[owasp_seraphimdroid_project] Mobile antivirus epic fail and how SeraphimDroid & ZAP can help

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 19 18:44:56 UTC 2016


Hi Nikola,

Thanks for the feedback. Indeed, the testing will involve a lot more than
just using ZAP for insecure communications and some of the Top Ten mobile
risks.

Tools such as Cydia Substrate, Xposed and Apktool among others will be used
during the research/testing.

I definitely will be testing SeraphimDroid and submit the found issues.

Cheers

Johanna




On Mon, Sep 19, 2016 at 7:57 AM, Nikola Milosevic <
nikola.milosevic86 at gmail.com> wrote:

> Hello Johanna,
>
>
> Sorry for the quite late reply. The things you stated and the research you
> mentioned are quite interesting and quite a good field to
> promote ourselves, probably. However, ZAP is definitely better suited for
> testing apps. We can do some heuristics and scans, but on the app side we
> are unable to scan code and find most of the issues from OWASP Mobile Top
> 10. What we most definitely should do is make the app secure. If we can also do
> some basic scans for insecure apps, that is also quite a good idea for some
> future development. Thank you for sharing the article; also, if you have
> further ideas for the SeraphimDroid side, I am happy to listen.
>
>
>
>
>
> Best regards,
>
> Nikola Milošević
>
> On 15 September 2016 at 20:44, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Zap and Seraphimdroid team
>>
>> Recently I wrote an article regarding the security of mobile antivirus:
>> http://techbeacon.com/mobile-antivirus-introduces-vulnerability-how-devops-could-have-stopped-mess
>>
>> Many OWASP resources and projects are actually mentioned as resources for a
>> proper development lifecycle, ZAP among others.
>>
>> I'm conducting research on automation of app security testing, and one
>> of the apps I will be testing is SeraphimDroid.
>>
>> I'll be using ZAP for testing certain areas of the application, and
>> ZEST scripts.
>>
>> @SeraphimDroid team: I think, based on the mobile fiasco, if
>> SeraphimDroid enhances its security testing, patching the issues found,
>> including a Bug Bounty program, we will have a more secure app than any
>> anti-virus, and for free ;-P
>>
>> Right now I have a draft of the areas where ZAP helps in testing mobile apps:
>> https://docs.google.com/document/d/1PdkvNh0SOy5fSIcmkuDMNCNxvlKRpdFseFX_lnoJUfg/edit?usp=sharing
>>
>> If you have any ideas, feel free to give feedback.
>>
>>
>> Johanna Curiel
>>
>> _______________________________________________
>> Owasp_seraphimdroid_project mailing list
>> Owasp_seraphimdroid_project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer