Difference between revisions of "OWASP SeraphimDroid Project"

 
(47 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
  
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div>
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
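Review bot: the inline style on the added Incubator header div, `border:0,margin:0`, separates the two declarations with a comma instead of a semicolon, so neither property takes effect; write `border:0;margin:0;`. The line it replaces had the same typo, so this revision is the place to fix it. The new banner also links to OWASP_Project_Stages where the old header had an empty `link=`; mention that in the edit summary.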
Line 7: Line 7:
  
 
==OWASP SeraphimDroid==
 
==OWASP SeraphimDroid==
 +
'''Mission:'''
  
SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications.  
+
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''
 +
 
 +
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks.
 +
 
 +
OWASP Seraphimdroid has two aims:
 +
* To protect user's privacy and secure the device against malicious features that may cost user money
 +
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.
 +
 
 +
{|
 +
{{#ev:youtube|WccEBFaBXOw}}
 +
|}
 +
 
 +
 
 +
[[File:OWASPSeraphimdroid.png | 200px]]
  
 
==Introduction==
 
==Introduction==
  
SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.
+
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.
  
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid
+
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.
  
  
 +
 +
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid
 +
 +
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid
  
 
==Description==
 
==Description==
  
The aim of this project is to research all the risks coming from permissions and to actively alarm user of the application about those risks. Also, using different kind of heuristics SeraphimDroid application should keep user data and money safe. Application should prevent other applications to execute some action that cost money without user's knowledge and acknowledgement. At the later stage application should using heuristics act as anti malware application.
 
  
The secondary goal of the project is to publish documentation about researched topics, such as how can some permissions be misused, what are the heuristic approaches to prevent other application executing malicious actions etc.  
+
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.
  
 +
So far the main features include:
 +
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user.
 +
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password
 +
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.
 +
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.
 +
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.
 +
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device.
 +
* Remote lock and lock
  
 
==Licensing==
 
==Licensing==
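Review bot: the last added feature bullet, "* Remote lock and lock", is incomplete: it names "lock" twice and has no description, unlike the six bullets above it. Name the second remote action and add a sentence describing it. In the same hunk, "theft and loosing" in the added summary paragraph should read "theft and loss", and "they devices" in the added Introduction should read "their devices".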
Line 32: Line 57:
  
 
== What is OWASP SeraphimDroid? ==
 
== What is OWASP SeraphimDroid? ==
 +
* Free and open source project
 +
* Android security and privacy protection app
 +
* Educational platform (planned)
  
 
OWASP SeraphimDroid  provides:
 
OWASP SeraphimDroid  provides:
  
 
* Documentation on how Android permissions can be misused
 
* Documentation on how Android permissions can be misused
 +
* Security guide for Android users
 
* Security Android application
 
* Security Android application
 
* Application that keeps user secure and teaches him about risks
 
* Application that keeps user secure and teaches him about risks
  
 +
==Donate for OWASP Seraphimdroid==
 +
<paypal>OWASP Seraphimdroid project</paypal>
  
== Presentation ==
+
==Mailing list==
 
+
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]
Currently there is no presentation available
+
 
+
  
  
 +
== Presentations ==
 +
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.
  
 
== Project Leader ==
 
== Project Leader ==
Line 56: Line 87:
 
* [[OWASP_Mobile_Project]]
 
* [[OWASP_Mobile_Project]]
  
 +
== Ohloh ==
  
 +
*https://www.ohloh.net/p/owasp-seraphimdroid
  
 
| valign="top"  style="padding-left:25px;width:200px;" |  
 
| valign="top"  style="padding-left:25px;width:200px;" |  
Line 62: Line 95:
 
== Quick Download ==
 
== Quick Download ==
  
* https://github.com/nikolamilosevic86/owasp-seraphimdroid
+
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid
 
+
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid
 
+
* Documents and publications:
 
+
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation]  
== News and Events ==
+
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf
* [20 Nov 2013] Under development
+
 
+
 
+
 
+
== In Print ==
+
 
+
  
 
==Classifications==
 
==Classifications==
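Review bot: the added "== In Print ==" heading has nothing under it, so the sidebar gets an empty section; drop it until there is a publication to list, or move the Digital Forensics article bullet under it. The two added inspiratron.org document links are plain `http://` while the Google Play and GitHub links are `https://`; for a security project's user guide, link over https if the host serves it.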
Line 89: Line 116:
  
 
|}
 
|}
 +
 +
= News and Events =
 +
*  (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on  [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]
 +
*  (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]
 +
*  (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]
 +
*  (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]
 +
*  (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] 
 +
*  (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]
 +
 +
=Features and Functionalities=
 +
==OWASP Seraphimdroid is==
 +
* Android application
 +
* Open source
 +
* Completely free (no paid for 'Pro' version)
 +
* Community based, with involvement actively encouraged
 +
* Under active development by an international team of volunteers
 +
 +
==OWASP Seraphimdroid has two aims:==
 +
* To protect user's privacy and secure the device against malicious features and threats
 +
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.
 +
 +
==Features:==
 +
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. Currently, we use SVM/SMO model trained on M0Droid malware/goodware dataset, which performed with accuracy of 88%.
 +
* Application locker. With OWASP Seraphimdroid, you may lock access to certain or to all of your application with password
 +
* Service locker. This feature enables user to lock usage of WiFi, mobile network and Bluetooth with a password.
 +
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.
 +
* Incoming SMS blocker. This feature will scan all incoming messages and alert user if it find in the content potential phishing
 +
* Outgoing SMS scanner. The application will monitor outgoing SMS and alert user if the some of the application is trying to send SMS. This is the usual scenario how malware creators earn money - by sending premium SMS messages.
 +
* Outgoing call blocker. This feature will allow you to perform normally outgoing calls, but it will block outgoing calls performed by other installed applications. Similarly to outgoing SMSes, this is the scenario malware creators use to earn money.
 +
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.
 +
* SIM change detector. Ask password when SIM card is changed in order to assure that the owner of the device is changing SIM card. Perfect for theft protection.
 +
* Remote location. If you lost your phone, you'll be able to send SMS with a defined secret code as a content and your phone will reply with the location coordinates of the device.
 +
* Remote lock. Similarly, you may lock your device using a message with secret code
 +
* Remote wipe. If your phone is stolen, you may send a message with secret code and wipe all user data from the phone.
  
 
=FAQs=
 
=FAQs=
  
; Q1
+
; Q1: '''What is OWASP Seraphimdroid?'''
: A1
+
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks.
  
; Q2
+
; Q2: '''Does it requires device root access?'''
: A2
+
: A2: No. The application is designed in order to protect usual users, without any advanced skills (i.e. rooting the device).
  
 
= Acknowledgements =
 
= Acknowledgements =
==Volunteers==
+
==Volunteers and contributors==
 
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:
 
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:
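Review bot: the permission scanner bullet says the SVM/SMO model "performed with accuracy of 88%" but gives no evaluation setup; state how the figure was measured (held-out split or cross-validation) and the false-positive rate, since accuracy alone does not tell a user how often a benign app gets flagged. The Remote location, Remote lock and Remote wipe bullets all depend on "a message with secret code" without saying whether the sender is checked or how the code is stored; add a sentence on that, given that remote wipe is destructive. In the FAQ, Q2 should read "Does it require device root access?".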
  
Line 106: Line 167:
 
* Chetan Karande
 
* Chetan Karande
 
* Ali Tekeoglu
 
* Ali Tekeoglu
* Furquan Ahmed
+
* Furquan Ahmed
 +
* Kartik Kohli
 +
 
 +
==Corporate sponsors==
 +
 
 +
==Individual sponsors==
  
 
==Others==
 
==Others==
* xxx
 
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
As of SeraphimDroid, the priorities are:
+
===As of SeraphimDroid, the priorities are:===
 
* MVP development of Android security application with educational content
 
* MVP development of Android security application with educational content
 
* Documenting approaches taken during the development
 
* Documenting approaches taken during the development
Line 118: Line 183:
 
* Further development and improvement
 
* Further development and improvement
  
Involvement in the development and promotion of SeraphimDroid is actively encouraged!
+
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''
You do not have to be a security expert in order to contribute.
+
 
Some of the ways you can help:
+
 
 +
===Some of the ways you can help:===
 
* Help coding open source security app
 
* Help coding open source security app
 
* Write project documentation
 
* Write project documentation
* Research possible permission misuse
+
* Help with marketing and reaching more users and contributors
 +
* Design logo or controls
 +
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches
 +
* Just let us know what as a user you would like to see new or improved
  
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]
+
===Future development should include:===
 +
* Handling spam messages (SMS, MMS) in a better way
 +
* Developing Seraphimdroid as extendable platform with plugins made by other developers
 +
* Handling dangerous and malicious web pages while surfing
 +
* Advanced behavioral and machine learning based malware analysis
 +
* Developing educational content within the application
 +
* Advanced anti-theft and anti-loss measures
  
  
 +
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]
  
 
=Project About=
 
=Project About=

Latest revision as of 03:33, 29 November 2015


OWASP SeraphimDroid

Mission:

To create, as a community, an open platform for education and protection of Android users against privacy and security threats.

OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.

OWASP Seraphimdroid has two aims:

  • To protect the user's privacy and secure the device against malicious features that may cost the user money
  • To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.



Introduction

Android users face many threats and risks. Since modern mobile devices are connected to the internet and other types of mobile networks almost all the time, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.

In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users are using their devices in a secure manner. The project is and always will remain open for everyone to participate, and all project deliverables will be free and open source.


Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid

Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid

Description

The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.

So far the main features include:

  • Permission scanner. The permission scanner shows you the list of all installed applications and the permissions they are using. The app also describes potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.
  • Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.
  • Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.
  • Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but it blocks outgoing calls and informs the user about outgoing SMS performed by trojan applications.
  • Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may raise an alarm or start sending messages with its location to a defined number.
  • Remote location. If the user loses the phone, he can send an SMS containing a defined secret code, and the phone will reply with the location coordinates of the device.
  • Remote lock and lock

Licensing

GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)


What is OWASP SeraphimDroid?

  • Free and open source project
  • Android security and privacy protection app
  • Educational platform (planned)

OWASP SeraphimDroid provides:

  • Documentation on how Android permissions can be misused
  • Security guide for Android users
  • Security Android application
  • Application that keeps user secure and teaches him about risks


Mailing list

Project mailing list


Presentations

Project Leader

Nikola Milosevic [1]


Related Projects

Ohloh

Quick Download

Classifications


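  • (6.9.2015) A new version (v2.0) of OWASP Seraphimdroid was released on the Google Play store (https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid). A blog post about the new features can be read at http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/
  • (10.7.2015) OWASP Seraphimdroid is participating in the OWASP Summer Code Sprint 2015 (https://www.owasp.org/index.php/Summer_Code_Sprint2015)
  • (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, which also published an interview with the project leader. Issue 29 of Libre!, where the interview was published, can be seen at https://libre.lugons.org/index.php/broj-29/
  • (5.9.2014) The first release of OWASP Seraphimdroid was published on Google Play (https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid). A blog post about its features can be read at http://inspiratron.org/owasp-seraphimdroid-android-security-published/
  • (1.6.2014) OWASP Seraphimdroid participates in Google Summer of Code (https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816)
  • (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on the OWASP Seraphimdroid project. The article can be viewed at http://inspiratron.org/AndroidSecurity.pdf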

OWASP Seraphimdroid is

  • Android application
  • Open source
  • Completely free (no paid for 'Pro' version)
  • Community based, with involvement actively encouraged
  • Under active development by an international team of volunteers

OWASP Seraphimdroid has two aims:

  • To protect the user's privacy and secure the device against malicious features and threats
  • To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.

Features:

  • Permission scanner. The permission scanner shows you the list of all installed applications and the permissions they are using. The app also describes potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently, we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which performed with an accuracy of 88%.
  • Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.
  • Service locker. This feature enables the user to lock usage of WiFi, mobile network and Bluetooth with a password.
  • Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.
  • Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.
  • Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if an application is trying to send an SMS. This is the usual way malware creators earn money: by sending premium SMS messages.
  • Outgoing call blocker. This feature allows you to make outgoing calls normally, but it blocks outgoing calls performed by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.
  • Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may raise an alarm or start sending messages with its location to a defined number.
  • SIM change detector. Asks for a password when the SIM card is changed, to ensure that the owner of the device is the one changing it. Perfect for theft protection.
  • Remote location. If you lose your phone, you can send an SMS containing a defined secret code, and your phone will reply with the location coordinates of the device.
  • Remote lock. Similarly, you may lock your device using a message with the secret code.
  • Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.

Q1: What is OWASP Seraphimdroid?
A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.
Q2: Does it require device root access?
A2: No. The application is designed to protect ordinary users, without any advanced skills (i.e. rooting the device).

Volunteers and contributors

OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Nikola Milosevic
  • Aleksandar Abu Samra
  • Chetan Karande
  • Ali Tekeoglu
  • Furquan Ahmed
  • Kartik Kohli

Corporate sponsors

Individual sponsors

Others

As of SeraphimDroid, the priorities are:

  • MVP development of Android security application with educational content
  • Documenting approaches taken during the development
  • Try to publish some papers
  • Further development and improvement

Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.


Some of the ways you can help:

  • Help code the open source security app
  • Write project documentation
  • Help with marketing and reaching more users and contributors
  • Design logo or controls
  • Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches
  • Just let us know what you, as a user, would like to see added or improved

Future development should include:

  • Handling spam messages (SMS, MMS) in a better way
  • Developing Seraphimdroid as an extensible platform with plugins made by other developers
  • Handling dangerous and malicious web pages while surfing
  • Advanced behavioral and machine learning based malware analysis
  • Developing educational content within the application
  • Advanced anti-theft and anti-loss measures


If you want to contribute, please contact project leader Nikola Milosevic (nikola.milosevic@owasp.org)

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP SeraphimDroid Project (home page)
Purpose: OWASP Seraphimdroid is a privacy and security protection app for Android devices with an educational dimension. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. The educational dimension of the project is to teach users about, and point out, the threats and risks in mobile security.

Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid

License: GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Nikola Milošević
Project Contributor(s):
  • Aleksandar Abu Samra
  • Chetan Karande
  • Ali Tekeoglu
  • Furquan Ahmed
  • Kartik Kohli
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Nikola Milošević to contribute to this project
  • Contact Nikola Milošević to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Google Play

GitHub

last reviewed release
Not Yet Reviewed


other releases