
Feature Request: Display risk score

Open StephenQuirolgico opened this issue 5 years ago • 4 comments

Is it possible to add an overall Risk Score to Androwarn? I think this would greatly increase its value, particularly with MDM/EMM analysts that are responsible for ensuring the safety of apps on their organization's devices, but that do not have the expertise to know if a vulnerability detected by Androwarn is low, medium, high or critical risk. For most other Android static analyzers, the Common Vulnerability Scoring System (CVSS) is the standard used for describing risk. It seems that it would be a relatively light lift to add a CVSS score for the overall risk, as well as possibly for each of the underlying vulnerability categories. We are currently using Androwarn but its lack of risk scores is making its continued use less likely.

StephenQuirolgico avatar Aug 24 '19 13:08 StephenQuirolgico

I'm also using androwarn to analyze apks for now, and noticed you said other android static analyzers can support CVSS. I wonder if you can mention some open-source examples. Thanks very much.

richardPang517 avatar Aug 28 '19 07:08 richardPang517

Hi Richard,

MobSF is an open source Android and iOS analyzer that uses CVSS 2.0.

https://github.com/MobSF/Mobile-Security-Framework-MobSF

Steve


StephenQuirolgico avatar Aug 29 '19 00:08 StephenQuirolgico

thanks, I also noticed this MobSF tool and haven't researched much on it. I found out androwarn cannot correctly analyze some modern apks, possibly because of non-ASCII characters (based on error info). Perhaps it's a bit too old with old python.

richardPang517 avatar Aug 29 '19 03:08 richardPang517

Androwarn was just updated to work with Python 3.


StephenQuirolgico avatar Aug 29 '19 03:08 StephenQuirolgico