Mobile antivirus epic fail and how SeraphimDroid & ZAP can help


johanna curiel curiel

Sep 15, 2016, 2:44:59 PM9/15/16
to OWASP Seraphimdroid, OWASP ZAP Evangelists Group, zaproxy...@googlegroups.com, owasp-...@lists.owasp.org
Hi Zap and Seraphimdroid team

Recently I wrote an article regarding the security of mobile antivirus:

Many OWASP resources and projects are actually mentioned as resources for proper development lifecycle. Zap among others

I'm conducting a research on automation of apps security testing and one of the apps I will be testing is Seraphimdroid.

I'll be using ZAP for the testing certain areas of the application and ZEST scripts.

@Seraphimdroid team: I think, based on the mobile fiasco, if SeraphimDroid enhances its security testing, patching the issues found, including a Bug Bounty program, we will have a more secure app than any anti-virus and for free ;-P

Right now I have a draft of the areas ZAP helps testing mobile apps:

If you have any ideas, feel free to give feedback.


Johanna Curiel 

johanna curiel curiel

Sep 19, 2016, 2:44:58 PM9/19/16
to Nikola Milosevic, OWASP Seraphimdroid, OWASP ZAP Evangelists Group, zaproxy...@googlegroups.com, owasp-...@lists.owasp.org
Hi Nikola,

Thanks for the feedback. Indeed, the testing will involve a lot more than just using ZAP for insecure communications and some of the Top Ten mobile risks.

Tools such as Cydia Substrate, Xposed and Apktool among others will be used during the research/testing.

I will definitely be testing SeraphimDroid and submitting the issues I find.

Cheers

Johanna




On Mon, Sep 19, 2016 at 7:57 AM, Nikola Milosevic <nikola.mi...@gmail.com> wrote:
Hello Johanna,


Sorry for the quite late reply. The things you stated and the research you mentioned are quite interesting, and probably quite a good field to promote ourselves in. However, ZAP is definitely better suited for testing apps. We can do some heuristics and scans, but on the app side we are unable to scan code and find most of the issues from the OWASP Mobile Top 10. What we most definitely should do is make the app secure. If we can also do some basic scans for insecure apps, that is also quite a good idea for some future development. Thank you for sharing the article; also, if you have further ideas for the Seraphimdroid side, I am happy to listen.





Best regards,

Nikola Milošević

_______________________________________________
Owasp_seraphimdroid_project mailing list
Owasp_seraphimdroid_project@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project





--
Johanna Curiel 
OWASP Volunteer