Monthly Archives: November 2013

New ApkScan features

We are happy to introduce some new features to NVISO ApkScan today! We are excited to announce the following changes:

New features

  • The Sandbox is now using Android 4.1 emulators instead of the Android 2.3 emulators. We are using a Nexus 4 image to ensure we can run as many samples as possible that make use of more recent APIs.
  • Besides user-uploaded samples, we are now automatically analyzing samples submitted to a range of Android app stores. This ensures that our workers are never “idle” waiting for new samples submitted by users (although your uploaded samples will always get priority in the queue!). On the report overview page, you can now select “app market samples” in the filter at the top to see the results of these scans. More information and support for such integration with app markets will follow soon and will be announced here.
  • New in the scan reports: see which services were started by the scanned application.
  • New in the scan reports: see which files were accessed by the scanned application.
  • New in the scan reports: sections that might indicate malicious behavior are now highlighted with an animation, so you can easily spot them.
  • New in the scan reports: you can now see where a sample came from (the website or an app market) and when it was uploaded (section “Origin” at the top of the report).

Improvements

  • The operation through which information was leaked is now reported.
  • Significant speed improvements during the dynamic analysis phase. This should make your scans run faster.
  • Report generation is now offloaded to the web server instead of the lab workers, giving the lab workers more time to do what they do best: analyze samples. This should make your scans run faster.
  • The section on the cryptographic activity has been split up into three sub-sections to make the report more readable: used encryption keys, encryption operations and decryption operations are each reported individually.
  • Interaction with the Google Safe Browsing API has been made more reliable and should return more accurate results.

Bug Fixes

  • Fixed a bug where reports were not listed in the correct order on the report overview page.
  • Fixed a bug where the interactive search functionality on the report overview page would sometimes stop working after a few keystrokes.
  • Fixed a bug where samples were sometimes uploaded twice when being dropped into the upload area.
  • More than 20 minor bugfixes.

Check out the new version of NVISO ApkScan at http://apkscan.nviso.be. You can find a sample report of an analyzed application here: http://apkscan.nviso.be/report/show/aabdfae011e3e9cfc3519520350b0641 

Stay tuned, as we will be adding more features to NVISO ApkScan in the near future!
Daan

My internship at NVISO

Introduction

Hey, my name is David De Lille, I’m a student in computer engineering at the University of Ghent, and I just finished an internship at NVISO. In this blog post, I want to give a quick roundup of how I experienced my 6 weeks as an intern at NVISO.

Why NVISO?

I kind of stumbled into my internship. Daan Raman, an alumnus of UGent, came to give a presentation about Metasploit at our university. Knowing that NVISO also supports theses, I went up to him after the talk and asked him about the possibility of an internship, and it all went from there. Looking back, it was clearly the right choice.

Details of the internship

Despite them not having prepared or had any internships before, they came up with a really good offer, which included a lot less making coffee than I had expected. Basically, NVISO split up the internship of 6 weeks into 3 parts, to give me a taste of the different aspects of the work done at the company.

In the first part, I got to join the NVISO team on a field job. They took me along on an actual pentest and had me look for rogue access points, unauthorized modems that allow an attacker to access the internal network of a company, using a high-powered WiFi antenna. I also got to manage a rented Amazon server that was used to crack a long list of password hashes that were discovered during the tests.

For the second part of the internship, I was given a small project to develop software to complement their existing security research. If you’ve read the previous blog posts, you’ll know all about ApkScan. In the way that ApkScan currently works, all the suspect files have to be uploaded manually by users, which means the server is often idling. To prevent this, I had to implement a script that can automatically retrieve samples of Android applications and forward them to the ApkScan server.

Finally, the last part focused on helping to organize a hacking challenge for the security conference BruCON 2013, which happened in September. The goal was to test participants’ hacking skills in the form of a contest. Each person would get a certain amount of time to complete a set of tasks. Correctly completing each task awarded the player some points and a bit of extra time. At the end of the conference, the top 4 hackers won a Raspberry Pi!

Conclusions

I had a lot of fun doing this internship and highly recommend it to every student who has room for it in his/her curriculum. I got a taste of what it’s like working for a security firm and gained some valuable experience in all 3 parts of my internship.