2

What methods are there to programmatically detect vulnerabilities within an Android O.S? which could lead to DoS, Code Execution, Overflow, Memory Corruption attacks etc.

I'm not wanting to know how to perform the above attacks, instead I'd like to know how I can verify programatically whether the flaws required to perform attacks like the above exist within a user's O.S

  • If you want to perform the check from within an app you will fail as an app has very limited system access. Some vulnerabilities may be detectable be reading and checking the OS library files but not all are readable by an app. – Robert Apr 30 '15 at 15:12
  • In regard to what you've described, how can I perform the check on the limited system access, I currently have? –  Apr 30 '15 at 15:53
  • First, "What methods are there" type questions are **generally off-topic** here. But more specifically, this question is *fatally naive* - applications do not realistically audit operating system *binaries* beyond checking for known issues. Really auditing code quality is either a state-of-the art automation task with dubious coverage, or an exercise is human eyeball expertise. **Fundamentally, if there was an effective, ready-to-go codebase you could just build into your app to throw at the problem, don't you think that Android integrators would already be running it themselves?** – Chris Stratton Apr 30 '15 at 19:28

2 Answers2

1

do you know a method to where in, I can write a piece of code within Android, to scan through a user's O.S for flaws which can lead toward a DoS attack etc.?

Assuming you want code that detects these vulnerabilities, it wouldn't make sense because why wouldn't Google's world class engineers run this code to detect these vulnerabilities themselves?

I think the best way to approach your problem is map known vulnerabilities (perhaps this may help) to versions of Android prior to that patch.

Therefore your code simply detects the user's Android version, and lists previously discovered vulnerabilities.

This isn't a silver bullet solution however because just because a security vulnerability was fixed in 4.1, doesn't mean it existed in all previous version of Android. Maybe it was only 4.0 that was vulnerable.

EDIT:

Here is a website that may help you in mapping vulnerabilities to Android versions.

Martin Konecny
  • 57,827
  • 19
  • 139
  • 159
0

I am affraid that you have to learn some basic things about exploitation before you are asking something like this. If so, then you would reformed you question in order not to be so contradictory.

  1. There is no special "member function" to use to perform s/w strength test and
  2. There is no an efficient way to check for s/w system security without performing (even in a simulation level) an attack...

You have to learn about basic exploitation, tcp architecture and of course a programming language to program you attack tests.

fmo, java is fine for this, and WORKS on android devices.

But, if you look for a dedicated (and more hardcore) tool, that also supports programming, then read this.

Community
  • 1
  • 1
Andreas Venieris
  • 452
  • 3
  • 15