Hi Kris,

Thanks.

Sumin
________________________________________
From: Kristopher Micinski [[email protected]]
Sent: Tuesday, May 21, 2013 18:07
To: Sumin Tchen
Cc: Android Security Discussions
Subject: Re: [android-security-discuss] Re: New Android vulnerability app

Actually one point really interested me in your app: you require only
the internet permission, good job on keeping that set down!

By contrast, many apps don't look at this, still I was interested
compared to things like xray, what else could be possible:

- confused deputy attacks and interapp flows?
- Overprovisioned permissions?
- Return oriented programming at the intent level (so that apps cannot act as proxies)?
- Similarity to other apps on the market via call graph similarity?

Many others!

I guess the main point is that Android security is much more than
signature files and simple regular expression matching (though to be
honest, that's better than most of the "antivirus apps" out there for
Android).

I'd also advise you look into some of the Android app crackers, and
other markets just to see what they throw into apps: in case you need
training rules.

Kris

On Tue, May 21, 2013 at 6:02 PM, Kristopher Micinski <[email protected]> wrote:
> I'm not at all asking you to disclose the secret sauce, I'm just
> saying that your tool isn't doing very well unless it's doing some
> sort of lightweight static analysis using bytecode matching on some
> set of binary regular expressions.
>
> In other words, your secret sauce isn't very secret: everyone knows
> this can be done, it's just how much time you put into making your
> analysis set realistic.
>
> Kris
>
> On Tue, May 21, 2013 at 5:58 PM, Sumin Tchen <[email protected]> wrote:
>> Hi Kris,
>>
>> You might find this study by Imperva and Technion on effectiveness of AV
>> interesting:
>> http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
>>
>> Sorry, we don't disclose the "secret sauce".
>>
>> Regards,
>> Sumin
>>
>>
>> | -----Original Message-----
>> | From: Kristopher Micinski [mailto:[email protected]]
>> | Sent: Tuesday, May 21, 2013 17:32
>> | To: Sumin Tchen
>> | Cc: Android Security Discussions
>> | Subject: Re: [android-security-discuss] Re: New Android vulnerability app
>> |
>> | On Sat, May 18, 2013 at 10:48 AM, sumin tchen <[email protected]> wrote:
>> | > Hi Kris,
>> | >
>> | > Good question! Anti-virus is based on signature files which identify
>> | > the security threats. While this worked somewhat in the past, it's
>> | > pretty ineffective against today's threats which can change their
>> | > signatures much faster than AV products can update their signatures.
>> | >
>> |
>> | This isn't my experience at all: most of the people I know doing antivirus on
>> | Android (I've read a few) do things more like regular expressions style
>> | matching on bytecode for apps. Lightweight static analysis is a key to
>> | antivirus (though of course not the only option, it's all a numbers game): it's
>> | way more than just signature files.
>> |
>> | > Belarc's Security Advisor is based on discovering and helping you
>> | > update the existing vulnerabilities, both apps and operating system,
>> | > and thereby not allowing the security threats to affect your Android
>> | > device. This works no matter how often the threat signatures change.
>> | >
>> |
>> | You still didn't really mention at all what techniques your tool employs. You
>> | don't have to give any hint at how your "secret sauce"
>> | is, of course, but I was more interested in what style of binary analysis
>> | techniques you were using.
>> |
>> | > Naturally there are always new vulnerabilities being discovered, and
>> | > this is why we are planning to release new updates to the Security
>> | > Advisor on a regular schedule.
>> | > We have a discussion of this topic,
>> | > with links to security papers from the NSA and SANS, here:
>> | > http://www.belarc.com/sa_full.html and here for mobiles :))
>> | > http://m.belarc.com/sa.html
>> | >
>> |
>> | Sure, I agree completely that there are some device specific holes that need
>> | to be checked against apps and other things, but I am still unable to find out
>> | how this is working..
>> |
>> | Kris
