Best free static code analysis tool similar to HP's Fortify. - Security Discussion

Hi,
I have a query regarding static code analysis tools.
I have got a report from HP's Fortify tool, which does static analysis on the source code. It has highlighted vulnerabilities in the following areas:
Security:
- Path Manipulation
- Unreleased Resource: Streams
The source code is not mine; I got it from some other firm.
The challenge is that what HP's Fortify tool scan reported, as mentioned above, is not reported when I scan the same source code with other tools like FindBugs or lint. In fact they are not showing any issues under security.
It would be good if you guys could suggest any promising free tool for static code analysis which gives a report similar to what HP Fortify gives in terms of security.
Note: I do not have access to HP's Fortify tool, so in order to validate my fixes against the reported issues, I need a similar kind of free tool which can do the job.
I have already visited these forums and checked, but did not find much help:
- MobileSecurityWiki and ashishb -> android-security on GitHub
Thanks!
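The two categories named in the question, as an added example that is not from the original post, from Fortify or from any tool vendor: a Java method that contains both a Path Manipulation and an Unreleased Resource: Streams finding, next to a rewrite that a scanner should no longer flag. It assumes the scanned code is Java (the post mentions FindBugs and lint) and uses made-up names (ReportReader, readReportUnsafe, readReportSafe, resolveInside) and a throwaway temp directory as the report location. For free tooling that can confirm the fix: SpotBugs (the successor to FindBugs) reports the stream case under its OS_OPEN_STREAM_EXCEPTION_PATH pattern, and the Find Security Bugs plugin for SpotBugs adds a PATH_TRAVERSAL_IN detector for the first; plain FindBugs has only a small security category and no path-traversal detector, which is consistent with the empty security section the poster saw.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ReportReader {

    // BEFORE: the two patterns Fortify reported, in one method.
    // Path Manipulation: 'name' arrives from the caller unvalidated and is spliced
    // into a filesystem path, so "../../etc/passwd" walks out of the report directory.
    // Unreleased Resource: Streams: if readLine() throws, close() is never reached.
    static String readReportUnsafe(Path base, String name) throws IOException {
        BufferedReader reader = new BufferedReader(new FileReader(base + "/" + name));
        String firstLine = reader.readLine();
        reader.close();
        return firstLine;
    }

    // AFTER: the name is resolved against the base directory and rejected if the
    // normalised result leaves it; the stream is opened in try-with-resources so it
    // is closed on every exit, including exceptions.
    static String readReportSafe(Path base, String name) throws IOException {
        Path target = resolveInside(base, name);
        try (BufferedReader reader = Files.newBufferedReader(target, StandardCharsets.UTF_8)) {
            return reader.readLine();
        }
    }

    // Returns base/name if it stays under base after normalisation, otherwise throws.
    // Absolute names ("/etc/passwd") replace the base in resolve(), so they fail the
    // startsWith check as well. Symlinks inside base are not detected here; if the
    // file must already exist, compare toRealPath() results instead of normalize().
    static Path resolveInside(Path base, String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new IOException("empty report name");
        }
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(name).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IOException("report name escapes directory: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a throwaway directory holding one report file.
        Path base = Files.createTempDirectory("reports");
        Files.write(base.resolve("q1.txt"), "quarterly totals\n".getBytes(StandardCharsets.UTF_8));

        System.out.println(readReportSafe(base, "q1.txt"));
        for (String bad : new String[] {"../../../etc/passwd", "/etc/passwd", "sub/../../q1.txt"}) {
            try {
                readReportSafe(base, bad);
                System.out.println("accepted (unexpected): " + bad);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac ReportReader.java && java ReportReader`: the legitimate name prints the report line and the three traversal attempts are rejected before any file is opened. Keeping the unsafe method in the same file is useful when evaluating a scanner, since a tool that misses readReportUnsafe is not going to help validate the fixes either.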

Related

[APP] TaintDroid - Realtime Privacy Monitoring

Just read this article via Gizmodo and this is definitely a must-have for some of us who are paranoid, which is just about everyone.
Overview
A joint study by Intel Labs, Penn State, and Duke University has identified that publicly available cell-phone applications from application markets are releasing consumers' private information to online advertisers. Researchers at the participating institutions have developed a realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones. In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers.
Source: http://www.appanalysis.org/
It's not released yet. Are there any other similar monitoring apps out there? This was something I've been thinking / worrying about since getting my SGS 3 weeks ago...
Near enough every app you install requires / wants at least full internet access. Not sure what private data is accessible, but this is a great source for profiling and could of course be used maliciously.
markwil said:
It's not released yet. Are there any other similar monitoring apps out there?
It looks like it will be soon.
Where can I get TaintDroid?
We will be making TaintDroid open source. Information to obtain the TaintDroid source code will be posted to this page.
Won't be an APK though; they have updated the page to say it needs to be built into the ROM. Source should be released, and nothing stops the modders from adding it to their ROMs.
Update for those interested in installing TaintDroid: Tracking how apps use sensitive information required integrating our software into the Android platform at a low level. As a result, it was not possible to implement TaintDroid as a stand-alone app. Instead, to use TaintDroid you must flash a custom-built firmware to your device, similar to a number of popular community-supported Android ROMs. In the coming days we will open-source our code through a publicly-accessible repository. Please send an email to [email protected] if you are interested in receiving a notification when the source code is available. Thank you for your interest in TaintDroid!
That works for most of us here who are rooted.
Sent from my Nexus One using XDA App
Sounds interesting, but I have to laugh at the use of the word 'taint'. Was DurfDroid taken?
The source code and instructions for compiling into kernel (Nexus One) are now given at the site:
http://appanalysis.org/download.html
This cannot be installed as an app (.apk); it's a compile-into-your-own-kernel effort at this stage.

Creating an Open Libre Device List/Table

Update, here is the new google spreadsheet.
I would like to propose that we document the "openness" state of various Android devices, so that those who are in the market for a new device can potentially get a better picture of which devices might suit them if they are concerned about such things. I have read through countless posts in the last few months, across several forums, to attempt to figure out much of this info myself, for many of the existing devices. Naturally, the state of a device can change as developers figure out how to do things with devices, or as manufacturers release more info, source, or tools. I suspect that at least a few other people would like to share in the fruits of my searches. I also suspect/hope that a few others might be willing to add their own conclusions and references to my research. Let's join together in a common place to do this. Thanks.
I propose to do that with respect to the Open Libre Device guidelines (Specification 0.0) listed below:
Open Libre Device Level 0: Functionally Open
Freedom 0.0: The ability to load software on the device unimpeded.
Freedom 0.1: The ability to access all the intended device's hardware functionality via free/libre software running on the main (non auxiliary) processors. A free/libre software reference implementation must exist to do this.
Freedom 0.2: The ability to use all the device's intended functionality (except for any device communication functionality) without the device communicating with any other device. The reference software implementation must not require external activation of any sorts.
Open Libre Device Level 1: Completely Open
Freedom 1.0: All of the freedoms of level 0
Freedom 1.1: The ability to interact with the device externally with only free/libre software. A free/libre software reference implementation must exist which implements any protocols required to communicate with the device to exercise all the freedoms of level 0. This includes loading software or accessing its functionality such as communications protocols.
Note: this likely currently precludes any cell phones from being level 1 open devices, since there are no complete free/libre software stacks for cell networks (yet).
Freedom 1.2: The ability to access the entire device's intended functionality with entirely free/libre software, including all device peripherals (auxiliary processors) running only free/libre software. Free/libre software reference implementations must exist for all device peripherals.
These are guidelines which I came up with a while ago. They are not perfect, and I welcome comments and improvements in both the intent and clarity of these guidelines. I will stipulate however, that I do not ever intend to amend this specification to be in the spirit of Open Source Hardware. The spirit here is about the software that runs on, and interacts with the devices, not about designing the hardware.
So, I am looking for:
A good place to put our list (it could be here in this thread)
A good way to keep track of this info a (table format, a db somewhere, a google spreadsheet?)
Info about devices:
Brand/Device Name/Model #, version (if it matters)
Pass or Fail with respect to any specific point in the guidelines above
A description or reference which (dis)proves 3B
Well, thanks for any support, I look forward to sharing my results with others.
Here is a sample for a device that I currently own:
Code:
Device   P/F   Freedom Point   Reference                                    Date
zt-180   P     0.0                                                          2010/11/24
         F     0.1             No kernel source                             "
         P     0.2             (*)                                          "
         F     1.0             0.1                                          "
         P     1.1             (*)                                          "
         ?     1.2             There is likely closed firmware on the GPU   "
* No known problems here
Google Spreadsheet
Well, since Matthew Garrett had a pretty good start with GPL compliance listings here:
http://www.codon.org.uk/~mjg59/android_tablets/
I decided to go ahead and create a google spreadsheet which includes columns for each of the freedom points above. I attempted to at least populate the ZT180 all the way at the bottom. Please feel free to add data for any device that you are familiar with. In particular, please add links for any references to help anyone who owns (or would like to own) such a device. Here is the spreadsheet:
https://spreadsheets.google.com/ccc?key=0AnRFPYwp3Th9dHFrRkRXOVFWam01N25DTVdXTUQxM0E&hl=en#gid=1

[dev] Project to Plug Download Security Hole in Android

I have a new project I want to start, and I will probably need some help.
I am concerned with Android's download policy. It is way too easy to download something malicious. There is no prompt confirming you want to download something; it just begins once you click on a link to a downloadable file or open an app. Downloads can also be triggered in many other ways, all of which provide no confirmation prompt. It has been proven at several Black Hat conferences over the past few months that certain parts of the Android download system can be compromised in such a way that apps can be downloaded, installed, and activated with virtually no user interaction beyond visiting an app window or a webpage. This can result in all sorts of harmful behaviors, such as MMS being sent to a premium number, phone calls being placed to premium service numbers, data being mined, etc.
While many may argue this simple download system is desired, I believe it is way too dangerous. I propose adding a confirmation prompt to all downloads. A setting can be added to override this prompt behavior for those who like to live dangerously.
To begin, I used grep to find all instances of the term "download" in the source code and pasted the results here (note: I'm working with a CM kang): Grep--download - Pastebin.com. There are other terms that should be searched for as well; this is just a beginning point.
Step 1 - determine which files need to be addressed
Step 2 - determine which point in the process it would be best to insert a prompt
Step 3 - determine the best methodology to provide additional security without compromising functionality
Step 4 - test, retest, test some more
Step 5 - submit for public scrutiny
Step 6 - make changes and test again
Step 7 - push to the AOSP source tree
If you would be interested in helping with this project, please indicate so in this thread, I will provide more details as to a project location etc as this progresses.
Thanks for any help offered!

DroidActivator - the Open Source anti-piracy system

Hi,
We have developed a new, effective licensing control system for Android called DroidActivator.
It's intended to block piracy and also gives you some interesting opportunities, such as licensing your app with an annual renewal fee, applying a subscription model to sell features or content, protecting your app outside Google Play, acquiring device data, tracking custom events and more.
It is an Open Source project licensed under LGPL.
You can take a look at the Google Code Project Page (code.google.com/p/droidactivator) and to the project web site ([www].droidactivator.org)
Hope it can help the community!
Have a nice day,
The DroidActivator developers team.
Not quite sure what the point of an open source anti-piracy app is. It just allows people to tinker with it and thus bypass it.
A protection system should not rely on hiding its code to be effective.
Any protection can be defeated by a determined pirate.
It's just a matter of making life harder.
algos-dev said:
A protection system should not rely on hiding its code to be effective. Any protection can be defeated by a determined pirate. It's just a matter of making life harder.
Isn't open source making it easier?
This is an interesting topic.
You are right, lambstone: looking at the source can help you crack the code.
But in my opinion, the point is in the targeted audience.
An open source protection would not be suited for the new angry-birds-whatever but it would be for your medium/high-priced business app.
We just have no technology to avoid piracy. If the app is interesting enough, the pirate will decompile the app, remove the protection, repackage it and share it on the web. In this scenario, whether the pirate got help by looking at the code or struggled a bit more with the binaries doesn't matter so much.
We are not willing to fight this kind of piracy. We just wanted to build a tool to help small software houses fight "casual" piracy (folks who won't search for and use a crack, but won't hesitate to violate the EULA in the absence of a technical license protection mechanism), which represents the vast majority of piracy.
lambstone said:
Isn't open source making it easier?
It cuts both ways: more people reviewing the code means that it can be made harder to crack.
Security through obscurity
DroidActivator anti-piracy system updated
DroidActivator, the Open Source anti-piracy system for Android, has been updated.
The backend now features searching in activations and events and generates activation codes automatically. The GUI has also been restyled using CSS.
If you are interested, have a look at the Google Code project page [code.google.com/p/droidactivator] or at DroidActivator's web site [3w.droidactivator.org]
Thank You,
DroidActivator's development team

Question Tb-j716f GPL source legalese

So, I was wondering if this would be of any help in attempting to get source for the Xiaoxin Pad Pro 2021. I don't know enough about the specifics, but this is under Settings > About > Open source.
If this is not relevant to our kernel dilemma, feel free to delete this thread. I just saw it on the tablet that Lenovo does everything in its power to distance itself from, but right in the stock ZUI 14 firmware this is there in black and white.
Open source information
Your mobile device may include software made publicly available by Lenovo, including software licensed under the General Public License and/or the Lesser General Public License (the "open source software").
You may obtain the corresponding machine-readable copy for any such open source software licensed under the General Public License and/or the Lesser General Public License (or any other license requiring us to make a written offer to provide corresponding source code to you) from Lenovo for a period of three years without charge except for the cost of media, shipping, and handling, upon written request to Lenovo. This offer is valid to anyone in receipt of this mobile device. You may send your request in writing to the address below accompanied by a check or money order for $5 to:
Lenovo Legal Department
Attn: Open Source Team / Source Code Requests
8001 Development Dr.
Morrisville, NC 27560
Please include the ZUI version of this mobile device as part of your request. Be sure to provide a return address.
The open source software is distributed in the hope it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See for example the GNU General Public License and/or the Lesser General Public License for more information.
To view additional information regarding licenses, acknowledgments and required copyright notices for the open source software used in your Lenovo mobile device, go to "Open source licenses" and/or "Additional Open source licenses" within the "Settings" menu on your mobile device. This mobile device may include certain pre-installed application programs or pre-configured links for downloading application programs published by parties other than Lenovo. Such third party application programs may include open source software made publicly available by the respective publishers of those application programs. You may obtain the corresponding source code for any such open source software directly from the publisher of the applicable application program, to the extent permitted under the relevant open source software license agreement. Additional information is provided by the publisher of each application program within the menu structure of its application program.
Sadly, due to the nasty market and legal environment in China, some Chinese vendors consistently do not follow the GPL open source agreement.
Besides, they also have an excuse: the TB-J716F is only for Chinese customers, and it is only natural for Chinese manufacturers to ignore Chinese users.
I myself am Chinese and I have requested many times through internal channels, but no response, of course.
That seemed to be my impression as well, but the fact they specifically call out Zui and it's a US address made me wonder.
prozack1983 said:
So, I was wondering if this would be of any help in attempting to get source for the Xiaoxin Pad Pro 2021. I don't know enough about the specifics, but this is under Settings > About > Open source.
The only way out...
