Feature Request: Display risk score

[StephenQuirolgico]

Is it possible to add an overall Risk Score to Androwarn? I think this would greatly increase its value, particularly with MDM/EMM analysts that are responsible for ensuring the safety of apps on their organization's devices, but that do not have the expertise to know if a vulnerability detected by Androwarn is low, medium, high or critical risk. For most other Android static analyzers, the Common Vulnerability Scoring System (CVSS) is the standard used for describing risk. It seems that it would be a relatively light lift to add a CVSS score for the overall risk, as well as possibly for each of the underlying vulnerability categories. We are currently using Androwarn but its lack of risk scores is making its continued use less likely.

[richardPang517]

I'm also using androwarn to anlyze apks for now , and notice you said other android static analyzers can support CVSS. I wonder if you can mention some open-source examples. Thanks very much.

[StephenQuirolgico]

Hi Richard, MobSF is an open source Android and iOS analyzer that uses CVSS 2.0. https://github.com/MobSF/Mobile-Security-Framework-MobSF Steve

…

On Wed, Aug 28, 2019 at 3:43 AM richardPang517 ***@***.***> wrote: I'm also using androwarn to anlyze apks for now , and notice you said other android static analyzers can support CVSS. I wonder if you can mention some open-source examples. Thanks very much. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#20?email_source=notifications&email_token=ABF6RLPKEZ3ZE7KQLFXDUD3QGYUDJA5CNFSM4IPGG332YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5KGKZA#issuecomment-525624676>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABF6RLLM3CFNYXF2SMMUDADQGYUDJANCNFSM4IPGG33Q> .

[richardPang517]

thanks, I also noticed this MobSF tool and haven't research much on it. I found out androwarn cannot correctly analyze some modern apks, possiblely because of non-ascii characters（based on error info). Perhaps it's a bit too old with old python.

[StephenQuirolgico]

Androwarn was just updated to work with Python 3.

…

On Wednesday, August 28, 2019, richardPang517 ***@***.***> wrote: thanks, I also noticed this MobSF tool and haven't research much on it. I found out androwarn cannot correctly analyze some modern apks, possiblely because of non-ascii characters（based on error info). Perhaps it's a bit too old with old python. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#20?email_source=notifications&email_token=ABF6RLP33OHD6I7TLEUB66DQG43WPA5CNFSM4IPGG332YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5NCHVQ#issuecomment-526001110>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABF6RLIHR2UF3KDGWKGZXPTQG43WPANCNFSM4IPGG33Q> .