
Xray — Android Security Testing

X-Ray, developed by the security experts at Duo Security, allows you to scan your Android device for security vulnerabilities that put your device at risk.

X-Ray scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. The X-Ray app presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device.

X-Ray has detailed knowledge about a class of vulnerabilities known as “privilege escalation” vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.

What can I do if my device is vulnerable?

If X-Ray determines that your device is vulnerable, there are a few potential actions you can take to increase the security of your device:

  • You can check for available official updates from your carrier, usually by going to Settings > About phone > System Updates on your Android device.
  • While it might not result in an immediate remediation, you are encouraged to contact your carrier about the availability of an update to fix the vulnerabilities that X-Ray detected.
  • If no official carrier updates are available, you may be able to install a third-party ROM (e.g. CyanogenMod) that may have patched the vulnerabilities.

If you’re able to update your device, you can run X-Ray again to verify that the vulnerabilities have been sufficiently patched.

Even if you’re unable to update your device, X-Ray allows you to better understand the risks associated with your mobile device. If you know that any malicious app you download can take full control of your device using publicly available exploits, you should exercise even more caution when downloading and installing third-party apps.

Running X-Ray on your device will have no adverse effects on the security, stability, or performance of your device. X-Ray is installed and run just like any mobile application and requires no special privileges to operate. X-Ray is able to safely probe for the presence of a vulnerability without ever exploiting it.

How does X-Ray differ from mobile antivirus software?

X-Ray takes a fundamentally different approach to mobile security.

Mobile antivirus software attempts to discover malicious applications installed on your device. Unsurprisingly, mobile antivirus is quite ineffective in protecting against new attacks since the number of malicious apps that will be created is unbounded. Updating your antivirus signatures every day to address new threats is not a sustainable approach to security.

Instead of trying to detect all the possible malicious apps in the universe, X-Ray takes a different approach and seeks out the known vulnerabilities in the underlying mobile platform itself. X-Ray doesn’t care whether the apps on your device are good or bad; it only cares whether there are vulnerabilities present that bad apps often exploit to gain full control of your device.

What information does X-Ray collect from my device?

X-Ray collects information about your device, but not about you.

The collected information serves two purposes:

  • to determine whether your device is vulnerable, and
  • to collect statistics on just how many Android devices out there are vulnerable.

This information is useful to apply pressure on carriers to actually fix the underlying problem, so your participation may end up improving the security of all Android users.

Specifically, X-Ray collects the version of your OS (e.g. “2.3.6”), the make/model of your device (e.g. “Samsung Nexus S”), your carrier’s name (e.g. “T-Mobile”), a randomly generated device ID (e.g. “9a17e3fedcde4695”), and potentially vulnerable software components (e.g. “/system/bin/vold”). The information collected will not be shared with any third parties except in aggregate form (e.g. a graph showing the total number of vulnerable devices).

Source && Download

Android Security Testing: Xray download

The post Xray — Android Security Testing appeared first on DigitalMunition.

