Gizmo's Freeware Forum

Gizmo's Freeware Forum (https://www.techsupportalert.com/freeware-forum/)
-   Mobile Apps (https://www.techsupportalert.com/freeware-forum/mobile-apps/)
-   -   Check your Android Smartphone security status (https://www.techsupportalert.com/freeware-forum/mobile-apps/15908-check-your-android-smartphone-security-status.html)

IO.Hazard 28. Dec 2015 03:50 AM

Check your Android Smartphone security status
 
Android has a lot (really, A LOT) of severe security issues that could compromise your phone and data. The Android VTS tool has been out for some time, and the latest version will help you in detecting all system vulnerabilities (known as CVEs). That's the good news.

The bad news is it won't patch nor fix them since that's the work of your phone's vendor, meaning there are little chances you'll get them solved unless you a have recent flagship device.

The app was pulled from the PlayStore some weeks ago (maybe because it was a direct hit at Google), but can still be downloaded from the official GitHub page:

https://github.com/nowsecure/android-vts/releases

Even though my phone is running Lollipop 5.1.1, the app detected 5 vulnerabilities, which confirms that having the "latest" android version doesn't mean your phone is protected.

Sope 28. Dec 2015 12:52 PM

Interesting thanks.

What is your view of the VirusTotal scan of the Android VTS Tool, anything to worry about??

Anupam 28. Dec 2015 01:08 PM

Android Lollipop is not the latest, to be correct. Android Marshmallow is the latest version.

And with this release of the OS, Google and other vendors have decided to release monthly stability and security patches for the OS, which is quite a good decision, keeping in mind the security.

I have a Nexus 5, and it has been receiving these monthly updates.

However, yes, when the vendor decides not to release any more updates for that device, then it's a problem.

IO.Hazard 28. Dec 2015 08:20 PM

Quote:

Originally Posted by Sope (Post 115860)
What is your view of the VirusTotal scan of the Android VTS Tool, anything to worry about??

Nothing to worry about. The app uses the same procedure a malicious tool would (in this case the infamous Stagefright vulnerability) but only to explore if the phone is vulnerable or not. It will not tamper with your phone in any way. The VTS Tool is open-source, so anyone can audit the code and report possible backdoors.

@Anupam,

Yes, you're right. Android M (6.0.1 to be more specific) is the latest version of Android, but is only available for some Nexus and Pure Edition devices, which are controlled by Google. The rest of devices are running Android JellyBean, KitKat or Lollipop at best, and only some lucky ones are to receive the 6.0.1 update in January or February.

As for the monthly stability and security patches, once again the Nexus series seems to be the only one receiving them through the "Android Security Bulletin Monthly Release". Although Motorola, LG, and Samsung were the first vendors to jump in, only users with the more expensive phones have seen the so-called monthly updates, if any. (Source)

According to the latest official Android distribution figures (December 2015), Android M just hit the 0,5% mark (very low), while Lollipop reached the 29,5% and KitKat still dominates with a solid 36,6%. Even the dated JellyBean, with all its variations, has a 26,9% distribution share.

If Lollipop 5.1.1 had 5 vulnerabilities out of 26 possible, I wonder how the lower, older versions, would fare against the VST tool.

Sope 28. Dec 2015 08:27 PM

Quote:

Originally Posted by IO.Hazard (Post 115869)
Nothing to worry about. The app uses the same procedure a malicious tool would (in this case the infamous Stagefright vulnerability) but only to explore if the phone is vulnerable or not. It will not tamper with your phone in any way. The VTS Tool is open-source, so anyone can audit the code and report possible backdoors.

Thanks for that.

Anupam 29. Dec 2015 09:24 AM

Good points IO.Hazard. And quite some points of concern there for the end users. First, they have to wait a really long time for any update, and then security patches being provided only to flagship devices is just not fair.

Sope 29. Dec 2015 10:26 AM

My phone running ICS 4.0.9 has 14 vulnerabilities according to the VTS Tool :eek:

I am looking to upgrade soon (long overdue :rolleyes:) but it sounds like that still won't guarantee reliable security. Not that I've ever trusted using my phone for sensitive stuff like online banking and such.

UserError 22. Jan 2016 05:01 AM

Just installed the app from the official link. My phone is on KitKat 4.4.4 and 10 vulnerabilities were detected, too bad. All of them are 'serious' and my phone is stuck with this android version.

