It takes a dedicated person to stay up-to-date on all of the security vulnerabilities in any given system, and that isn’t any different on Android. Thankfully for Android users, Duo Security has released a new DARPA-funded security app called X-Ray that will assist in identifying security holes on your Android device, because hey, who else is going to do it? Duo Security writes on the X-Ray official site that it developed this app in part because carriers typically drag their feet when it comes to pushing an update that will fix security flaws in Android, so with this app, they’re giving users the ability to test for these flaws themselves.
X-Ray is installed directly through an APK and isn’t available in the Google Play Store, so you’ll have to head over to xray.io if you want to download it. Duo Security says in an FAQ on the X-Ray site that the app looks for known privilege escalation vulnerabilities, which could potentially give malicious apps access to root privileges on your device.
“A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices,” Duo Security said. “Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users.” One such vulnerability X-Ray is capable of identifying is Gingerbreak, which has been plaguing Android users for over a year now.
Unfortunately, X-Ray only identifies the security flaws and doesn’t actually fix them. If vulnerabilities are discovered, Duo Security suggests that you go to your carrier to see if there are updates available or install a third-party ROM like CyanogenMod that will patch the vulnerabilities. Of course, downloading a third-party mod can be a risky endeavor on its own, so Duo Security also suggests that you do your research before going down that road. You can find a full list of the vulnerabilities X-Ray scans for over on its official site, and even though the app doesn’t fix the flaws itself, it still looks like it’ll be a handy program to have installed on your device.
From its web, it says “requires no special privilege to operate.” But when I try to install, it asks for (1) Storage and (2) Network communication. Full internet access!? Does it want to download or upload something? Would really like to try it, but not until I find out why first.
Wing: yep, it needs internet access to pull down the latest vulnerability info from the X-Ray cloud server. It also reports back the results for statistical purposes (see the FAQ for exactly what info the app collects).
It needs the external storage privilege so that it can download an updated APK to the sdcard since it updates itself outside of the Play Store. Unfortunately, due to Google’s terms of service, we can’t distribute X-Ray through Play. :-/
FYI, most of the vulnerabilities that X-Ray detects can be exploited by a malicious app without requesting ANY permissions. So take Android permissions with a grain of salt. Asking for internet != unsafe, and asking for no permissions != safe.