Yep! We'll also putting out some vulnerability stats in the coming weeks, which will also include examples of device builds that have regressed on security patches (hence why using version numbers is a bad idea).
On Tue, 2013-05-21 at 14:17 -0700, seattleandrew wrote: > @Jon, are you guys planning on updating the X-Ray app? It'll be > interesting to see both how yours and Sumin's apps compare in terms of > validating security issues with device builds. > > On Monday, May 20, 2013 9:05:05 AM UTC-7, Jon Oberheide wrote: > On Sat, 2013-05-18 at 14:51 -0700, sumin tchen wrote: > > There is a reason that xray is not on Google Play. It > actually tries > > to exploit the vulnerabilities and that is a no-no on Google > Play for > > obvious reasons. > > False. Have you looked at how X-Ray works? > > > The Security Advisor discovers whether the apps or OS are > vulnerable > > versions, and does this without trying to hack into the > device. > > This is a pretty lossy approach. That is, version numbers are > a bad > indicator of vulnerability. From our X-Ray results, we've seen > a lot of > false positives and false negatives if one were to determine > patch level > from version numbers. > > More to come in the next few weeks... > > Regards, > Jon Oberheide > > > On Saturday, May 18, 2013 3:18:22 PM UTC-4, Shawn Valle > wrote: > > How does this compare / differ from xray at > www.xray.io? > > > > -- > > You received this message because you are subscribed to the > Google > > Groups "Android Security Discussions" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to android-security-discuss > [email protected]. > > To post to this group, send email to > > [email protected]. > > Visit this group at > > > http://groups.google.com/group/android-security-discuss?hl=en. > > For more options, visit > https://groups.google.com/groups/opt_out. > > > > > > -- > Jon Oberheide <[email protected]> > GnuPG Key: 1024D/F47C17FE > Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C > 17FE > > > -- > You received this message because you are subscribed to the Google > Groups "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > -- Jon Oberheide <[email protected]> GnuPG Key: 1024D/F47C17FE Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
