[Discussion] Create an Android VTS Check library

[SandroMachado]

My suggestion is to create and Android VTS Check library that can be used by other developers of the other applications that use sensitive data to detect if the device it is trustable or not.

This application will be only an interface to that library, and will provide the test results to the users who want to know if their devices are secure.

Something like SafetyNet available thought the Google Play Service. A library that just tell the user if the device is safe or not.

This is just some food for thought...

[Fuzion24]

@psm14 may have some thoughts here. I believe he wanted to use VTS for a similar purpose as well.

On understanding why SafetyNet is a trainwreck: https://twitter.com/ikoz/status/660599232601174018

It is very difficult to test for these vulnerabilities without introducing some type of system instability. We've done our best to avoid this, but still see crashes on obscure devices that hit edge cases we hadn't thought of.

I think you probably would also want to step back and think about why you are doing something like this. As I am not entirely sure this would be to the benefit of the end user to prevent an application from running if the device is unpatched. Maybe even a dialog/warning notifying the user on install that the device could be putting their data/usage of this app at risk.

Maybe a better solution here would be to have an open database with vulnerability statistics. Then an application could use a key/tuple made of model,build,kernel version, etc.. to query the database to determine whether there are flaws with the device.

[SandroMachado]

I totally agree with you.

Including some of this code/files used to test the vulnerabilities can lead to false positives scans on some antivirus, cause instability...etc

Probably the best solution will be create an open database with this vulnerability statistics.

BTW, that twitter thread is really good...much better than a lot of blog posts about Safetynet. Thanks for sharing.