Discussion:
[android-security-discuss] Any security patch scan tool available?
Anushree Ganjam
2015-10-27 05:57:59 UTC
Hi,
We all know many security patches will be released for Android.
Is there any tool to check if the security patches are merged or not at the
code level?
So using this, we can make sure our code is up to date with all security
patches merged.


Thanks
--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+***@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
Stuart Small
2015-10-29 17:38:59 UTC
I've been looking for one too. The best I've found is this
https://github.com/nowsecure/android-vts

It still has a long ways to go but it's a start.
Kristian Erik Hermansen
2015-10-30 00:23:49 UTC
Doesn't Tenable Nessus do this for most android firmware? You can try the
free version, but my guess is you need to spend around $3K to get the
professional version to scan mobile fully...

https://www.tenable.com/solutions/mobile-device-security

http://static.tenable.com/documentation/Nessus_and_Mobile.pdf
--
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen
Stuart Small
2015-10-30 19:46:20 UTC
This was one of the tools I tried. It requires you to do the scan through
an MDM. I was having trouble getting the MDM set up and didn't go any
farther once I hit the issues. From what I saw it just gives you a very
high-level audit of what devices you have, some simple checks version numbers,
and configuration as reported by the MDM and not in-depth vulnerability
scanning. It looks like it's geared more for an admin in a BYOD situation
than for a device integrator.
Anushree Ganjam
2015-10-31 06:48:26 UTC
Hi Alan,
I want to scan for the patches on the code, not on the device.

Is there any way that you can suggest to scan the patches on the code?

Regards
Anushree
Blibbet
2015-10-31 21:37:08 UTC
Have you looked at Linaro's LAVA?

LAVA is a continuous integration (CI) QA tool, for Linaro-compatible
hardware, including Google Nexus devices, I think. And open source so
you can add support for more devices. Also you can access Intel and
other non-ARM hardware via QEMU, albeit only for virtualized devices.
You can install new system firmware (U-Boot, UEFI, etc.), run 'pre-OS'
tests, install new OS, and get results back. You can write new tests, so
presumably you could write the security tests you want, if they don't
already exist. Linaro uses Android and Linux (Ubuntu, OpenEmbedded) on
AArch32 and AArch64 systems, as well as other platforms via QEMU target
support.

validation.linaro.org
Suhail mohammed
2015-11-06 01:12:47 UTC
Hi,

From the latest Google Security updates (Security Patch Level November),
Google does somewhat answer this question (below). Even though this did
work for, it does not list out all the patches incorporated on the device,
it just returns the current security patch on the device.
Common Questions and Answers

This section will review answers to common questions that may occur after
reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Builds LMY48X or later and Android Marshmallow with Security Patch Level of
November 1, 2015 or later address these issues. Refer to the Nexus
documentation <https://support.google.com/nexus/answer/4457705> for
instructions on how to check the security patch level. Device
manufacturers that include these updates should set the patch string level
to: [ro.build.version.security_patch]:[2015-11-01]

Hopefully it is helpful.
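The bulletin excerpt quoted in the last message names the property ro.build.version.security_patch and the value 2015-11-01. As an added example (not part of any post in this thread), the shell functions below read that property from a build.prop-style key=value file and compare it with a required level; the file names and sample contents are constructed, and using the first matching line is an assumption. As the last message points out, this reports only the declared patch level, not which individual patches are merged.

```shell
#!/bin/sh
# Added example: compare the declared security patch level in a
# build.prop-style file (key=value lines) with a required level.

# Print the value of ro.build.version.security_patch, or nothing if absent.
# $1: path to the properties file. First matching line is used (assumption).
patch_level_from_prop() {
    sed -n 's/^[[:space:]]*ro\.build\.version\.security_patch[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one of: ok, outdated, missing, malformed.
# $1: properties file, $2: required level as YYYY-MM-DD.
check_patch_level() {
    level=$(patch_level_from_prop "$1")
    if [ -z "$level" ]; then
        echo missing          # the file declares no patch level at all
        return 0
    fi
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo malformed; return 0 ;;
    esac
    # YYYY-MM-DD strings sort in date order, so if the smaller of the two
    # is the required level, the build is at or past it.
    oldest=$(printf '%s\n%s\n' "$2" "$level" | LC_ALL=C sort | head -n 1)
    if [ "$oldest" = "$2" ]; then echo ok; else echo outdated; fi
}

# Constructed sample files (not taken from a real build).
demo_dir=$(mktemp -d)
printf 'ro.build.id=EXAMPLE_A\nro.build.version.security_patch=2015-11-01\n' > "$demo_dir/a.prop"
printf 'ro.build.id=EXAMPLE_B\nro.build.version.security_patch=2015-10-01\n' > "$demo_dir/b.prop"
printf 'ro.build.id=EXAMPLE_C\n' > "$demo_dir/c.prop"
for f in a b c; do
    echo "$f.prop: $(check_patch_level "$demo_dir/$f.prop" 2015-11-01)"
done
rm -rf "$demo_dir"
```

On a connected device the same property can be read with `adb shell getprop ro.build.version.security_patch`.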