[Owasp-leaders] [Owasp-community] Battle of the cyber warrior: Testing OWASP SeraphimDroid against nasty malware

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Fri Mar 18 16:11:02 UTC 2016

Just for information, in version 4.0 of CSRFGuard I added several
techniques using Cognitive Security (AI). I will publish the new code ASAP.

Azzeddine RAMRAMI

On Fri, Mar 18, 2016 at 4:31 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Nikola
> I'm quite familiarised with the project and the reason I choose it is
> because I think people should know more about this.
> No project at owasp, so far, is attempting to do something in the area of
> Machine learning implementation for security and I find this fascinating,
> especially because I finalised myself the coursera Machine learning course
> from Stanford, and I know how complex it is to implement this.
> While I understand your concerns, let me assure you that given the
> resources and the fact that you are a brave project leader (who has also a
> full time job), no one should be judging any results.
> My malware test will be from the most benign to the most aggressive, just
> to see how it goes as I escalate the type of malware, especially because it is
> the only project applying machine learning at OWASP.
> In fact, if your project performs well, it will only reassure me (I
> don't now talk in the name of OWASP since I'm not part of project reviews
> anymore) that your project should definitely qualify in a higher ranking
> than just another incubator project.
> Cheers
> Johanna
> On Fri, Mar 18, 2016 at 5:09 AM, Nikola Milosevic <
> nikola.milosevic at owasp.org> wrote:
>> Hello Johanna,
>> The report you made is all we need. We can see that there was some
>> security exception regarding vibrate permission, which is apparently some
>> bug of Android 4.2, fixed later in 4.2.1 (at least that was said on
>> stackoverflow). I hope I will be able to fix the issue soon, however, I am
>> travelling tomorrow, so it may take a couple of days.
>> The test you are aiming to perform with malware is great. I don't know
>> how much you did familiarise yourself with the project; there are a couple of
>> things the app can do, but still the defenses are not perfect and on some we might
>> be working during this GSoC, if we get some slot. Currently, based on
>> the permissions the app is using, we have some machine learning model that is
>> triggered either on app install or when you run the permission scanner, and that
>> should notify you whether the app is malicious or not. However, since it uses
>> permissions only for static analysis, with our training set, which was the
>> following dataset, http://m0droid.netai.net/modroid/, it achieved around
>> 89% accuracy. But it may report false positives and even false negatives.
>> Anyway, it was still not tested on other datasets, which makes me a bit
>> anxious, but it is good to test it that way and see the performance and
>> whether we may need to adjust the model at some point (or whether machine
>> learning is the approach to go with at all). However, machine learning was the only
>> approach where we can allow some degree of malware detection without any
>> infrastructure for signature generation and similar things, which is
>> impossible for an open source project. Also, it can be set to allow certain
>> calls or SMS, but that is mainly a rule-based approach (i.e. don't allow
>> outgoing calls if not in my contact list). Some features like this made us
>> use a lot of permissions, as well as some anti-theft features like
>> geo-fencing (i.e. sending SMS is used when the phone exits some area you
>> defined and it sends its location). Several users already told me about
>> their concerns when they saw the permission list, which is truly large.
>> Here it is kinda where we want to balance, whether it will be to try to be
>> innovative and try certain things or keep it small. Since it is open source
>> and everyone can check the code for what the permissions are used for, we
>> decided to go for research and try to implement all the interesting
>> features we thought of.
>> Anyway, thanks for the effort and I hope, we will be able to resolve the
>> issue.
>> Pozdrav/Best regards,
>> Nikola Milošević
>> OWASP Seraphimdroid project leader
>> nikola.milosevic at owasp.org
>> OWASP - Open Web Application Security Project
>> <https://www.owasp.org/index.php/Main_Page>
>> OWASP Seraphimdroid Project
>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>> On Fri, Mar 18, 2016 at 2:49 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Hi Nikola
>>> My excuses if I didn't send the report sooner. Indeed I just did and I
>>> have to gather some info on the device. As a user I'm clueless what kind of
>>> information I should provide, but I guess the logs as the report was sent
>>> will do this, right? Let me know if this is the case.
>>> I'll attempt install and uninstall.
>>> Keep in mind this is no formal test but just blogging about my
>>> experience as a user and experimenting a little; by no means should people
>>> reading the blog see this as formal QA testing procedures or the
>>> similar.
>>> Basically I'll install malware on this device, one that will be under a
>>> controlled environment attempting to send info to the C&C.
>>> I'll sniff the communication and check how the project protects me
>>> against this type of attacks to the phone, what kind of warnings are given,
>>> basically report my user experience.
>>> cheers
>>> Johanna
>>> On Thu, Mar 17, 2016 at 10:37 PM, Nikola Milosevic <
>>> nikola.milosevic at owasp.org> wrote:
>>>> Hello Johanna,
>>>> Can you tell me a bit more about your device and Android version you
>>>> are using? Also, when was it tested and have you sent the crash report?
>>>> I have tried to uninstall and install again the app on my Nexus 5 and
>>>> it works well, so definitely it is not some version in a store that should
>>>> not be there. I am not claiming it does not have any bugs, but what you
>>>> have experienced should not happen.
>>>> Also, I would appreciate, and probably other leaders as well whose
>>>> project you would be testing, if you could report the problem directly to
>>>> me or via the bug tracking platform on GitHub. I believe writing a blog post
>>>> with such a tendentious title and without any details about a problem is a bit
>>>> unfair. Especially, claiming to contact support in a post was false, since
>>>> I have no record of you contacting either me or anyone else who worked
>>>> on a project.
>>>> Anyway, the fact is that this should not happen and I would love to
>>>> help you resolve your issue and be able to work with the app.
>>>> Pozdrav/Best regards,
>>>> Nikola Milošević
>>>> OWASP Seraphimdroid project leader
>>>> nikola.milosevic at owasp.org
>>>> OWASP - Open Web Application Security Project
>>>> <https://www.owasp.org/index.php/Main_Page>
>>>> OWASP Seraphimdroid Project
>>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>> On Fri, Mar 18, 2016 at 2:14 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>> Leaders,
>>>>> This is a first attempt to use OWASP projects in a real scenario and
>>>>> report my experiences
>>>>> This information will be posted in a blog site I'm working on about my
>>>>> experience testing OWASP projects with real implementations, application,
>>>>> devices and projects
>>>>> http://cybersecuritywarrior.blogspot.com/2016/03/testing-owasp-seraphimdroid-against.html
>>>>> Please feel free to comment
>>>>> Cheers
>>>>> --
>>>>> Johanna Curiel
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
> --
> Johanna Curiel
> OWASP Volunteer

Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor