Monday, November 2, 2015

We are looking for vulnerabilities on the Android free applications – KompyuterraLab

Guides for Android

Continuing the theme of vulnerability in the Android OS, we look at ways to detect them using the free software from the official store Google Play. Since the errors are found predominantly in the system components, to eliminate many of them on their own fail – you need to update the firmware. If it is not a new version, it is sometimes possible to take alternative measures: change settings, and choose the replacement of potentially dangerous applications. Praemonitus praemunitus!

For testing, we used the three most common are now platforms: Android 4.2.1, 4.4.4 and 5.1.1. In all the cited results are respectively shown scanning from left to right. The exception is the first illustration of where we checked version of Android 5.0 – the latest in contains a fully enclosed vulnerability Stagefright.

Aimed fire

The fastest way there tools for custom checking on some fresh critical vulnerability. Usually they write not only well-known anti-virus vendors, but some security experts.

Stagefright Detector (Zimperium).
built-in media engine checks for the presence of critical errors. Now they learned eight, so the program was updated.


Heartbleed Detector (Lookout Mobile Security)
Checks any OpenSSL library use application. Among them are a lot of vulnerable versions.


The old versions of the libraries found in all test platforms, but all they do not pose a significant threat, since it does not affect browser. In other applications, their use is much more difficult.

OpenSSL FREAK Scanner (Trustlook Mobile Security)
may find another dangerous vulnerability in OpenSSL – CVE-2015-0204.


Total cleanup

Many vulnerabilities remain relevant for years, but not to for each of them your application – obviously not the best an approach. Fortunately, there is an application to search for several security holes. Usually – the most dangerous and widespread.

Mobile Security & amp; Compliance (iScan Online)
In Android 5.1.1 software vulnerabilities not found, so we present screenshots of the results for versions 4.2.1 and 4.4.4.

 iScan >

VTS for Android (NowSecure OSS)
Determines the risk of using Stagefright, ZipBug and manufacturer-specific threats, for example – Samsung WiFi Cred, resulting in the remote execution of arbitrary code.


Kaspersky Threat Scan (JSC« Kaspersky Lab »)
Free application for detecting four key threats.


When some utilities warn of a mass of vulnerable components, Kaspersky Threat Scan usually writes in his report that everything is in order. Why it happens, we asked the head of the management of mobile solutions, “Kaspersky Lab” Victor Yablokov.

« application Kaspersky Threat Scan checks for the presence of the most dangerous vulnerabilities that could lead to the loss of the user valuable data, personal information or money. These are Fake ID, Heartbleed, MasterKey and FREAK. However, the last really exploit the vulnerability an attacker would be extremely problematic. We deliberately did not want once again to scare the user. The most realistic and often applicable method of its operation – through a browser vulnerability. Therefore Kaspersky Threat Scan scans popular browsers for FREAK », – said Victor.

Indeed, sometimes redundant notifications about threats disorient the user, but also innuendo can be misleading. Therefore, in future versions of Kaspersky Threat Scan still would like to see more detailed results – for example, in a separate tab. Then the bulk of users will be satisfied with the overall verdict and advanced could check to see details.

Bluebox Security Scanner (Bluebox)
application to check for vulnerabilities and MasterKey FakeID, which allow to bypass the built-in mechanism for Android application control.


Recap (Palindrome Technologies)
The database contains 140 records MITRE error in system components Android. If you add it to the known vulnerabilities of the Linux kernel and the mobile application, you get an impressive list of nearly three thousand. The only tool in our review, the ability to check them all – Recap. In addition, only it has a vulnerability scanner installed applications running in the resident mode.


If you look at how many bugs have been fixed in Lollipop, the result is very impressive. The Android 5.1.1 is left program known vulnerabilities (although its base is regularly updated). The only detectable associated with the application Skype, which keeps all correspondence in clear text.


commented on the results of our survey, we asked the head of division Security of mobile applications Positive Technologies Artem Chaykin.

«While writing, and seems a little scary (or sad), Google has done and continues to do a lot of work to protect the user against all types of attacks. The latest versions of Android applications banned read syslog other programs. Mechanisms have been added to ban unprotected HTTP connection and introduced other means to enhance security. Company steps were taken to a simpler mechanism for updating individual system components. For example, one of the main objectives of hackers – module WebView, recently updated via Google Play. No more need to wait for the new firmware to close it in the next vulnerability.

In the course of consulting services, we have already tested a number of applications, including mobile banking. They’ve seen too many vulnerabilities. Fortunately, at the moment most of the attackers are not able or do not want to use them. More than 90% of Android Trojans simply rely on user carelessness. We analyzed a variety of applications since the advent of Android 2.2. When compared to how many problems we have found then the progress is evident. ”

See also


No comments:

Post a Comment