[Owasp-leaders] [Owasp-community] Battle of the cyber warrior: Testing OWASP SeraphimDroid against nasty malware

Nikola Milosevic nikola.milosevic at owasp.org
Sat Mar 19 18:44:28 UTC 2016


Hello,

Thank you, Johanna, for confirming the fix, and thank you for collaborating
with the aim of making the project better. I am sorry for being a bit
unresponsive, since I was travelling.

I had better say a couple of words about outGoingSMSReciever in order to
clarify. Unfortunately, we cannot stop outgoing SMS on non-rooted devices,
but what we do is notify users if some app other than Hangouts and the
Android SMS app is sending SMS, and, I believe, we can say which app sent the
SMS.

Yes, there is a feature that locks an app and requires a PIN
code before it runs. Similarly, it works for system services such as Wifi, mobile
internet, and Bluetooth. It is mainly designed with privacy in mind; however,
yes, it can be used as a preventive measure.



Pozdrav/Best regards,

Nikola Milošević
OWASP Seraphimdroid project leader
nikola.milosevic at owasp.org
OWASP - Open Web Application Security Project
<https://www.owasp.org/index.php/Main_Page>
OWASP Seraphimdroid Project
<https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>

On Sat, Mar 19, 2016 at 7:13 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi All,
>
> Nikola and team fixed the issue in no time.
> I was able to install it now and it works fine :)
>
>
> https://github.com/nikolamilosevic86/owasp-seraphimdroid/issues/33#issuecomment-198543264
>
> Nikola, I'll continue testing and report my findings to your team through
> the project mailing list/github
>
> This time the test is going to be a little scarier on a real phone with
> SMS and balance. (Make sure I have little balance to see how it goes ;-P)
>
> @ Azzeddine: I'm having a call with HackerOne on Tuesday to set up a POC
> platform for pen testing the CSRF project.
> I'll discuss later with you regarding specific bounties and tests, also
> through your mailing list.
>
> Results will be published through my blog for those interested to know how
> these warrior projects perform against some real threats, such as top hackers on
> HackerOne, and against hot malware in the wild.
>
> Cheers
>
> On Fri, Mar 18, 2016 at 7:47 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Nikola
>>
>> I decided to do a test on an Emulator.
>>
>> What I can say, correct me if I'm wrong, is that a user has the ability
>> to lock apps and services as a preventive measure.
>> What happens if I decide to lock?
>> The trojan
>> <http://home.mcafee.com/virusinfo/virusprofile.aspx?key=9609501> that I
>> downloaded on a tablet attempts to use SMS to premium rate numbers. While
>> I downloaded it, I actually locked all other services in
>> SeraphimDroid. Of course this emulator is not connected to any SMS, but
>> when I looked back at the running app I could see the outGoingSmsRecepter
>> active, which I did not see before (see print screen).
>>
>> I think I'll continue this conversation on the project mailing list.
>> Anyways, so far it seems that it blocked the activities of this trojan :)
>> I also like the fact that you can block the app, and every time it is necessary
>> to provide the code to unlock it.
>>
>> http://home.mcafee.com/virusinfo/virusprofile.aspx?key=9609501
>>
>>
>> Cheers
>>
>> Johanna
>>
>> On Fri, Mar 18, 2016 at 5:51 PM, Nikola Milosevic <
>> nikola.milosevic at owasp.org> wrote:
>>
>>> @Azzeddine by false negatives I mean false negatives. A false negative
>>> will be malware that was not detected, while a false positive would be a benign
>>> app flagged as malware, a true negative is a benign app flagged as a benign app,
>>> and a true positive is malware flagged as malware. I hope that makes the
>>> terminology clear?
>>>
>>> @Johanna thank you for your kind words. It is very nice to hear that.
>>> However, my bravery to go into machine learning comes from the fact that
>>> part of my university work/research is machine learning related. I am
>>> probably more of a machine learning/text mining/data science guy than a security
>>> guy, although I obviously have a strong interest in it, otherwise I would not
>>> be involved in OWASP. And I believe merging these fields can work to the
>>> benefit of both of them. However, I agree it is complex, especially to
>>> properly test the models. I have updated the app on the store with a fix made
>>> by our contributor Kartik Kohli, so I hope it will propagate over the store
>>> by tomorrow and you can try it. I hope it will work, but anyway let me know
>>> (in case it works, I can close the issue, otherwise back to the drawing
>>> board).
>>>
>>>
>>> Pozdrav/Best regards,
>>>
>>> Nikola Milošević
>>> OWASP Seraphimdroid project leader
>>> nikola.milosevic at owasp.org
>>> OWASP - Open Web Application Security Project
>>> <https://www.owasp.org/index.php/Main_Page>
>>> OWASP Seraphimdroid Project
>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>
>>> On Fri, Mar 18, 2016 at 4:11 PM, Azzeddine Ramrami <
>>> azzeddine.ramrami at owasp.org> wrote:
>>>
>>>> Just for information, in version 4.0 of CSRFGuard I added several
>>>> techniques using Cognitive Security (AI). I will publish the new code ASAP.
>>>>
>>>> Cordialement.
>>>> Azzeddine RAMRAMI
>>>>
>>>> On Fri, Mar 18, 2016 at 4:31 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Nikola
>>>>>
>>>>> I'm quite familiarised with the project, and the reason I chose it is
>>>>> because I think people should know more about this.
>>>>> No project at OWASP, so far, is attempting to do something in the area
>>>>> of machine learning implementation for security, and I find this
>>>>> fascinating, especially because I myself finished the Coursera Machine
>>>>> Learning course from Stanford, and I know how complex it is to implement this.
>>>>>
>>>>> While I understand your concerns, let me assure you that given the
>>>>> resources and the fact that you are a brave project leader (who also has a
>>>>> full time job), no one should be judging any results.
>>>>>
>>>>> My malware test will be from the most benign to the most aggressive,
>>>>> just to see how it goes as I escalate the type of malware, especially
>>>>> because it is the only project applying machine learning at OWASP.
>>>>>
>>>>> In fact, if your project performs well, it will only reassure me
>>>>> (I don't talk in the name of OWASP since I'm not part of project
>>>>> reviews anymore) that your project should definitely qualify for a higher
>>>>> ranking than just another incubator project.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 18, 2016 at 5:09 AM, Nikola Milosevic <
>>>>> nikola.milosevic at owasp.org> wrote:
>>>>>
>>>>>> Hello Johanna,
>>>>>>
>>>>>>
>>>>>> The report you made is all we need. We can see that there was some
>>>>>> security exception regarding the vibrate permission, which is apparently some
>>>>>> bug of Android 4.2, fixed later in 4.2.1 (at least that was said on
>>>>>> Stack Overflow). I hope I will be able to fix the issue soon; however, I am
>>>>>> travelling tomorrow, so it may take a couple of days.
>>>>>>
>>>>>> The test you are aiming to perform with malware is great. I don't
>>>>>> know how much you have familiarised yourself with the project; there are a couple
>>>>>> of things the app can do, but still the defenses are not perfect, and on some we
>>>>>> might be working during this GSoC, if we get a slot. Currently, based on
>>>>>> the permissions an app is using, we have a machine learning model that is
>>>>>> triggered either on app install or when you run the permission scanner, and that
>>>>>> should notify you whether the app is malicious or not. However, it uses
>>>>>> permissions only, for static analysis, with our training set, which was the
>>>>>> following dataset: http://m0droid.netai.net/modroid/. It
>>>>>> achieved around 89% accuracy. But it may report false positives and even
>>>>>> false negatives. Anyway, it was still not tested on other datasets, which
>>>>>> makes me a bit anxious, but it is good to test it that way and see the
>>>>>> performance and whether we may need to adjust the model at some point (or
>>>>>> whether machine learning is the approach to go with at all). However, machine
>>>>>> learning was the only approach where we can allow some degree of malware
>>>>>> detection without any infrastructure for signature generation and similar
>>>>>> things, which is impossible for an open source project. Also, it can be set
>>>>>> to allow certain calls or SMS, but that is mainly a rule based approach (i.e.
>>>>>> don't allow outgoing calls if not in my contact list). Some features like
>>>>>> this made us use a lot of permissions, as well as some anti-theft features
>>>>>> like geo-fencing (i.e. sending SMS is used when the phone exits some area you
>>>>>> defined, and it sends its location). Several users already told me about
>>>>>> their concerns when they saw the permission list, which is truly large.
>>>>>> Here it is kinda where we want to balance, whether it will be to try to be
>>>>>> innovative and try certain things or keep it small. Since it is open source
>>>>>> and everyone can check in the code what the permissions are used for, we
>>>>>> decided to go for research and try to implement all the interesting
>>>>>> features we thought of.
>>>>>>
>>>>>> Anyway, thanks for the effort, and I hope we will be able to resolve
>>>>>> the issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Pozdrav/Best regards,
>>>>>>
>>>>>> Nikola Milošević
>>>>>> OWASP Seraphimdroid project leader
>>>>>> nikola.milosevic at owasp.org
>>>>>> OWASP - Open Web Application Security Project
>>>>>> <https://www.owasp.org/index.php/Main_Page>
>>>>>> OWASP Seraphimdroid Project
>>>>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>>>>
>>>>>> On Fri, Mar 18, 2016 at 2:49 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Hi Nikola
>>>>>>>
>>>>>>> My excuses if I didn't send the report sooner. Indeed I just did, and
>>>>>>> I have to gather some info on the device. As a user I'm clueless what kind
>>>>>>> of information I should provide, but I guess the logs as the report was
>>>>>>> sent will do this, right? Let me know if this is the case.
>>>>>>>
>>>>>>> I'll attempt install and uninstall.
>>>>>>>
>>>>>>> Keep in mind this is no formal test but just blogging about my
>>>>>>> experience as a user and experimenting a little; by no means should people
>>>>>>> reading the blog see this as formal QA testing procedures or the
>>>>>>> like.
>>>>>>>
>>>>>>> Basically I'll install malware on this device, one that will be
>>>>>>> under a controlled environment attempting to send info to the C&C.
>>>>>>>
>>>>>>> I'll sniff the communication and check how the project protects
>>>>>>> me against this type of attack on the phone, what kind of warnings are
>>>>>>> given, and basically report my user experience.
>>>>>>>
>>>>>>> cheers
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Thu, Mar 17, 2016 at 10:37 PM, Nikola Milosevic <
>>>>>>> nikola.milosevic at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hello Johanna,
>>>>>>>>
>>>>>>>> Can you tell me a bit more about your device and Android version
>>>>>>>> you are using? Also, when was it tested and have you sent the crash report?
>>>>>>>>
>>>>>>>> I have tried to uninstall and install again the app on my Nexus 5
>>>>>>>> and it works well, so definitely it is not some version in the store that
>>>>>>>> should not be there. I am not claiming it does not have any bugs, but what
>>>>>>>> you have experienced should not happen.
>>>>>>>>
>>>>>>>> Also, I would appreciate, and probably other leaders as well whose
>>>>>>>> projects you would be testing, if you could report the problem directly to
>>>>>>>> me or via the bug tracking platform on GitHub. I believe writing a blog post
>>>>>>>> with such a tendentious title and without any details about the problem is a bit
>>>>>>>> unfair. Especially, claiming to have contacted support in the post was false, since
>>>>>>>> I have no record of you contacting either me or anyone else who worked
>>>>>>>> on the project.
>>>>>>>>
>>>>>>>> Anyway, the fact is that this should not happen and I would love to
>>>>>>>> help you resolve your issue and be able to work with the app.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Pozdrav/Best regards,
>>>>>>>>
>>>>>>>> Nikola Milošević
>>>>>>>> OWASP Seraphimdroid project leader
>>>>>>>> nikola.milosevic at owasp.org
>>>>>>>> OWASP - Open Web Application Security Project
>>>>>>>> <https://www.owasp.org/index.php/Main_Page>
>>>>>>>> OWASP Seraphimdroid Project
>>>>>>>> <https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project>
>>>>>>>>
>>>>>>>> On Fri, Mar 18, 2016 at 2:14 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Leaders,
>>>>>>>>>
>>>>>>>>> This is a first attempt to use OWASP projects in a real scenario
>>>>>>>>> and report my experiences.
>>>>>>>>>
>>>>>>>>> This information will be posted in a blog site I'm working on
>>>>>>>>> about my experience testing OWASP projects with real implementations,
>>>>>>>>> applications, devices and projects.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://cybersecuritywarrior.blogspot.com/2016/03/testing-owasp-seraphimdroid-against.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please feel free to comment
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>> --
>>>>>>>>> Johanna Curiel
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>> OWASP Volunteer
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-community mailing list
>>>>> Owasp-community at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Azzeddine RAMRAMI
>>>> +33 6 65 48 90 04.
>>>> Enterprise Security Architect
>>>> OWASP Leader (Morocco Chapter)
>>>> Mozilla Security Projects Mentor
>>>>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
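The permission-based detector Nikola describes in his message of Fri, Mar 18, 5:09 AM (a model trained on the permissions an app declares, which can report both false positives and false negatives) and the confusion-matrix terms he defines in his message of 5:51 PM the same day can be made concrete with a small worked example. The Python below is added here and is not SeraphimDroid's code: it trains a Bernoulli naive Bayes classifier on a constructed set of permission lists, scores a held-out set, and derives TP/FP/TN/FN plus accuracy, precision and recall from the predictions. The permission names are real Android permission identifiers, but the apps, their labels and the train/test split are invented for the illustration, and the model family is an assumption, since the thread does not say which algorithm SeraphimDroid uses.

```python
"""Permission-based Android malware classifier: an added worked example.

Bernoulli naive Bayes over the set of permissions an app declares, trained
and scored on a small constructed dataset, followed by the confusion matrix
(TP/FP/TN/FN) and the accuracy/precision/recall derived from it.  The model
family and the sample apps are assumptions for illustration only.
"""
import math
from collections import Counter

MALWARE, BENIGN = 1, 0

# Constructed training data (permission set, label).  Permission names are
# real Android identifiers; the apps and their labels are invented.
TRAIN = [
    ({"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"}, MALWARE),
    ({"INTERNET", "SEND_SMS", "READ_CONTACTS", "READ_PHONE_STATE"}, MALWARE),
    ({"SEND_SMS", "RECEIVE_BOOT_COMPLETED", "READ_PHONE_STATE"}, MALWARE),
    ({"INTERNET", "SEND_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED",
      "READ_PHONE_STATE"}, MALWARE),
    ({"INTERNET", "VIBRATE"}, BENIGN),
    ({"INTERNET", "CAMERA", "VIBRATE"}, BENIGN),
    ({"ACCESS_FINE_LOCATION", "INTERNET"}, BENIGN),
    ({"CAMERA"}, BENIGN),
]

# Constructed held-out set.  It deliberately contains a legitimate messaging
# app (false-positive candidate) and spyware that never touches SMS
# (false-negative candidate), the two error types the thread anticipates.
TEST = [
    ({"INTERNET", "SEND_SMS", "READ_PHONE_STATE"}, MALWARE),
    ({"INTERNET", "CAMERA"}, BENIGN),
    ({"INTERNET", "SEND_SMS", "READ_CONTACTS"}, BENIGN),        # legitimate messenger
    ({"INTERNET", "ACCESS_FINE_LOCATION", "CAMERA"}, MALWARE),  # location/camera spyware
    ({"SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED", "READ_CONTACTS"}, MALWARE),
    ({"VIBRATE", "INTERNET", "ACCESS_FINE_LOCATION"}, BENIGN),
]


class PermissionNaiveBayes:
    """Bernoulli naive Bayes with add-one smoothing; each permission in the
    training vocabulary is a binary feature (declared or not)."""

    def __init__(self):
        self.vocab = set()
        self.prior = {}  # class -> P(class)
        self.cond = {}   # class -> {permission -> P(declared | class)}

    def fit(self, samples):
        by_class = {MALWARE: [], BENIGN: []}
        for perms, label in samples:
            by_class[label].append(perms)
            self.vocab |= perms
        for label, apps in by_class.items():
            self.prior[label] = len(apps) / len(samples)
            counts = Counter(p for perms in apps for p in perms)
            # (count + 1) / (n + 2) keeps a never-seen permission from zeroing a class
            self.cond[label] = {p: (counts[p] + 1) / (len(apps) + 2) for p in self.vocab}
        return self

    def log_posterior(self, perms, label):
        """Unnormalised log P(label | permissions); absent features count too."""
        score = math.log(self.prior[label])
        for p in self.vocab:
            prob = self.cond[label][p]
            score += math.log(prob if p in perms else 1.0 - prob)
        return score

    def predict(self, perms):
        # Permissions outside the training vocabulary are simply ignored.
        if self.log_posterior(perms, MALWARE) > self.log_posterior(perms, BENIGN):
            return MALWARE
        return BENIGN


def confusion_matrix(model, samples):
    """Count outcomes in the thread's terminology (malware is the positive class)."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for perms, label in samples:
        flagged = model.predict(perms) == MALWARE
        if label == MALWARE:
            cm["TP" if flagged else "FN"] += 1
        else:
            cm["FP" if flagged else "TN"] += 1
    return cm


def metrics(cm):
    """Accuracy, precision and recall derived from the confusion matrix."""
    total = sum(cm.values())
    flagged = cm["TP"] + cm["FP"]
    actual_malware = cm["TP"] + cm["FN"]
    return {
        "accuracy": (cm["TP"] + cm["TN"]) / total if total else 0.0,
        "precision": cm["TP"] / flagged if flagged else 0.0,
        "recall": cm["TP"] / actual_malware if actual_malware else 0.0,
    }


def evaluate(train=TRAIN, test=TEST):
    """Train on `train`, score `test`; returns (model, confusion matrix, metrics)."""
    model = PermissionNaiveBayes().fit(train)
    cm = confusion_matrix(model, test)
    return model, cm, metrics(cm)


if __name__ == "__main__":
    _, cm, m = evaluate()
    print("confusion matrix:", cm)
    print("metrics:", {k: round(v, 3) for k, v in m.items()})
```

On this constructed split the model flags the SMS-using messenger as malware (a false positive) and misses the spyware that only uses location and camera (a false negative), which is exactly what a permission-only static feature set can be expected to do: the headline accuracy (4 out of 6 here) hides which kind of error occurred, and only the matrix tells a tester whether the model is over-blocking benign apps or letting malware through. Swapping in a different dataset, as the thread proposes, means replacing TRAIN and TEST with real permission lists extracted from manifests; the evaluation code stays the same.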