FoxMagiskModuleManager
FoxMagiskModuleManager copied to clipboard
Fox2Code
Security
Is your feature request related to a problem? Please describe. Yes and no i guess because i feel paranoid when downloading from third party modules from sites
Describe the solution you'd like A built in virustotal scanner
Describe alternatives you've considered Ah there is none guess but AppManager has a virustotal scanner and u can scan apps using ur own api key
Additional context Add any other context or screenshots about the feature request here.
Might be very hard to implement, also that Androidacy don't give zip file right away is a problem for that.
I already plan to add a basic antivirus to the app in the long term to avoid installing malware.
We already check zip files in the background on the API. It's a matter of exposing those checks on the frontend.
Might be very hard to implement, also that Androidacy don't give zip file right away is a problem for that.
@Fox2Code
This app allows to scan apps using virustotal.Maybe you can use this for help.
https://github.com/MuntashirAkon/AppManager
We've started exposing VirusTotal results on the module page. It may take a couple days to get results for all modules because VirusTotal has ridiculous quotas if you don't pay hundreds of dollars a month for a premium api key
We've started exposing VirusTotal results on the module page. It may take a couple days to get results for all modules because VirusTotal has ridiculous quotas if you don't pay hundreds of dollars a month for a premium api key
Why not let the users use there own api key and scan the files by themselves This app let us use our own api key
https://github.com/MuntashirAkon/AppManager
That almost entirely defeats the purpose of using server side scanning, and requires users to create an account to get an API key. Our way, they'll know if a module is clean before even downloading it, and without them having to create a VirusTotal account
Tl;Dr: convenience for users
That almost entirely defeats the purpose of using server side scanning, and requires users to create an account to get an API key. Our way, they'll know if a module is clean before even downloading it, and without them having to create a VirusTotal account
Tl;Dr: convenience for users
Is'nt it better to test it ourself to make sure there were no mitm attacks and for sureness because we are running this zip files at root level. A simple virus can destroy the whole system.
also that Androidacy don't give zip file right away is a problem for that.
First we download the zip file in a specified location then we scan the same file i guess
If you make most people do it themselves (i.e., get the API key themselves) they just won't do it, which is no good.
Your suggestion is barely any better than just going to virustotal.com and submitting the zip yourself - which is always an option.
If you make most people do it themselves (i.e., get the API key themselves) they just won't do it, which is no good.
Your suggestion is barely any better than just going to virustotal.com and submitting the zip yourself - which is always an option.
Why not make it optional to add own api key? For people who cares about security at most . And why dont we keep both server side and user side
Of course it would be optional it's not like fox is going to force people to use a key to install, but I'm saying doing it the way your suggesting has no advantage over asking the user to manually check via the website.
You guys will have a report and for sure we will scan it by ourselves. why should we trust your reports? Just for self confidence
Our report has a link to the virus total scan page, which will allow you to verify the same file the report was generated for is the one you downloaded.
Of course it would be optional it's not like fox is going to force people to use a key to install, but I'm saying doing it the way your suggesting has no advantage over asking the user to manually check via the website.
So the user will have to locate the zip file and go to virustotal.com then scan it . Isnt it better to keep it in one screen
It's more in-app clutter for the few users that will use it.
Any solution, virus total or not, should be there, easily accessible, and require no user configuration. If you need verification beyond that, chances are, you're already taking the extra steps.
At any rate I have to chase down a bug that's causing files to never get submitted on our end. 🏃♀️
are,you're already taking the extra steps.
people who cares about security at most will take the extra steps
That's the point most people really don't. They see module, they flash module, to put it bluntly.
I see your point, I really do, but it's just not a feature most users will go through the trouble to use.
The https://github.com/MuntashirAkon/AppManager even has a built in tracker virustotal issuer signer etc scanner for security and i think foxmmm should also have all this
No, that doesn't even make sense.
Fyi I use that particular app, it's an excellent app, but it's not a good example of what FoxMMM should do, since it serves an entirely different purpose.
No, that doesn't even make sense.
Fyi I use that particular app, it's an excellent app, but it's not a good example of what FoxMMM should do, since it serves an entirely different purpose.
I guess ur right it doesnt need all but i would like the virustotal and the tracker one becuse some modules does download apps
That's the point most people really don't. They see module, they flash module, to put it bluntly.
I see your point, I really do, but it's just not a feature most users will go through the trouble to use.
People who cares will put every shit they find on the web through virustotal . Im not saying every user will do this but people who knows and cares about security will do so .
@Raif1 as VirusTotal seems too much work for too little, I put you in charge of doing the initial VirusTotal integration.
Off course I will help with bug fixes once you finished the initial implementation and submitted your pull request for review.
Also you are not forced to do it at all if you think it's a bad idea, but sadly I don't have the time to implement this.
@Raif1 as VirusTotal seems too much work for too little, I put you in charge of doing the initial VirusTotal integration.
Off course I will help with bug fixes once you finished the initial implementation and submitted your pull request for review.
Also you are not forced to do it at all if you think it's a bad idea, but sadly I don't have the time to implement this.
What do you plan for security at the user side for the time being ?
Most files in the Androidacy Repository should now have a virustotal status and a link to the scan results on the predownload dialogue.
It gets marked as suspicious if more than one engine funds it suspicious, and malicious if more than one engine funds it malicious OR one engine finds it malicious and another finds it suspicious. Otherwise it gets a Clean label. Or if we don't have results yet, it's Unknown.
We're open to suggestions on how we can improve this, and we are planning on exposing this information via API.
Most files in the Androidacy Repository should now have a virustotal status and a link to the scan results on the predownload dialogue.
It gets marked as suspicious if more than one engine funds it suspicious, and malicious if more than one engine funds it malicious OR one engine finds it malicious and another finds it suspicious. Otherwise it gets a Clean label. Or if we don't have results yet, it's Unknown.
We're open to suggestions on how we can improve this, and we are planning on exposing this information via API.
Add a label which indicates if a module contains proprietary code.like adding a danger type sign or something like that.
Most files in the Androidacy Repository should now have a virustotal status and a link to the scan results on the predownload dialogue. It gets marked as suspicious if more than one engine funds it suspicious, and malicious if more than one engine funds it malicious OR one engine finds it malicious and another finds it suspicious. Otherwise it gets a Clean label. Or if we don't have results yet, it's Unknown. We're open to suggestions on how we can improve this, and we are planning on exposing this information via API.
Add a label which indicates if a module contains proprietary code.like adding a danger type sign or something like that.
That is extremely hard to automatically detect, and would require quite a bit of human intervention, and as such is currently not on the roadmap.
The VirusTotal scan contains the SHA-256 of the file scanned, so it is enough if the FoxMMM calculate the hash of the zip after the downloading it (and before running it) and compare with the one of the VirusTotal scan to make sure the file isn't "changed" during download.
@ale5000-git well the problem is what I do after that? The step you a referring to is just before the file get patched for install. And VirusTotal isn't 100% accurate because it use 3rd part anti viruses, so it would suck to completely prevent install.