Johanna Curiel
>> OWASP Volunteer

Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160318/bb1b98d0/attachment.html>

More information about the OWASP-Leaders mailing list