Google should have implemented 'granular system updates' the same way it did with the permissions. That way you could patch the system without the need of big, updated firmwares.

BTW, this screen got my attention during the installation:

http://i66.tinypic.com/2944cvp.jpg

Is that a confirmation that antivirus apps are just a waste internal storage, battery life, and other valuables system resources? If a serious developer like this one states this, I think I should listen to him.

Burn-IT 23. Jan 2016 12:00 AM

Using your phone makes you less secure! Fact
But that comment may actually be true under many circumstances.

Relying on AV to keep your phone safe is not a good idea. You should still be careful what sites you visit.
AV will help to reduce the likelihood of getting a virus by accident, but if you visit iffy sites then it won't stop al of them.

trainman261 23. Jan 2016 03:26 PM

I'll jump in on the whole antivirus thing - and I'll go out on a limb and say it's not necessary. Here's why:
1. Android already has a certain security mechanism built-in - it does, as far as I know, scan apps when they are installed.
2. If you stick to the Google Play Store or another reliable app store, you should be fine when it comes to avoiding viruses, if you take a look at what you download and don't just download an app from a random developer with 100 downloads and 10 bad reviews.
3. You can't run APKs on Android the way you can run EXEs on a Windows computer. On a Windows computer, any EXE can run without being installed, and it has access to a lot of stuff, if it wants to access it, even without administrator privileges. On the other hand, an APK can't run without being installed - and when it is installed, it's not the APK providing the installation interface, it's the system (which is why there aren't all the problems with installer crapware on Android), so the user explicitly presses the install button, which is right under the list of permissions it will get if installed - and the app will only be able to use those services. The only way it can get around that is by using an exploit - which is where the whole topic started - but at that point, it shouldn't have a problem getting around the antivirus either, especially since antivirus on Android doesn't have quite the capabilities of Antivirus on Windows, for example.

J_L 25. Jan 2016 03:37 AM

All true, but I have an AV simply because mistakes can be made and it comes with the anti-theft (unfortunately, Google's doesn't take pictures or some other advanced features).

Burn-IT 25. Jan 2016 01:28 PM

Since when has asking permission to install been protection.
You know damn well that if you start to install an application you will just OK any requests without even reading most of them.
I cannot imagine most users even understanding the questions never mind appreciating the consequences of their answers.!!

UserError 25. Jan 2016 03:56 PM

trainman261, I agree with you. I've decided to ditch the antivirus app on my phone for good, and I don't see any big difference. However, I've decided to change a lot of settings and disable 'unknown sources', 'USB debugging', and re-enabled the 'scan device for security threats' and 'improve harmful app detection' options.

I went as far as trying to install an APK from a known badware site and the installation was blocked by Android. That was good enough for me, no more sideloading.

trainman261 29. Jan 2016 04:47 PM

Quote:

Originally Posted by Burn-IT (Post 116354)
Since when has asking permission to install been protection.
You know damn well that if you start to install an application you will just OK any requests without even reading most of them.
I cannot imagine most users even understanding the questions never mind appreciating the consequences of their answers.!!

Well if you ask me, the permissions aren't super complicated. Sure, some advanced permissions might be hard for the user to understand, but most of the basics (e.g. camera use, microphone use, internet access) are pretty self explanatory.
Also, there is no protection against ignorance - not even an AV can protect you against that. I just can't help but think of this:
Quote:

Googles "Free Movies"
Clicks on a website that seems legit
firefox warns the website is a reported attack site
Clicks anyway, enters website
Clicks a banner that's blinking and flashing different colours that says "DOWNLOAD NOW"
freemovie.exe starts downloading
download finishes
Anti-virus picks it up and deletes it
Right clicks -> disables Antivirus
Downloads again
Opens it up
Windows defender picks it up and deletes
Disables Windows Defender
Downloads and opens it up again
Now Windows UAC asks if you want to trust the file due to possibility of .exe files being viruses
Clicks "YES"
Computer infected with tons of malware and viruses
"Man! Screw PCs, they are so prone to viruses! I'm buying a mac!"
Now, sure, that's an exaggeration, but the point is that a little bit of common sense is required when you're using a computer or a phone.


All times are GMT +1. The time now is 06:08 PM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2021, vBulletin Solutions, Inc.