Introducing Pwned Report
In this post, I will give an introduction to Pwned Report, a side project I have been working on that scans your device for vulnerabilities or signs of compromise. More than ever, people are aware that attackers can take over their devices using sophisticated methods, but for most it remains mere suspicion. Complaints like "my phone is going haywire", "some app is eating my data" or "my battery is not lasting long" are potential signs of compromise, either by malware or by an unauthorized party.
Initiation
The most important requirement while designing Pwned Report was to reduce the friction of installing an app or tool to analyze your device. It should be as simple as clicking a button and waiting for the result. Many sophisticated tools claim to scan your device but overwhelm the user with configuration, a cumbersome UI and technical jargon that most people don't understand. I wanted Pwned Report to be dead simple: a single click and you have your result. There are drawbacks, which I will discuss later on, but at this point I have chosen simplicity over functionality.
Secondly, it is increasingly difficult to assess the security posture of a device by analyzing that single device in isolation. Google and Apple are closing down APIs in the name of privacy and data sensitivity, which hinders detection routines. Hence a different approach is needed, where behavior and patterns across thousands of devices are observed to draw meaningful conclusions.
Components
Pwned Report has three components:
- Instant app - A tiny instant app (less than 2 MB). You won't need to install it from the Google Play store; it launches automatically when you visit Scan. This choice was made deliberately to avoid installing an app.
- Site - A landing page where users come to scan their devices. There is a single action button that starts the scan. Once clicked, the instant app launches and begins scanning the device.
- Backend - After scanning the device, any IOCs and device usage patterns are shipped to the server for analysis and tagging. No PII is associated with them, which preserves the user's privacy.
Internals
Pwned Report attempts to determine whether your device is compromised using different techniques. First, it checks whether your device is rooted/jailbroken. Rooting may have been done deliberately by the user or surreptitiously by an unauthorized party. This check comprises multiple sub-tasks that scan for the presence of su (super-user), altered system partitions, modified configurations, etc. Secondly, it uses past usage patterns to look for odd signals that might be linked to compromise. These include suspicious apps that were installed, an app consuming unusual amounts of data (especially outbound/egress), an app with sensitive permissions running in the background for prolonged intervals, etc.
The first part of the check is static: the app looks for known IOCs. This is what most "root checkers" on the Google Play store do. The second part relies on patterns that resemble malicious actors or have previously been reported as malicious, and this is where Pwned Report shines. By aggregating usage patterns from thousands of devices, it can classify patterns as dangerous, suspicious, or normal.
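The two-stage check described above, written out as an added Python example. This is not Pwned Report's code (its scanner is an Android instant app and its backend is not shown here); it only mirrors the idea: a static pass over a device snapshot for a few illustrative root indicators, then a pattern pass that compares one device's per-app background time and egress against medians computed from a fleet. The su paths, property names, package names, permission names, thresholds and all sample numbers are constructed assumptions.

```python
# Added example: a toy two-stage verdict mirroring the checks described above.
# Not Pwned Report's own code; paths, property names and all inputs are constructed.
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set, Tuple

# Stage 1 indicators. These su locations and build properties are illustrative
# examples of what a static root check looks at, not an exhaustive list.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
SENSITIVE_PERMS = {"READ_SMS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS"}


@dataclass
class AppUsage:
    package: str
    permissions: Set[str]
    background_minutes: float  # time running in the background per day
    egress_mb: float           # outbound data per day


@dataclass
class DeviceSnapshot:
    existing_paths: Set[str]     # paths found present on the device
    build_props: Dict[str, str]  # subset of the device's build properties
    system_mount_opts: str       # mount options of /system, e.g. "ro,relatime"
    apps: List[AppUsage]


def static_indicators(snap: DeviceSnapshot) -> List[str]:
    """Known-IOC pass: su binary, test-keys image, debuggable build, writable /system."""
    found = []
    for p in SU_PATHS:
        if p in snap.existing_paths:
            found.append(f"su binary present: {p}")
    if "test-keys" in snap.build_props.get("ro.build.tags", ""):
        found.append("system image signed with test-keys")
    if snap.build_props.get("ro.debuggable") == "1":
        found.append("ro.debuggable=1")
    if "rw" in snap.system_mount_opts.split(","):
        found.append("/system mounted read-write")
    return found


def fleet_baseline(devices: List[DeviceSnapshot]) -> Dict[str, Tuple[float, float]]:
    """Per-package (median background minutes, median egress MB) across the fleet."""
    bg: Dict[str, List[float]] = {}
    eg: Dict[str, List[float]] = {}
    for d in devices:
        for a in d.apps:
            bg.setdefault(a.package, []).append(a.background_minutes)
            eg.setdefault(a.package, []).append(a.egress_mb)
    return {pkg: (median(bg[pkg]), median(eg[pkg])) for pkg in bg}


def usage_indicators(snap: DeviceSnapshot, baseline, factor: float = 5.0) -> List[str]:
    """Pattern pass: flag apps exceeding `factor` x the fleet median for that package.
    Packages with no fleet data are skipped rather than guessed at."""
    findings = []
    for a in snap.apps:
        if a.package not in baseline:
            continue
        med_bg, med_eg = baseline[a.package]
        sensitive = bool(a.permissions & SENSITIVE_PERMS)
        # max(..., 1.0) stops a near-zero median from flagging trivial usage
        if sensitive and a.background_minutes > factor * max(med_bg, 1.0):
            findings.append(f"{a.package}: {a.background_minutes:.0f} min/day in background "
                            f"with sensitive permissions (fleet median {med_bg:.0f})")
        if a.egress_mb > factor * max(med_eg, 1.0):
            findings.append(f"{a.package}: {a.egress_mb:.1f} MB/day egress "
                            f"(fleet median {med_eg:.1f})")
    return findings


def classify(snap: DeviceSnapshot, baseline) -> Tuple[str, List[str]]:
    """Static IOC hit -> dangerous; usage anomalies only -> suspicious; else normal."""
    static = static_indicators(snap)
    usage = usage_indicators(snap, baseline)
    verdict = "dangerous" if static else "suspicious" if usage else "normal"
    return verdict, static + usage


# Constructed sample fleet: five ordinary devices running the same two apps.
def _ordinary_device() -> DeviceSnapshot:
    return DeviceSnapshot(
        existing_paths=set(),
        build_props={"ro.build.tags": "release-keys", "ro.debuggable": "0"},
        system_mount_opts="ro,relatime",
        apps=[AppUsage("com.example.messenger", {"READ_CONTACTS"}, 30, 20),
              AppUsage("com.example.flashlight", set(), 1, 0.1)],
    )


FLEET = [_ordinary_device() for _ in range(5)]
BASELINE = fleet_baseline(FLEET)

# Constructed device under test: a "flashlight" that has acquired RECORD_AUDIO,
# runs in the background most of the day and pushes far more data than its peers.
SUSPECT = _ordinary_device()
SUSPECT.apps[1] = AppUsage("com.example.flashlight", {"RECORD_AUDIO"}, 400, 50)

# Constructed rooted device: su binary present and /system remounted read-write.
ROOTED = _ordinary_device()
ROOTED.existing_paths.add("/system/xbin/su")
ROOTED.system_mount_opts = "rw,relatime"

if __name__ == "__main__":
    for name, dev in (("suspect", SUSPECT), ("rooted", ROOTED)):
        print(name, *classify(dev, BASELINE))
```

The ordering in `classify` reflects the post's framing: a static IOC is a concrete finding and outranks a behavioral anomaly, while the usage pass only ever yields "suspicious", since, as the Drawbacks section notes, pattern-based verdicts carry a real false-positive rate and the medians are only as good as the fleet they come from.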
Drawbacks
Android puts stricter limitations on what an instant app can access: fewer permissions, less visibility into installed apps, a cap on app size, etc. Hence, not all checks are performed during the instant app scan; the rest are deferred until the full app is installed. Secondly, judging compromise based on usage patterns is susceptible to false positives. It needs a large amount of data from multiple device profiles to reliably classify compromised devices.
Try it out
Visit Pwned Report to try it out. There are multiple backlog items in the pipeline; I will be sharing details in the coming weeks. Stay tuned!