The Bluebox Security Scanner will scan your device to determine:
- If your system is vulnerable to, or patched against, any of the "Fake ID" or "Master Key" security flaws affecting most Android devices
- If your system settings allow 'Untrusted Sources' application installs
- If any installed application on your device is trying to maliciously take advantage of any of the 'Master Key' security flaws
Further details of the Android "Fake ID" and "Master Key" security flaws are available at:
Effectively addressing a vulnerability requires three steps:
1) Google produces a generic code fix
2) Android phone manufacturers then incorporate that fix into a firmware update for various phones
3) Carriers then distribute the final update, which ensures your phone is safe
As regards Fake ID, Google has provided the generic code fix to the phone manufacturers, who are working with the carriers to distribute the updates. This scanner will help track when that finally happens. Alternatively, contact customer support at your phone manufacturer or carrier for a real-time update.
Candidate Wifi networks are auto-selected when you launch the app; you can review the list, then press the "Clean Me" button to remove unused networks. It is safe to remove open networks -- you can easily add them back at a later date by selecting them from the list of available Wifi networks.
- This app can find certain Wifi profiles that are not displayed under the normal Android settings list
- Some Wifi network profiles are embedded into the vendor firmware and cannot be removed
The Trustable by Bluebox app:
- Provides a consistent and on-going method to measure the security properties and trustability of a device, including any known vulnerabilities
- Computes a security-centric trust score in a range of 0.0 to 10.0, based upon all discovered information, including the analysis of various configuration and settings information
- Provides specific instructions for users to improve their device trust score
- Enables users to make informed decisions on which vendors/devices make below-average or above-average security decisions
The types of items that are represented in the trust score:
- Known system vulnerabilities on the device
- Insecure configurations caused by the device vendor
- Insecure configurations caused by the device user
- The number of pre-installed applications, third party applications, “bloatware”, and other excessive device population
As mentioned above, the Trustable by Bluebox app provides a security-centric trust score in a range of 0.0 to 10.0, where a score of 0.0 represents an insecure and un-trustable device, and a score of 10.0 represents a device following above-average security best practices and having a good overall security state.
You can see the full description of what specific security-related aspects of the device are measured and analyzed to create the trust score here: https://bluebox.com/trustable-by-bluebox/
The Heartbleed vulnerability is a flaw in the OpenSSL library, used for secure communications.
Android devices ship with the OpenSSL library by default. In addition, many apps will bundle their own copy of the library. The Bluebox Heartbleed Scanner from Bluebox Labs will check all of these copies and let you know if any appear to be vulnerable to the Heartbleed vulnerability.
For more information, please visit the Bluebox Labs writeup available at: https://bluebox.com/blog/technical/heartbleed-bug-impacts-mobile-devices/
• You need a Google Play account to install the app.
• After install, you also need a valid Bluebox account group ID to enroll with Bluebox. Please contact your administrator.
Founded in 2012 by a team of security experts, Bluebox Security offers the first mobile data security platform to safeguard corporate data across the device, application, and network. The cloud-based solution provides complete visibility and security of corporate data, while providing employees the freedom, ease of use, and privacy that ensures widespread adoption. Bluebox Security has received a total of $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, Sun Microsystems co-founder, Andreas Bechtolsheim, SV Angel, and Google Board member Ram Shriram. The company is headquartered in San Francisco.
This application can be used on rooted or non-rooted devices:
- Devices with root access/SuperSu can manage (disable/enable) the certificate authorities directly from the application
- Devices without root access can still examine the certificates on their device and view the certificate authorities and which groups those CAs are placed in
NOTE: If your device does not have root access you can still manage the CAs on your device, but you will need to disable/enable each one manually via Settings -> Security -> Trusted Credentials and then click each cert and use the "Disable"/"Enable" button that appears for each CA.