X-Ray is Duo’s mobile app that performs “vulnerability assessment” on Android devices. Instead of scanning for malicious apps installed on the device like a mobile antivirus app would do (a nearly-intractable problem), X-Ray can identify known, yet unpatched, vulnerabilities in the mobile platform itself that could be exploited to take full control of users’ phones. As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years.
...
Since we launched X-Ray, we’ve already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary.
Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far. We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.
Source
Some FAQs
What information does X-Ray collect from my device?
X-Ray collects information about your device, but not about you.
The collected information serves two purposes:
to determine whether your device is vulnerable, and
to collect statistics on just how many Android devices out there are vulnerable
This information is useful to apply pressure on carriers to actually fix the underlying problem, so your participation may end up improving the security of all Android users.
Specifically, X-Ray collects the version of your OS (e.g. “2.3.6”), the make/model of your device (e.g. “Samsung Nexus S”), your carrier's name (e.g. “T-Mobile”), a randomly-generated device ID (e.g. “9a17e3fedcde4695”), and potentially vulnerable software components (e.g. “/system/bin/vold”). The information collected will not be shared with any third parties except in aggregate form (e.g. a graph showing the total number of vulnerable devices).
Why is X-Ray not distributed through Google Play Store?
We definitely understand that users prefer to install apps from the Play Store, especially when they're security-related apps. Unfortunately, Google informed us that the terms of service of the Play Store disallow applications such as X-Ray that check for Android vulnerabilities.
Are these vulnerabilities unique to the Android platform?
Yes and no. All mobile platforms face vulnerabilities. Software has bugs, and many bugs can be exploited by malicious parties in an attempt to take control of your device.
However, the impact of such vulnerabilities may be greater on the Android platform due to the lack of expedient patching by the carriers. Mobile platforms such as iOS may fare better at distributing patches for vulnerabilities more quickly since the updates come directly from Apple as opposed to the decentralized Android carriers.
Download a free copy and check your phone out
cheers ...