DARPA-funded app shows you the security holes on your Android device

July 24, 2012

X-Ray for Android

A new Android application, developed with funding from DARPA, aims to show users precisely what security holes there are on their Android devices.

Called X-Ray, the app was created by Duo Security and is now available for download at XRay.io as a standalone APK. X-Ray analyzes your Android system and looks for known vulnerabilities, including privilege escalation bugs. According to X-Ray:

“Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.”

X-Ray is not an antivirus app, so it won’t attempt to identify malware-ridden apps. Instead, the app looks at the system and identifies the holes that attackers might take advantage of to compromise your Android device. Many of the holes are well-known in the world of security researchers, yet carriers do little to patch them. For instance, the GingerBreak vulnerability, found in Android 2.3 Gingerbread (the most prevalent Android flavor today), is a well-known bug that has been commonly abused by digital wrongdoers for more than 18 months.

Unfortunately, X-Ray will not fix the vulnerabilities it identifies on your smartphone or tablet. The app simply tells you that your device is exposed and recommends contacting your carrier or applying a safer variant of Android yourself, such as the CyanogenMod custom ROM.

Although X-Ray offers no remedies for the problems it flags, I think that Duo Security should be commended for the effort it put into highlighting the serious problem that is mobile security today. Check out the app from the link in the source, and let us know your opinion.

Comments

  • anon

    I’m on CM9 RC1 and X-Ray didn’t pick up any vulnerabilities, sweet!

  • http://twitter.com/dconvery David Convery

    1st rule of security = never download apps from independent sites….

    • Don Joe

      Except the founders of Duo Security are two extremely well known and respected security researchers. http://www.duosecurity.com/about It would be like if Linus Torvalds released an app and decided not to release it on Google Play.