duo-labs/xray duo-labs/xray

  • This repository has been archived on 01/Apr/2020
  • Stars
    star
    122
  • Rank 285,823 (Top 6 %)
  • Language
    Java
  • Created over 8 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
duo-labs/xray
github

duo-labs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.

NOTE

X-Ray is no longer maintained by Duo Labs. This project will be archived 12/01/18.

X-Ray

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.

X-Ray Screenshot

X-Ray was developed by security researchers at Duo Security.

We hope that X-Ray will empower users with knowledge of vulnerabilities on their devices and allow them to take action to improve their security.

We encourage users to contact their carriers and ask for their devices to be patched.

What does X-Ray do?

X-Ray scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. The X-Ray app presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device.

X-Ray has detailed knowledge about a class of vulnerabilities known as "privilege escalation" vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.

Why are there unpatched vulnerabilities on my device?

First, the software underlying a modern mobile device is controlled by many parties. Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third-parties, not to mention all the open source components (Linux kernel, WebKit, libraries) owned by various project maintainers. When a vulnerability is discovered, coordinating with the responsible parties isn't a trivial task. You'd probably lose if you tried to play Six Degrees of Separation with the developer who introduced the vulnerability, and the party who's responsible for patching it.

Second, carriers can be slow and conservative to supply patches to their users. There is certainly a risk in supplying an update to millions of users, but that doesn't make it acceptable to continue to leave these users exposed to public vulnerabilities for months (or years). The current incentives are flawed: there's little motivation for carriers to put the effort into developing, testing, and deploying a patched version when the latest Android version is sitting on a new device ready for consumers to purchase.

Is it safe to run X-Ray?

Absolutely. Running X-Ray device will have no adverse effects on the security, stability, or performance of your device. X-Ray is installed and run just like any mobile application and requires no special privileges to operate. X-Ray is able to safely probe for the presence of a vulnerability without ever exploiting it.

What information does X-Ray collect from my device?

X-Ray collects information about your device, but not about you.

The collected information serves two purposes:

  • to determine whether your device is vulnerable, and
  • to collect statistics on just how many Android devices out there are vulnerable

This information is useful to apply pressure on carriers to actually fix the underlying problem, so your participation may end up improving the security of all Android users.

Specifically, X-Ray collects the version of your OS (e.g. 2.3.6), the make/model of your device (e.g. Samsung Nexus S), your carrier's name (e.g. T-Mobile), a randomly-generated device ID (eg. 9a17e3fedcde4695), and potentially vulnerable software components (eg. /system/bin/vold). The information collected will not be shared with any third-parties except in aggregate form (eg. a graph showing the total number of vulnerable devices).

Why is X-Ray not distributed through Google Play Store?

We definitely understand that users prefer to install apps from the Play Store, especially when they're security-related apps. Unfortunately, Google informed us that the terms of service of the Play Store disallow applications such as X-Ray that check for Android vulnerabilities.

Is X-Ray available for enterprise use?

Yes, the underlying technology that powers X-Ray can be deployed on an enterprise-wide level, giving you global visibility into vulnerabilities affecting your employees' mobile devices. Please contact [email protected] for more information.

What's the relation of this project to NowSecure VTS?

We originally wrote X-Ray a few years ago and did not continuously update it with new vulnerabilities. In late 2015, NowSecure released Android VTS as an open source project, which included several vulnerabilities X-Ray didn't test for, as well as a nicer test harness for implementing tests in a general way.

We decided to collaborate on their testing harness by porting our old tests to run on it, while maintaining and updating the X-Ray UI, which is targeted more towards average users, as opposed to VTS which targets a technical audience.

We aim to continue adding new vulnerabilities to X-Ray, along with pull requests to VTS so they can include them in their tool.

For more details, see our site.

More Repositories

1

cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
JavaScript
5,845
star
2

webauthn

WebAuthn (FIDO2) server library written in Go
Go
1,023
star
3

parliament

AWS IAM linting library
Python
986
star
4

cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Python
871
star
5

py_webauthn

Pythonic WebAuthn
Python
801
star
6

webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.
Python
619
star
7

EFIgy

A small client application that uses the Duo Labs EFIgy API to inform you about the state of your Mac EFI firmware
Python
508
star
8

dlint

Dlint is a tool for encouraging best coding practices and helping ensure we're writing secure Python code.
Python
331
star
9

markdown-to-confluence

Syncs Markdown files to Confluence
Python
294
star
10

isthislegit

Dashboard to collect, analyze, and respond to reported phishing emails.
Python
284
star
11

idapython

A collection of IDAPython modules made with πŸ’š by Duo Labs
Python
274
star
12

chrome-extension-boilerplate

Boilerplate code for a Chrome extension using TypeScript, React, and Webpack.
TypeScript
208
star
13

secret-bridge

Monitors Github for leaked secrets
Python
184
star
14

apple-t2-xpc

Tools to explore the XPC interface of Apple's T2 chip
Python
152
star
15

twitterbots

The code used in the "Don't @ Me: Hunting Twitter Bots at Scale" Black Hat presentation
Python
152
star
16

cloudtrail-partitioner

Python
147
star
17

phish-collect

Python script to hunt phishing kits
Python
136
star
18

phinn

A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network.
JavaScript
129
star
19

android-webauthn-authenticator

A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
Java
110
star
20

appsec-education

Presentations, training modules, and other education materials from Duo Security's Application Security team.
JavaScript
67
star
21

mysslstrip

CVE-2015-3152 PoC
Python
43
star
22

EFIgy-GUI

A Mac app that uses the Duo Labs EFIgy API to inform you about the state of your EFI firmware.
Objective-C
39
star
23

lookalike-domains

generate lookalike domains using a few simple techniques (homoglyphs, alt TLDs, prefix/suffix)
Python
30
star
24

journal

The boilerplate for a new Journal site
21
star
25

srtgen

Automatic '.srt' subtitle generator
Python
21
star
26

apk2java

Automatically decompile APK's using Docker
Dockerfile
21
star
27

neustar2mmdb

Tool to convert Neustar's GeoPoint data to Maxmind's GeoIP database format for ease of use.
Python
19
star
28

markflow

Make your Markdown sparkle!
Python
18
star
29

narrow

Low-effort reachability analysis for third-party code vulnerabilities.
Python
18
star
30

tutorials

Python
15
star
31

duo-blog-going-passwordless-with-py-webauthn

Python
14
star
32

datasci-ctf

A capture-the-flag exercise based on data analysis challenges
Jupyter Notebook
14
star
33

chain-of-fools

A set of tools that allow researchers to experiment with certificate chain validation issues
Python
13
star
34

sharedsignals

Python tools for using OpenID's Shared Signals Framework (including CAEP)
12
star
35

journal-cli

The command-line client for Journal
Jupyter Notebook
12
star
36

unmasking_data_leaks

The code from the talk "Unmasking Data Leaks: A Guide to Finding, Fixing, and Prevention" given at BSides SATX 2019.
Python
7
star
37

journal-theme

The Hugo theme that powers Journal
HTML
7
star
38

golang-workshop

Source files for a Golang Workshop
Go
5
star
39

journal-docs

The documentation for Journal
2
star
40

dlint-plugin-example

An example plugin for dlint
Python
2
star
41

vimes

A local DNS proxy based on CoreDNS.
Python
2
star
42

twitterbots-wallpapers

Wallpapers created from the crawlers in our "Don't @ Me" technical research paper
1
star
43

holidayhack-2019

Scripts and artifacts used to solve the 2019 SANS Holiday Hack Challenge
Python
1
star